Config option for SSL protocols (resolves #720)

ZNC currently disables SSLv2 and SSLv3 by default. To keep the ZNC
defaults (recommended, may change in the future versions) and for
example disable TLSv1 in addition, specify in the global config
section:

    SSLProtocols = -TLSv1

Available (case-insentive) values are:

    All, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2

A non-prefixed "absolute" value overrides the ZNC defaults:

    SSLProtocols = TLSV1 +TLSv1.1 +TLSv1.2
This commit is contained in:
J-P Nurmi
2014-11-06 20:39:00 +01:00
parent 54e8b62b87
commit b759c68847
3 changed files with 50 additions and 2 deletions
+2 -2
View File
@@ -22,7 +22,7 @@
CZNCSock::CZNCSock(int timeout) : Csock(timeout) {
#ifdef HAVE_LIBSSL
DisableSSLCompression();
DisableSSLProtocols(EDP_SSL);
DisableSSLProtocols(CZNC::Get().GetDisabledSSLProtocols());
CString sCipher = CZNC::Get().GetSSLCiphers();
if (!sCipher.empty()) {
SetCipher(sCipher);
@@ -33,7 +33,7 @@ CZNCSock::CZNCSock(int timeout) : Csock(timeout) {
CZNCSock::CZNCSock(const CString& sHost, u_short port, int timeout) : Csock(sHost, port, timeout) {
#ifdef HAVE_LIBSSL
DisableSSLCompression();
DisableSSLProtocols(EDP_SSL);
DisableSSLProtocols(CZNC::Get().GetDisabledSSLProtocols());
CString sCipher = CZNC::Get().GetSSLCiphers();
if (!sCipher.empty()) {
SetCipher(sCipher);
+45
View File
@@ -55,6 +55,8 @@ CZNC::CZNC() {
m_sConnectThrottle.SetTTL(30000);
m_pLockFile = NULL;
m_bProtectWebSessions = true;
m_uDisabledSSLProtocols = Csock::EDP_SSL;
m_sSSLProtocols = "";
}
CZNC::~CZNC() {
@@ -479,6 +481,10 @@ bool CZNC::WriteConfig() {
config.AddKeyValuePair("SSLCiphers", CString(m_sSSLCiphers));
}
if (!m_sSSLProtocols.empty()) {
config.AddKeyValuePair("SSLProtocols", m_sSSLProtocols);
}
for (unsigned int m = 0; m < m_vsMotd.size(); m++) {
config.AddKeyValuePair("Motd", m_vsMotd[m].FirstLine());
}
@@ -1094,6 +1100,45 @@ bool CZNC::DoRehash(CString& sError)
if (config.FindStringEntry("protectwebsessions", sVal))
m_bProtectWebSessions = sVal.ToBool();
if (config.FindStringEntry("sslprotocols", m_sSSLProtocols)) {
VCString vsProtocols;
m_sSSLProtocols.Split(" ", vsProtocols, false, "", "", true, true);
for (CString& sProtocol : vsProtocols) {
unsigned int uFlag = 0;
bool bEnable = sProtocol.TrimPrefix("+");
bool bDisable = sProtocol.TrimPrefix("-");
if (sProtocol.Equals("All")) {
uFlag = ~0;
} else if (sProtocol.Equals("SSLv2")) {
uFlag = Csock::EDP_SSLv2;
} else if (sProtocol.Equals("SSLv3")) {
uFlag = Csock::EDP_SSLv3;
} else if (sProtocol.Equals("TLSv1")) {
uFlag = Csock::EDP_TLSv1;
} else if (sProtocol.Equals("TLSv1.1")) {
uFlag = Csock::EDP_TLSv1_1;
} else if (sProtocol.Equals("TLSv1.2")) {
uFlag = Csock::EDP_TLSv1_2;
} else {
CUtils::PrintError("Invalid SSLProtocols value [" + sProtocol + "]");
CUtils::PrintError("The syntax is [SSLProtocols = [+|-]<protocol> ...]");
CUtils::PrintError("Available protocols are [SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2]");
return false;
}
if (bEnable) {
m_uDisabledSSLProtocols &= ~uFlag;
} else if (bDisable) {
m_uDisabledSSLProtocols |= uFlag;
} else {
m_uDisabledSSLProtocols = ~uFlag;
}
}
}
// This has to be after SSLCertFile is handled since it uses that value
const char *szListenerEntries[] = {
"listen", "listen6", "listen4",