authorSadie Powell <sadie@witchery.services>2021-05-25 17:10:20 +0100
committerSadie Powell <sadie@witchery.services>2021-05-25 17:10:20 +0100
commit772f7ceb94242a8ebfadd0d4e31209c0b51c2923 (patch)
treeb92fe9e82cb99c7859f5647c2691274cb1d17078 /src/modules
parent182cdec31090a4664e6532f1555f1dd70748a2bd (diff)
Implement support for setting TLSv1.3 ciphersuites in ssl_openssl.
Diffstat (limited to 'src/modules')
-rw-r--r--src/modules/extra/m_ssl_openssl.cpp26
1 files changed, 25 insertions, 1 deletions
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index 0f4e2d713..f84468da8 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -217,10 +217,20 @@ namespace OpenSSL
bool SetCiphers(const std::string& ciphers)
{
+ // TLSv1 to TLSv1.2 ciphers.
ERR_clear_error();
return SSL_CTX_set_cipher_list(ctx, ciphers.c_str());
}
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ bool SetCiphersuites(const std::string& ciphers)
+ {
+ // TLSv1.3+ ciphers.
+ ERR_clear_error();
+ return SSL_CTX_set_ciphersuites(ctx, ciphers.c_str());
+ }
+#endif
+
bool SetCerts(const std::string& filename)
{
ERR_clear_error();
@@ -408,7 +418,7 @@ namespace OpenSSL
if (digest == NULL)
throw Exception("Unknown hash type " + hash);
- std::string ciphers = tag->getString("ciphers");
+ const std::string ciphers = tag->getString("ciphers");
if (!ciphers.empty())
{
if ((!ctx.SetCiphers(ciphers)) || (!clictx.SetCiphers(ciphers)))
@@ -418,6 +428,20 @@ namespace OpenSSL
}
}
+ const std::string ciphersuites = tag->getString("ciphersuites");
+ if (!ciphers.empty())
+ {
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ if ((!ctx.SetCiphersuites(ciphersuites)) || (!clictx.SetCiphersuites(ciphersuites)))
+ {
+ ERR_print_errors_cb(error_callback, this);
+ throw Exception("Can't set ciphersuite list to \"" + ciphersuites + "\" " + lasterr);
+ }
+#else
+ ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "You have configured <sslprofile:ciphersuites> but your version of OpenSSL does not support TLSv1.3+");
+#endif
+ }
+
#ifndef OPENSSL_NO_ECDH
const std::string curvename = tag->getString("ecdhcurve", "prime256v1", 1);
if (!curvename.empty())
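Review bot: The guard on the new ciphersuites block tests the wrong variable: `if (!ciphers.empty())` checks the TLSv1.2 cipher list read in the previous hunk, while the value it protects is `ciphersuites`; it should read `if (!ciphersuites.empty())`. As written, a profile that sets <sslprofile:ciphersuites> without <sslprofile:ciphers> has its ciphersuites silently ignored, and a profile that sets only <sslprofile:ciphers> calls SetCiphersuites() with an empty string, which presumably leaves the context with no usable TLSv1.3 ciphersuites (worth confirming against the OpenSSL version in use). The #else branch logs at LOG_DEBUG only, so an operator who configured ciphersuites on an OpenSSL without TLSv1.3 support is unlikely to see the message during normal operation; LOG_DEFAULT would make the dropped setting visible. The enclosing function starts and ends outside this hunk.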