
Add additional SSL/TLS config granularity. Closes #185

Found by: Robby-
Patch by: michaelortmann

Adds new config variables ssl-protocols, ssl-ciphers, ssl-dhparam and allows the user to specify (duh) which SSL/TLS protocols, ciphers, and dhparam file to use. Also updated some debug logging to use the actual cipher in use, not the minimum protocol allowed for that cipher.
michaelortmann authored and vanosg committed Aug 20, 2019
1 parent cbb5dad commit c41fa13f3b9f93c25b2647ab5da377cc9120ac83
Showing with 110 additions and 4 deletions.
  1. +12 −0 eggdrop.conf
  2. +12 −1 help/set/cmds1.help
  3. +4 −2 src/tcl.c
  4. +82 −1 src/tls.c
@@ -435,6 +435,11 @@ set paranoid-telnet-flood 1
set ssl-capath "/etc/ssl/"
#set ssl-cafile ""

# Specify the list of protocols allowed for use with ssl. The protocol list is
# one or more protocol strings separated by spaces. Available protocols are
# SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3.
# set ssl-protocols "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# Specify the list of ciphers (in order of preference) allowed for use with
# ssl. The cipher list is one or more cipher strings separated by colons,
# commas or spaces. Unavailable ciphers are silently ignored unless no usable
@@ -456,6 +461,13 @@ set ssl-capath "/etc/ssl/"
# reasonable order.
#set ssl-ciphers ""

# Specify the location of a dhparam file. This file is necessary if you are
# using a Diffie-Hellman based key exchange. If you don't know what this is,
# you are probably safe leaving it commented.
# You can create a dhaparm file using the following command:
# openssl dhparam -out dhparam.pem 4096
#set ssl-dhparam "dhparam.pem"

# Enable certificate authorization. Set to 1 to allow users and bots to
# identify automatically by their certificate fingerprints. Setting it
# to 2 to will force fingerprint logins. With a value of 2, users without
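Review bot: The new ssl-protocols comment lists SSLv2 and SSLv3 as available without saying that both are obsolete and have known protocol-level weaknesses, and the commented-out example still enables TLSv1 and TLSv1.1. An operator who uncomments the line as written keeps the legacy versions on. I would add a line such as `# SSLv2 and SSLv3 are insecure; list them only for legacy peers that cannot be upgraded.` and show `"TLSv1.2 TLSv1.3"` as the suggested value. In the ssl-dhparam comment of the second hunk, "dhaparm" should read "dhparam".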
@@ -304,6 +304,16 @@ See also: ssl-cafile
or ssl-capath, certificate verification will not work.

See also: set ssl-capath
%{help=set ssl-protocols}%{+n}
### %bset ssl-protocols%b <protocol list>
Specify the list of protocols allowed for use with ssl. The protocol list
is one or more protocol strings separated by spaces. Available protocols
are SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3. Default is
"TLSv1 TLSv1.1 TLSv1.2 TLSv1.3".
%{help=set ssl-dhparam}%{+n}
### %bset ssl-dhparam%b <filename>
Specify dhparam filename. You can create it using the following command:
openssl dhparam -out dhparam.pem 4096
%{help=set ssl-ciphers}%{+n}
### %bset ssl-ciphers%b <cipher list>
Specify the list of ciphers (in order of preference) allowed for
@@ -314,7 +324,8 @@ See also: set ssl-capath
to the ciphers(1) manual.
If you set this, the value replaces any ciphers OpenSSL might use
by default. To include the default ciphers, you can put DEFAULT
as a cipher string in the list.
as a cipher string in the list. This setting may not impact TLSv1.3
ciphersuites.
%{help=set ssl-cert-auth}%{+n}
### %bset ssl-cert-auth%b <0/1/2>
Enable certificate authorization. Set to 1 to allow users and bots
@@ -68,7 +68,7 @@ extern int pref_af;
#ifdef TLS
extern int tls_maxdepth, tls_vfybots, tls_vfyclients, tls_vfydcc, tls_auth;
extern char tls_capath[], tls_cafile[], tls_certfile[], tls_keyfile[],
tls_ciphers[];
tls_protocols[], tls_dhparam[], tls_ciphers[];
#endif

extern struct dcc_t *dcc;
@@ -370,7 +370,9 @@ static tcl_strings def_tcl_strings[] = {
#ifdef TLS
{"ssl-capath", tls_capath, 120, STR_DIR | STR_PROTECT},
{"ssl-cafile", tls_cafile, 120, STR_PROTECT},
{"ssl-ciphers", tls_ciphers, 2048, STR_PROTECT},
{"ssl-protocols", tls_protocols, 60, STR_PROTECT},
{"ssl-dhparam", tls_dhparam, 120, STR_PROTECT},
{"ssl-ciphers", tls_ciphers, 2048, STR_PROTECT},
{"ssl-privatekey", tls_keyfile, 120, STR_PROTECT},
{"ssl-certificate", tls_certfile, 120, STR_PROTECT},
#endif
@@ -31,6 +31,7 @@
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/x509v3.h>
#include <openssl/ssl.h>

extern int tls_vfydcc;
extern struct dcc_t *dcc;
@@ -43,6 +44,8 @@ char tls_capath[121] = ""; /* Path to trusted CA certificates */
char tls_cafile[121] = ""; /* File containing trusted CA certificates */
char tls_certfile[121] = ""; /* Our own digital certificate ;) */
char tls_keyfile[121] = ""; /* Private key for use with eggdrop */
char tls_protocols[61] = "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" ; /* A list of protocols for SSL to use */
char tls_dhparam[121] = ""; /* dhparam for SSL to use */
char tls_ciphers[2049] = ""; /* A list of ciphers for SSL to use */


@@ -168,6 +171,84 @@ int ssl_init()
ERR_error_string(ERR_get_error(), NULL));
ERR_free_strings();
}
/* Let advanced users specify the list of allowed ssl protocols */
#define EGG_SSLv2 (1 << 0)
#define EGG_SSLv3 (1 << 1)
#define EGG_TLSv1 (1 << 2)
#define EGG_TLSv1_1 (1 << 3)
#define EGG_TLSv1_2 (1 << 4)
#define EGG_TLSv1_3 (1 << 5)
if (tls_protocols[0]) {
char s[sizeof tls_protocols];
char *sep = " ";
char *word;
unsigned int protocols = 0;
strcpy(s, tls_protocols);
for (word = strtok(s, sep); word; word = strtok(NULL, sep)) {
if (!strcmp(word, "SSLv2"))
protocols |= EGG_SSLv2;
if (!strcmp(word, "SSLv3"))
protocols |= EGG_SSLv3;
if (!strcmp(word, "TLSv1"))
protocols |= EGG_TLSv1;
if (!strcmp(word, "TLSv1.1"))
protocols |= EGG_TLSv1_1;
if (!strcmp(word, "TLSv1.2"))
protocols |= EGG_TLSv1_2;
if (!strcmp(word, "TLSv1.3"))
protocols |= EGG_TLSv1_3;
}
if (!(protocols & EGG_SSLv2)) {
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
}
if (!(protocols & EGG_SSLv3)) {
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
}
if (!(protocols & EGG_TLSv1)) {
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
}
#ifdef SSL_OP_NO_TLSv1_1
if (!(protocols & EGG_TLSv1_1)) {
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
}
#endif
#ifdef SSL_OP_NO_TLSv1_2
if (!(protocols & EGG_TLSv1_2)) {
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
}
#endif
#ifdef SSL_OP_NO_TLSv1_3
if (!(protocols & EGG_TLSv1_3)) {
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3);
}
#endif
}
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION);
#endif
/* Let advanced users specify dhparam */
if (tls_dhparam[0]) {
DH *dh;
FILE *paramfile = fopen(tls_dhparam, "r");
if (paramfile) {
dh = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
fclose(paramfile);
if (dh) {
if (SSL_CTX_set_tmp_dh(ssl_ctx, dh) != 1) {
putlog(LOG_MISC, "*", "ERROR: TLS: unable to set tmp dh %s: %s",
tls_dhparam, ERR_error_string(ERR_get_error(), NULL));
}
}
else {
putlog(LOG_MISC, "*", "ERROR: TLS: unable to read DHparams %s: %s",
tls_dhparam, ERR_error_string(ERR_get_error(), NULL));
}
}
else {
putlog(LOG_MISC, "*", "ERROR: TLS: unable to open %s: %s",
tls_dhparam, strerror(errno));
}
}
/* Let advanced users specify the list of allowed ssl ciphers */
if (tls_ciphers[0] && !SSL_CTX_set_cipher_list(ssl_ctx, tls_ciphers)) {
/* this replaces any preset ciphers so an invalid list is fatal */
@@ -662,7 +743,7 @@ void ssl_info(SSL *ssl, int where, int ret)
cipher = SSL_get_current_cipher(ssl);
processed = SSL_CIPHER_get_bits(cipher, &secret);
putlog(data->loglevel, "*", "TLS: cipher used: %s %s; %d bits (%d secret)",
SSL_CIPHER_get_name(cipher), SSL_CIPHER_get_version(cipher),
SSL_CIPHER_get_name(cipher), SSL_get_version(ssl),
processed, secret);
/* secret are the actually secret bits. If processed and secret differ,
the rest of the bits are fixed, i.e. for limited export ciphers */
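Review bot: In the ssl-protocols loop added to ssl_init(), a word that matches none of the six names is dropped without a log line, so a typo (a constructed example: `TLSv1,2`) leaves that bit clear and the matching SSL_OP_NO_* option is set; if no word matches, every protocol is disabled and handshakes fail with nothing in the log pointing at the setting. I would chain the comparisons with `else if`, log the unknown word in a final `else`, and treat an empty mask as a configuration error, as the ssl-ciphers branch just below appears to do (its comment calls an invalid list fatal; that code is outside the hunk). Separately, `dh` returned by PEM_read_DHparams() is never released; as far as I know SSL_CTX_set_tmp_dh() keeps its own copy or reference, so `DH_free(dh);` belongs after the call. ssl_init() starts and ends outside this hunk.

```c
    for (word = strtok(s, sep); word; word = strtok(NULL, sep)) {
      if (!strcmp(word, "SSLv2"))
        protocols |= EGG_SSLv2;
      /* … the other five names, same bodies, each as else if … */
      else
        putlog(LOG_MISC, "*", "ERROR: TLS: unknown protocol '%s' in ssl-protocols",
               word);
    }
    if (!protocols) {
      putlog(LOG_MISC, "*", "ERROR: TLS: ssl-protocols enables no known protocol");
      /* fail ssl_init() here the same way the ssl-ciphers branch does (not visible in this hunk) */
    }
    /* … unchanged: SSL_OP_NO_* options set from the mask, SSL_OP_NO_COMPRESSION … */
      if (dh) {
        /* … unchanged: SSL_CTX_set_tmp_dh call and its error log … */
        DH_free(dh); /* the context holds its own copy/reference */
      }
```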
