mirror of
https://github.com/znc/znc.git
synced 2026-07-06 01:41:12 +02:00
Config option for SSL protocols (resolves #720)
ZNC currently disables SSLv2 and SSLv3 by default. To keep the ZNC
defaults (recommended, may change in the future versions) and for
example disable TLSv1 in addition, specify in the global config
section:
SSLProtocols = -TLSv1
Available (case-insentive) values are:
All, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
A non-prefixed "absolute" value overrides the ZNC defaults:
SSLProtocols = TLSV1 +TLSv1.1 +TLSv1.2
This commit is contained in:
+2
-2
@@ -22,7 +22,7 @@
|
||||
CZNCSock::CZNCSock(int timeout) : Csock(timeout) {
|
||||
#ifdef HAVE_LIBSSL
|
||||
DisableSSLCompression();
|
||||
DisableSSLProtocols(EDP_SSL);
|
||||
DisableSSLProtocols(CZNC::Get().GetDisabledSSLProtocols());
|
||||
CString sCipher = CZNC::Get().GetSSLCiphers();
|
||||
if (!sCipher.empty()) {
|
||||
SetCipher(sCipher);
|
||||
@@ -33,7 +33,7 @@ CZNCSock::CZNCSock(int timeout) : Csock(timeout) {
|
||||
CZNCSock::CZNCSock(const CString& sHost, u_short port, int timeout) : Csock(sHost, port, timeout) {
|
||||
#ifdef HAVE_LIBSSL
|
||||
DisableSSLCompression();
|
||||
DisableSSLProtocols(EDP_SSL);
|
||||
DisableSSLProtocols(CZNC::Get().GetDisabledSSLProtocols());
|
||||
CString sCipher = CZNC::Get().GetSSLCiphers();
|
||||
if (!sCipher.empty()) {
|
||||
SetCipher(sCipher);
|
||||
|
||||
+45
@@ -55,6 +55,8 @@ CZNC::CZNC() {
|
||||
m_sConnectThrottle.SetTTL(30000);
|
||||
m_pLockFile = NULL;
|
||||
m_bProtectWebSessions = true;
|
||||
m_uDisabledSSLProtocols = Csock::EDP_SSL;
|
||||
m_sSSLProtocols = "";
|
||||
}
|
||||
|
||||
CZNC::~CZNC() {
|
||||
@@ -479,6 +481,10 @@ bool CZNC::WriteConfig() {
|
||||
config.AddKeyValuePair("SSLCiphers", CString(m_sSSLCiphers));
|
||||
}
|
||||
|
||||
if (!m_sSSLProtocols.empty()) {
|
||||
config.AddKeyValuePair("SSLProtocols", m_sSSLProtocols);
|
||||
}
|
||||
|
||||
for (unsigned int m = 0; m < m_vsMotd.size(); m++) {
|
||||
config.AddKeyValuePair("Motd", m_vsMotd[m].FirstLine());
|
||||
}
|
||||
@@ -1094,6 +1100,45 @@ bool CZNC::DoRehash(CString& sError)
|
||||
if (config.FindStringEntry("protectwebsessions", sVal))
|
||||
m_bProtectWebSessions = sVal.ToBool();
|
||||
|
||||
if (config.FindStringEntry("sslprotocols", m_sSSLProtocols)) {
|
||||
VCString vsProtocols;
|
||||
m_sSSLProtocols.Split(" ", vsProtocols, false, "", "", true, true);
|
||||
|
||||
for (CString& sProtocol : vsProtocols) {
|
||||
|
||||
unsigned int uFlag = 0;
|
||||
bool bEnable = sProtocol.TrimPrefix("+");
|
||||
bool bDisable = sProtocol.TrimPrefix("-");
|
||||
|
||||
if (sProtocol.Equals("All")) {
|
||||
uFlag = ~0;
|
||||
} else if (sProtocol.Equals("SSLv2")) {
|
||||
uFlag = Csock::EDP_SSLv2;
|
||||
} else if (sProtocol.Equals("SSLv3")) {
|
||||
uFlag = Csock::EDP_SSLv3;
|
||||
} else if (sProtocol.Equals("TLSv1")) {
|
||||
uFlag = Csock::EDP_TLSv1;
|
||||
} else if (sProtocol.Equals("TLSv1.1")) {
|
||||
uFlag = Csock::EDP_TLSv1_1;
|
||||
} else if (sProtocol.Equals("TLSv1.2")) {
|
||||
uFlag = Csock::EDP_TLSv1_2;
|
||||
} else {
|
||||
CUtils::PrintError("Invalid SSLProtocols value [" + sProtocol + "]");
|
||||
CUtils::PrintError("The syntax is [SSLProtocols = [+|-]<protocol> ...]");
|
||||
CUtils::PrintError("Available protocols are [SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2]");
|
||||
return false;
|
||||
}
|
||||
|
||||
if (bEnable) {
|
||||
m_uDisabledSSLProtocols &= ~uFlag;
|
||||
} else if (bDisable) {
|
||||
m_uDisabledSSLProtocols |= uFlag;
|
||||
} else {
|
||||
m_uDisabledSSLProtocols = ~uFlag;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// This has to be after SSLCertFile is handled since it uses that value
|
||||
const char *szListenerEntries[] = {
|
||||
"listen", "listen6", "listen4",
|
||||
|
||||
Reference in New Issue
Block a user