From cac9da4951447ddab494a36c4561aa8a9ba9c868 Mon Sep 17 00:00:00 2001 From: Edoardo Spadolini Date: Fri, 2 Jan 2015 23:36:36 +0100 Subject: [PATCH 1/2] Update Csocket to 0119a006bdfb6223a1a86d48b02efee87d11b721 --- include/znc/Csocket.h | 3 +++ src/Csocket.cpp | 13 +++++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/include/znc/Csocket.h b/include/znc/Csocket.h index 5d8794fe..45372122 100644 --- a/include/znc/Csocket.h +++ b/include/znc/Csocket.h @@ -859,6 +859,8 @@ public: void DisableSSLProtocols( u_int uDisableOpts ) { m_uDisableProtocols = uDisableOpts; } //! allow disabling compression void DisableSSLCompression() { m_bNoSSLCompression = true; } + //! select the ciphers in server-preferred order + void FollowSSLCipherServerPreference() { m_bSSLCipherServerPreference = true; } //! Set the cipher type ( openssl cipher [to see ciphers available] ) void SetCipher( const CS_STRING & sCipher ); const CS_STRING & GetCipher() const; @@ -1186,6 +1188,7 @@ private: uint32_t m_iRequireClientCertFlags; u_int m_uDisableProtocols; bool m_bNoSSLCompression; + bool m_bSSLCipherServerPreference; FPCertVerifyCB m_pCerVerifyCB; diff --git a/src/Csocket.cpp b/src/Csocket.cpp index 8d613f7a..2f4142b6 100644 --- a/src/Csocket.cpp +++ b/src/Csocket.cpp @@ -1041,6 +1041,7 @@ void Csock::Copy( const Csock & cCopy ) #ifdef HAVE_LIBSSL m_bNoSSLCompression = cCopy.m_bNoSSLCompression; + m_bSSLCipherServerPreference = cCopy.m_bSSLCipherServerPreference; m_uDisableProtocols = cCopy.m_uDisableProtocols; m_iRequireClientCertFlags = cCopy.m_iRequireClientCertFlags; m_sSSLBuffer = cCopy.m_sSSLBuffer; @@ -1433,6 +1434,10 @@ bool Csock::ConfigureCTXOptions( SSL_CTX * pCTX ) if( m_bNoSSLCompression ) uCTXOptions |= SSL_OP_NO_COMPRESSION; #endif /* SSL_OP_NO_COMPRESSION */ +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE + if( m_bSSLCipherServerPreference ) + uCTXOptions |= SSL_OP_CIPHER_SERVER_PREFERENCE; +#endif /* SSL_OP_CIPHER_SERVER_PREFERENCE */ if( uCTXOptions ) SSL_CTX_set_options( pCTX, uCTXOptions ); } @@ -1708,7 +1713,7 @@ SSL_CTX * Csock::SetupServerCTX() // Presumably PEM_read_DHparams failed, as there was no DH structure. Clearing those errors here so they are removed off the stack ERR_clear_error(); } - +#ifndef OPENSSL_NO_ECDH // Errors for the following block are non-fatal (ECDHE is nice to have // but not a requirement) #if defined( SSL_CTX_set_ecdh_auto ) @@ -1725,8 +1730,11 @@ SSL_CTX * Csock::SetupServerCTX() EC_KEY_free( ecdh ); } else + { ERR_clear_error(); -#endif + } +#endif /* SSL_CTX_set_tmp_ecdh */ +#endif /* OPENSSL_NO_ECDH */ if( !ConfigureCTXOptions( pCTX ) ) { @@ -2992,6 +3000,7 @@ void Csock::Init( const CS_STRING & sHostname, uint16_t uPort, int iTimeout ) m_iRequireClientCertFlags = 0; m_uDisableProtocols = 0; m_bNoSSLCompression = false; + m_bSSLCipherServerPreference = false; #endif /* HAVE_LIBSSL */ m_iTcount = 0; m_iReadSock = CS_INVALID_SOCK; From 507f9b3392c6388da6dd644eda1fe42aa47b925c Mon Sep 17 00:00:00 2001 From: Edoardo Spadolini Date: Fri, 2 Jan 2015 23:40:15 +0100 Subject: [PATCH 2/2] Follow SSL Cipher Server Preference --- src/Socket.cpp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/Socket.cpp b/src/Socket.cpp index 3cd9e7ac..49185299 100644 --- a/src/Socket.cpp +++ b/src/Socket.cpp @@ -40,6 +40,7 @@ static CString ZNC_DefaultCipher() { CZNCSock::CZNCSock(int timeout) : Csock(timeout) { #ifdef HAVE_LIBSSL DisableSSLCompression(); + FollowSSLCipherServerPreference(); DisableSSLProtocols(CZNC::Get().GetDisabledSSLProtocols()); CString sCipher = CZNC::Get().GetSSLCiphers(); if (sCipher.empty()) { @@ -52,6 +53,7 @@ CZNCSock::CZNCSock(int timeout) : Csock(timeout) { CZNCSock::CZNCSock(const CString& sHost, u_short port, int timeout) : Csock(sHost, port, timeout) { #ifdef HAVE_LIBSSL DisableSSLCompression(); + FollowSSLCipherServerPreference(); DisableSSLProtocols(CZNC::Get().GetDisabledSSLProtocols()); #endif }