ngircd

Free, portable and lightweight Internet Relay Chat server http://ngircd.barton.de/
Log | Files | Refs | README | LICENSE

commit 6e4235443eb4dee0930a65e613c8bf5e00331f73
parent f33a4067a16747c8fc5f1c0b5eb5e5520ee1e7a7
Author: Alexander Barton <alex@barton.de>
Date:   Sun, 26 Oct 2014 11:58:22 +0100

Merge branch 'CipherListNoSSL3'

* CipherListNoSSL3:
  INSTALL: List the changed SSL CipherList default value.
  Update "CipherList" to not enable SSLv3 by default

Diffstat:
MINSTALL | 15++++++++++++---
Mdoc/sample-ngircd.conf.tmpl | 4++--
Mman/ngircd.conf.5.tmpl | 4++--
Msrc/ngircd/conf.c | 4++--
4 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/INSTALL b/INSTALL @@ -12,12 +12,21 @@ I. Upgrade Information ~~~~~~~~~~~~~~~~~~~~~~ +Differences to version 22.x + +- The default value of the SSL "CipherList" variable has been changed to + "HIGH:!aNULL:@STRENGTH:!SSLv3" (OpenSSL) and "SECURE128:-VERS-SSL3.0" + (GnuTLS) to disable the old SSLv3 protocol by default. + To enable connections of clients still requiring the weak SSLv3 protocol, + the "CipherList" must be set to its old value (not recommended!), which + was "HIGH:!aNULL:@STRENGTH" (OpenSSL) and "SECURE128" (GnuTLS), see below. + Differences to version 20.x - Starting with ngIRCd 21, the ciphers used by SSL are configurable and - default to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS). - Previous version were using the OpenSSL or GnuTLS defaults, DEFAULT - and NORMAL respectively. + default to "HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS). + Previous version were using the OpenSSL or GnuTLS defaults, "DEFAULT" + and "NORMAL" respectively. - When adding GLINE's or KLINE's to ngIRCd 21 (or newer), all clients matching the new mask will be KILL'ed. This was not the case with earlier versions diff --git a/doc/sample-ngircd.conf.tmpl b/doc/sample-ngircd.conf.tmpl @@ -259,9 +259,9 @@ # See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init' # (GnuTLS) for details. # For OpenSSL: - ;CipherList = HIGH:!aNULL:@STRENGTH + ;CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3 # For GnuTLS: - ;CipherList = SECURE128 + ;CipherList = SECURE128:-VERS-SSL3.0 # Diffie-Hellman parameters ;DHFile = :ETCDIR:/ssl/dhparams.pem diff --git a/man/ngircd.conf.5.tmpl b/man/ngircd.conf.5.tmpl @@ -1,7 +1,7 @@ .\" .\" ngircd.conf(5) manual page template .\" -.TH ngircd.conf 5 "Jan 2014" ngIRCd "ngIRCd Manual" +.TH ngircd.conf 5 "Oct 2014" ngIRCd "ngIRCd Manual" .SH NAME ngircd.conf \- configuration file of ngIRCd .SH SYNOPSIS @@ -375,7 +375,7 @@ SSL Certificate file of the private server key. .TP \fBCipherList\fR (string) Select cipher suites allowed for SSL/TLS connections. This defaults to -"HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS). +"HIGH:!aNULL:@STRENGTH:!SSLv3" (OpenSSL) or "SECURE128:-VERS-SSL3.0" (GnuTLS). Please see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init' (GnuTLS) for details. .TP diff --git a/src/ngircd/conf.c b/src/ngircd/conf.c @@ -88,10 +88,10 @@ static void Init_Server_Struct PARAMS(( CONF_SERVER *Server )); #endif #ifdef HAVE_LIBSSL -#define DEFAULT_CIPHERS "HIGH:!aNULL:@STRENGTH" +#define DEFAULT_CIPHERS "HIGH:!aNULL:@STRENGTH:!SSLv3" #endif #ifdef HAVE_LIBGNUTLS -#define DEFAULT_CIPHERS "SECURE128" +#define DEFAULT_CIPHERS "SECURE128:-VERS-SSL3.0" #endif #ifdef SSL_SUPPORT