
Merge branch 'master' of github.com:znc/znc

commit a35385db3aa6a3a7a77c9e8afd8d492163e457fd 2 parents 0952ee8 + ed7119b
@DarthGandalf DarthGandalf authored
Showing with 33 additions and 15 deletions.
  1. +2 −2 include/znc/Csocket.h
  2. +1 −1  modules/q.cpp
  3. +30 −12 src/Csocket.cpp
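--- a/include/znc/Csocket.h
+++ b/include/znc/Csocket.h
@@ -592,8 +592,8 @@ class Csock : public CSockCommon
 SSL2 = 2,
 SSL3 = 3,
 TLS1 = 4,
- TLS1_1 = 5,
- TLS1_2 = 6
+ TLS11 = 5,
+ TLS12 = 6
 };
 enum ECONState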
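--- a/modules/q.cpp
+++ b/modules/q.cpp
@@ -274,7 +274,7 @@ class CQModule : public CModule {
 if (!Nick.NickEquals("Q") || !Nick.GetHost().Equals("CServe.quakenet.org"))
 return CONTINUE;
 if (m_bJoinOnInvite)
- PutIRC("JOIN " + sChan);
+ m_pNetwork->AddChan(sChan, false);
 return CONTINUE;
 }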
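Review bot: The new `m_pNetwork->AddChan(sChan, false);` line discards whatever status AddChan reports, so an invite from Q that cannot be added (for example a channel already in the list, if AddChan rejects duplicates) now does nothing and leaves no trace. Consider acting on the result, e.g. `if (!m_pNetwork->AddChan(sChan, false)) PutModule("Could not add " + sChan);`. A one-line comment should also say that the `false` is meant to keep an invite-supplied channel name out of the saved configuration, if that is what the parameter does. The handler's signature and the origin of `sChan` are outside the hunk.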
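--- a/src/Csocket.cpp
+++ b/src/Csocket.cpp
@@ -1355,7 +1355,7 @@ bool Csock::SSLClientSetup()
 return( false );
 }
 break;
- case TLS1_2:
+ case TLS12:
 #ifdef TLS1_2_VERSION
 m_ssl_ctx = SSL_CTX_new( TLSv1_2_client_method() );
 if( !m_ssl_ctx )
@@ -1364,8 +1364,8 @@ bool Csock::SSLClientSetup()
 return( false );
 }
 break;
-#endif
- case TLS1_1:
+#endif /* TLS1_2_VERSION */
+ case TLS11:
 #ifdef TLS1_1_VERSION
 m_ssl_ctx = SSL_CTX_new( TLSv1_1_client_method() );
 if( !m_ssl_ctx )
@@ -1374,7 +1374,7 @@ bool Csock::SSLClientSetup()
 return( false );
 }
 break;
-#endif
+#endif /* TLS1_1_VERSION */
 case TLS1:
 m_ssl_ctx = SSL_CTX_new( TLSv1_client_method() );
 if( !m_ssl_ctx )
@@ -1392,10 +1392,14 @@ bool Csock::SSLClientSetup()
 return( false );
 }
 break;
-#endif
+#endif /* OPENSSL_NO_SSL2 */
 /* Fall through if SSL2 is disabled */
 case SSL23:
 default:
+ if( m_iMethod != SSL23 )
+ {
+ CS_DEBUG( "WARNING: SSL Client Method other than SSLv23 specified, but has passed through" );
+ }
 m_ssl_ctx = SSL_CTX_new( SSLv23_client_method() );
 if( !m_ssl_ctx )
 {
@@ -1472,7 +1476,7 @@ bool Csock::SSLServerSetup()
 return( false );
 }
 break;
- case TLS1_2:
+ case TLS12:
 #ifdef TLS1_2_VERSION
 m_ssl_ctx = SSL_CTX_new( TLSv1_2_server_method() );
 if( !m_ssl_ctx )
@@ -1481,8 +1485,8 @@ bool Csock::SSLServerSetup()
 return( false );
 }
 break;
-#endif
- case TLS1_1:
+#endif /* TLS1_2_VERSION */
+ case TLS11:
 #ifdef TLS1_1_VERSION
 m_ssl_ctx = SSL_CTX_new( TLSv1_1_server_method() );
 if( !m_ssl_ctx )
@@ -1491,8 +1495,8 @@ bool Csock::SSLServerSetup()
 return( false );
 }
 break;
-#endif
 case TLS1:
+#endif /* TLS1_1_VERSION */
 m_ssl_ctx = SSL_CTX_new( TLSv1_server_method() );
 if( !m_ssl_ctx )
 {
@@ -1500,8 +1504,8 @@ bool Csock::SSLServerSetup()
 return( false );
 }
 break;
-#ifndef OPENSSL_NO_SSL2
 case SSL2:
+#ifndef OPENSSL_NO_SSL2
 m_ssl_ctx = SSL_CTX_new( SSLv2_server_method() );
 if( !m_ssl_ctx )
 {
@@ -1509,10 +1513,14 @@ bool Csock::SSLServerSetup()
 return( false );
 }
 break;
-#endif
+#endif /* OPENSSL_NO_SSL2 */
 /* Fall through if SSL2 is disabled */
 case SSL23:
 default:
+ if( m_iMethod != SSL23 )
+ {
+ CS_DEBUG( "WARNING: SSL Server Method other than SSLv23 specified, but has passed through" );
+ }
 m_ssl_ctx = SSL_CTX_new( SSLv23_server_method() );
 if( !m_ssl_ctx )
 {
@@ -2751,7 +2759,17 @@ void Csock::Init( const CS_STRING & sHostname, uint16_t uPort, int iTimeout )
 m_shostname = sHostname;
 m_sbuffer.clear();
 m_eCloseType = CLT_DONT;
- m_iMethod = TLS1_2; // Falls though TLSv1.1 and TLSv1 if not available
+ /*
+ * While I appreciate the line ...
+ * "It's 2014, no idea how this made it as a default for the past 16 years..."
+ * TLS 1.2 was introduced in 2008. That being said, it's still not widely supported so I'm not
+ * ready to make it the default. SSL 3.0 is still the most widely supported standard and that's
+ * what a sane default is supposed to be. Additionally, OpenSSL is smart with SSLv23_client_method
+ * as it will check for TLS in addition to SSL (per the manual) which is the reason for its choice.
+ *
+ * https://www.openssl.org/docs/ssl/SSL_CTX_new.html
+ */
+ m_iMethod = SSL23;
 m_sCipherType = "ALL";
 m_iMaxBytes = 0;
 m_iMaxMilliSeconds = 0;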
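Review bot: In the `Csock::Init` hunk, `m_iMethod = SSL23;` next to the unchanged `m_sCipherType = "ALL";` makes every socket default to a handshake that can still negotiate SSLv2 or SSLv3 and whatever weak suites the linked OpenSSL ships, unless context options set outside these hunks exclude them; nothing visible here does. If compatibility is the goal, keep the version-flexible method but add a floor after `SSL_CTX_new`, e.g. `SSL_CTX_set_options( m_ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 );`, and reword the new comment, which currently names SSL 3.0 as the sane default. Separately, in `SSLServerSetup` the `case TLS1:` label now sits above `#endif /* TLS1_1_VERSION */`, so on a build without TLS 1.1 the label is compiled out and a requested TLS1 server lands in `default:`; the client side has the `#endif` before the label and should be mirrored. The added `CS_DEBUG` warning is the only signal of that fallback and the TLS12 to TLS11 to TLS1 fallthrough gives none, so a caller that asked for a specific version can be downgraded without noticing; returning `false` for an unavailable explicit method would fail closed. Both setup functions begin and end outside the hunks.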
