-rw-r--r--src/modules/extra/m_ssl_openssl.cpp50
1 files changed, 48 insertions, 2 deletions
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index 33f848798..518712c00 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -102,10 +102,29 @@ class ModuleSSLOpenSSL : public Module
SSL_CTX* ctx;
SSL_CTX* clictx;
+ long ctx_options;
+ long clictx_options;
+
std::string sslports;
bool use_sha;
ServiceProvider iohook;
+
+ static void SetContextOptions(SSL_CTX* ctx, long defoptions, const std::string& ctxname, ConfigTag* tag)
+ {
+ long setoptions = tag->getInt(ctxname + "setoptions");
+ long clearoptions = tag->getInt(ctxname + "clearoptions");
+ ServerInstance->Logs->Log("m_ssl_openssl", DEBUG, "Setting OpenSSL %s context options, default: %ld set: %ld clear: %ld", ctxname.c_str(), defoptions, clearoptions, setoptions);
+
+ // Clear everything
+ SSL_CTX_clear_options(ctx, SSL_CTX_get_options(ctx));
+
+ // Set the default options and what is in the conf
+ SSL_CTX_set_options(ctx, defoptions | setoptions);
+ long final = SSL_CTX_clear_options(ctx, clearoptions);
+ ServerInstance->Logs->Log("m_ssl_openssl", DEFAULT, "OpenSSL %s context options: %ld", ctxname.c_str(), final);
+ }
+
public:
ModuleSSLOpenSSL() : iohook(this, "ssl/openssl", SERVICE_IOHOOK)
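Review bot: The DEBUG log in SetContextOptions prints the set and clear masks swapped: the format string names `set:` before `clear:`, but the arguments are passed as `clearoptions, setoptions`, so any admin reading that line to debug their config sees the two values reversed. Fix the argument order: `ServerInstance->Logs->Log("m_ssl_openssl", DEBUG, "Setting OpenSSL %s context options, default: %ld set: %ld clear: %ld", ctxname.c_str(), defoptions, setoptions, clearoptions);`. It is also worth stating in a comment that `clearoptions` is applied after the defaults and can therefore remove them, e.g. `// clearoptions is applied last, so it can strip defaults such as SSL_OP_NO_SSLv2` above the final SSL_CTX_clear_options call, since the DEFAULT-level log of the final mask is the only place this becomes visible.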
@@ -128,8 +147,20 @@ class ModuleSSLOpenSSL : public Module
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify);
SSL_CTX_set_verify(clictx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify);
- const unsigned char session_id[] = "inspircd";
- SSL_CTX_set_session_id_context(ctx, session_id, sizeof(session_id) - 1);
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+ SSL_CTX_set_session_cache_mode(clictx, SSL_SESS_CACHE_OFF);
+
+ long opts = SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE;
+ // Only turn options on if they exist
+#ifdef SSL_OP_SINGLE_ECDH_USE
+ opts |= SSL_OP_SINGLE_ECDH_USE;
+#endif
+#ifdef SSL_OP_NO_TICKET
+ opts |= SSL_OP_NO_TICKET;
+#endif
+
+ ctx_options = SSL_CTX_set_options(ctx, opts);
+ clictx_options = SSL_CTX_set_options(clictx, opts);
}
void init()
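Review bot: `ctx_options` and `clictx_options` are assigned the return value of SSL_CTX_set_options, which is the context's resulting option mask rather than `opts` alone, and nothing documents why the two members are kept; a comment above the assignments such as `// Remember the effective default mask so a later rehash can rebuild the options from it` would record the contract the new SetContextOptions helper relies on. The baseline also disables only SSLv2: SSL_OP_NO_SSLv3 is not part of `opts`, so SSLv3 stays negotiable unless an admin adds it through the new setoptions config, which may be intended but deserves a sentence in the module documentation. The constructor this hunk modifies starts before the hunk.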
@@ -211,10 +242,17 @@ class ModuleSSLOpenSSL : public Module
throw ModuleException("Unknown hash type " + hash);
use_sha = (hash == "sha1");
+ if (conf->getBool("customcontextoptions"))
+ {
+ SetContextOptions(ctx, ctx_options, "server", conf);
+ SetContextOptions(clictx, clictx_options, "client", conf);
+ }
+
std::string ciphers = conf->getString("ciphers", "");
if (!ciphers.empty())
{
+ ERR_clear_error();
if ((!SSL_CTX_set_cipher_list(ctx, ciphers.c_str())) || (!SSL_CTX_set_cipher_list(clictx, ciphers.c_str())))
{
ServerInstance->Logs->Log("m_ssl_openssl",DEFAULT, "m_ssl_openssl.so: Can't set cipher list to %s.", ciphers.c_str());
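Review bot: The new `customcontextoptions` block only ever applies options and never restores them, so if this code runs on rehash (its enclosing function starts and ends outside the hunk) an admin who removes or disables `customcontextoptions` after having used it keeps the previously set or cleared options on both contexts, including anything cleared from the defaults. An `else` branch that rebuilds the contexts from the stored `ctx_options`/`clictx_options` would make the config the single source of truth; the rewritten block is below. This relies on `ctx_options`/`clictx_options` holding the constructor's effective default mask, which the rest of the diff suggests but this hunk does not show.
```cpp
	if (conf->getBool("customcontextoptions"))
	{
		SetContextOptions(ctx, ctx_options, "server", conf);
		SetContextOptions(clictx, clictx_options, "client", conf);
	}
	else
	{
		// No custom options in the config: reset both contexts to the
		// defaults captured at construction so an earlier rehash cannot linger.
		SSL_CTX_clear_options(ctx, SSL_CTX_get_options(ctx));
		SSL_CTX_set_options(ctx, ctx_options);
		SSL_CTX_clear_options(clictx, SSL_CTX_get_options(clictx));
		SSL_CTX_set_options(clictx, clictx_options);
	}
	// … unchanged: cipher list handling …
```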
@@ -225,12 +263,14 @@ class ModuleSSLOpenSSL : public Module
/* Load our keys and certificates
* NOTE: OpenSSL's error logging API sucks, don't blame us for this clusterfuck.
*/
+ ERR_clear_error();
if ((!SSL_CTX_use_certificate_chain_file(ctx, certfile.c_str())) || (!SSL_CTX_use_certificate_chain_file(clictx, certfile.c_str())))
{
ServerInstance->Logs->Log("m_ssl_openssl",DEFAULT, "m_ssl_openssl.so: Can't read certificate file %s. %s", certfile.c_str(), strerror(errno));
ERR_print_errors_cb(error_callback, this);
}
+ ERR_clear_error();
if (((!SSL_CTX_use_PrivateKey_file(ctx, keyfile.c_str(), SSL_FILETYPE_PEM))) || (!SSL_CTX_use_PrivateKey_file(clictx, keyfile.c_str(), SSL_FILETYPE_PEM)))
{
ServerInstance->Logs->Log("m_ssl_openssl",DEFAULT, "m_ssl_openssl.so: Can't read key file %s. %s", keyfile.c_str(), strerror(errno));
@@ -238,6 +278,7 @@ class ModuleSSLOpenSSL : public Module
}
/* Load the CAs we trust*/
+ ERR_clear_error();
if (((!SSL_CTX_load_verify_locations(ctx, cafile.c_str(), 0))) || (!SSL_CTX_load_verify_locations(clictx, cafile.c_str(), 0)))
{
ServerInstance->Logs->Log("m_ssl_openssl",DEFAULT, "m_ssl_openssl.so: Can't read CA list from %s. This is only a problem if you want to verify client certificates, otherwise it's safe to ignore this message. Error: %s", cafile.c_str(), strerror(errno));
@@ -264,6 +305,8 @@ class ModuleSSLOpenSSL : public Module
#else
ret = PEM_read_DHparams(dhpfile, NULL, NULL, NULL);
#endif
+
+ ERR_clear_error();
if ((SSL_CTX_set_tmp_dh(ctx, ret) < 0) || (SSL_CTX_set_tmp_dh(clictx, ret) < 0))
{
ServerInstance->Logs->Log("m_ssl_openssl",DEFAULT, "m_ssl_openssl.so: Couldn't set DH parameters %s. SSL errors follow:", dhfile.c_str());
@@ -426,6 +469,7 @@ class ModuleSSLOpenSSL : public Module
if (session->status == ISSL_OPEN)
{
+ ERR_clear_error();
char* buffer = ServerInstance->GetReadBuffer();
size_t bufsiz = ServerInstance->Config->NetBufferSize;
int ret = SSL_read(session->sess, buffer, bufsiz);
@@ -496,6 +540,7 @@ class ModuleSSLOpenSSL : public Module
if (session->status == ISSL_OPEN)
{
+ ERR_clear_error();
int ret = SSL_write(session->sess, buffer.data(), buffer.size());
if (ret == (int)buffer.length())
{
@@ -542,6 +587,7 @@ class ModuleSSLOpenSSL : public Module
{
int ret;
+ ERR_clear_error();
if (session->outbound)
ret = SSL_connect(session->sess);
else