
Comparing ircd-hybrid/trunk/src/tls_openssl.c (file contents):
Revision 9149 by michael, Sun Jan 12 10:59:03 2020 UTC vs.
Revision 9165 by michael, Sat Jan 18 13:01:40 2020 UTC

# Line 156 | Line 156 | tls_new_cred(void)
156      SSL_CTX_set1_groups_list(ConfigServerInfo.tls_ctx.server_ctx, "X25519:P-256");
157    else if (SSL_CTX_set1_groups_list(ConfigServerInfo.tls_ctx.server_ctx, ConfigServerInfo.tls_supported_groups) == 0)
158    {
159    ilog(LOG_TYPE_IRCD, "Ignoring serverinfo::tls_supported_groups -- could not set supported group(s)");
159      SSL_CTX_set1_groups_list(ConfigServerInfo.tls_ctx.server_ctx, "X25519:P-256");
160 +    ilog(LOG_TYPE_IRCD, "Ignoring serverinfo::tls_supported_groups -- could not set supported group(s)");
161    }
162  
163    if (ConfigServerInfo.tls_message_digest_algorithm == NULL)
164      ConfigServerInfo.message_digest_algorithm = EVP_sha256();
165 <  else
165 >  else if ((ConfigServerInfo.message_digest_algorithm = EVP_get_digestbyname(ConfigServerInfo.tls_message_digest_algorithm)) == NULL)
166    {
167 <    ConfigServerInfo.message_digest_algorithm = EVP_get_digestbyname(ConfigServerInfo.tls_message_digest_algorithm);
168 <
169 <    if (ConfigServerInfo.message_digest_algorithm == NULL)
170 <    {
171 <      ConfigServerInfo.message_digest_algorithm = EVP_sha256();
172 <      ilog(LOG_TYPE_IRCD, "Ignoring serverinfo::tls_message_digest_algorithm -- unknown message digest algorithm");
173 <    }
167 >    ConfigServerInfo.message_digest_algorithm = EVP_sha256();
168 >    ilog(LOG_TYPE_IRCD, "Ignoring serverinfo::tls_message_digest_algorithm -- unknown message digest algorithm");
169    }
170  
171 <  if (ConfigServerInfo.tls_cipher_list)
172 <    if (SSL_CTX_set_cipher_list(ConfigServerInfo.tls_ctx.server_ctx, ConfigServerInfo.tls_cipher_list) == 0)
173 <      ilog(LOG_TYPE_IRCD, "Ignoring serverinfo::tls_cipher_list -- could not set supported cipher(s)");
171 >  if (ConfigServerInfo.tls_cipher_list == NULL)
172 >    SSL_CTX_set_cipher_list(ConfigServerInfo.tls_ctx.server_ctx, "EECDH+HIGH:EDH+HIGH:HIGH:!aNULL");
173 >  else if (SSL_CTX_set_cipher_list(ConfigServerInfo.tls_ctx.server_ctx, ConfigServerInfo.tls_cipher_list) == 0)
174 >  {
175 >    SSL_CTX_set_cipher_list(ConfigServerInfo.tls_ctx.server_ctx, "EECDH+HIGH:EDH+HIGH:HIGH:!aNULL");
176 >    ilog(LOG_TYPE_IRCD, "Ignoring serverinfo::tls_cipher_list -- could not set supported cipher(s)");
177 >  }
178  
179   #ifndef LIBRESSL_VERSION_NUMBER
180    if (ConfigServerInfo.tls_cipher_suites == NULL)
181 <    /* Default to TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 */
183 <    SSL_CTX_set_ciphersuites(ConfigServerInfo.tls_ctx.server_ctx, "");
181 >    SSL_CTX_set_ciphersuites(ConfigServerInfo.tls_ctx.server_ctx, "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256");
182    else if (SSL_CTX_set_ciphersuites(ConfigServerInfo.tls_ctx.server_ctx, ConfigServerInfo.tls_cipher_suites) == 0)
183    {
184 +    SSL_CTX_set_ciphersuites(ConfigServerInfo.tls_ctx.server_ctx, "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256");
185      ilog(LOG_TYPE_IRCD, "Ignoring serverinfo::tls_cipher_suites -- could not set supported cipher suite(s)");
187    SSL_CTX_set_ciphersuites(ConfigServerInfo.tls_ctx.server_ctx, "");
186    }
187   #endif
188  
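Review bot: The fallback `SSL_CTX_set_cipher_list(ConfigServerInfo.tls_ctx.server_ctx, "EECDH+HIGH:EDH+HIGH:HIGH:!aNULL")` at new line 175 discards its return value, as do the default-path call at 172, the groups fallback at 159 and both `SSL_CTX_set_ciphersuites` default calls at 181 and 184, so if the linked library rejects one of the built-in strings the context silently stays on whatever OpenSSL compiled in and nothing is logged. Each default string is also written out twice, once in the default branch and once in the fallback branch, which invites the two copies to drift apart. Hoisting each into a file-scope constant, e.g. `static const char tls_default_cipher_list[] = "EECDH+HIGH:EDH+HIGH:HIGH:!aNULL";`, and checking the fallback once, `if (SSL_CTX_set_cipher_list(ConfigServerInfo.tls_ctx.server_ctx, tls_default_cipher_list) == 0) ilog(LOG_TYPE_IRCD, "Could not set default cipher list");`, would address both. tls_new_cred's body starts and ends outside this hunk.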
# Line 195 | Line 193 | tls_new_cred(void)
193   const char *
194   tls_get_cipher(const tls_data_t *tls_data)
195   {
196 <  static char buffer[IRCD_BUFSIZE];
196 >  static char buf[128];
197    SSL *ssl = *tls_data;
198  
199 <  snprintf(buffer, sizeof(buffer), "%s-%s", SSL_get_version(ssl), SSL_get_cipher(ssl));
200 <  return buffer;
199 >  snprintf(buf, sizeof(buf), "%s-%s", SSL_get_version(ssl), SSL_get_cipher(ssl));
200 >  return buf;
201   }
202  
203   const char *
204   tls_get_version(void)
205   {
206 <  static char buf[IRCD_BUFSIZE];
206 >  static char buf[256];
207  
208    snprintf(buf, sizeof(buf), "OpenSSL version: library: %s, header: %s",
209             OpenSSL_version(OPENSSL_VERSION), OPENSSL_VERSION_TEXT);
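Review bot: Both functions now hand back a pointer into a fixed static buffer (`buf[128]` at new line 196, `buf[256]` at 206) without stating that the result is overwritten by the next call to the same function and that `snprintf` truncates silently when the formatted text exceeds the buffer; a short header comment on each, e.g. `/* Returns a pointer to a static buffer that is overwritten on the next call; output is truncated to sizeof(buf) - 1. */`, would make that contract explicit to callers. The sizes 128 and 256 are bare magic numbers replacing the previous IRCD_BUFSIZE; naming them in an enum next to the functions would make the shrink easier to audit against the longest version and cipher strings the library can produce. tls_get_version's body ends outside this hunk.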
