commit 6e4235443eb4dee0930a65e613c8bf5e00331f73 from: Alexander Barton date: Sun Oct 26 10:58:22 2014 UTC Merge branch 'CipherListNoSSL3' * CipherListNoSSL3: INSTALL: List the changed SSL CipherList default value. Update "CipherList" to not enable SSLv3 by default commit - f33a4067a16747c8fc5f1c0b5eb5e5520ee1e7a7 commit + 6e4235443eb4dee0930a65e613c8bf5e00331f73 blob - cf33fa3474685254cdc9c1f39f218698cc65a7da blob + 0aa853c1d2d2777377493356a88ad1c79023b1a3 --- INSTALL +++ INSTALL @@ -12,12 +12,21 @@ I. Upgrade Information ~~~~~~~~~~~~~~~~~~~~~~ +Differences to version 22.x + +- The default value of the SSL "CipherList" variable has been changed to + "HIGH:!aNULL:@STRENGTH:!SSLv3" (OpenSSL) and "SECURE128:-VERS-SSL3.0" + (GnuTLS) to disable the old SSLv3 protocol by default. + To enable connections of clients still requiring the weak SSLv3 protocol, + the "CipherList" must be set to its old value (not recommended!), which + was "HIGH:!aNULL:@STRENGTH" (OpenSSL) and "SECURE128" (GnuTLS), see below. + Differences to version 20.x - Starting with ngIRCd 21, the ciphers used by SSL are configurable and - default to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS). - Previous version were using the OpenSSL or GnuTLS defaults, DEFAULT - and NORMAL respectively. + default to "HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS). + Previous version were using the OpenSSL or GnuTLS defaults, "DEFAULT" + and "NORMAL" respectively. - When adding GLINE's or KLINE's to ngIRCd 21 (or newer), all clients matching the new mask will be KILL'ed. This was not the case with earlier versions blob - 1d07822c5b405e748af8da30f13c397837afa8fc blob + b5db1d9e1edffa5af2070dfc27bf9fa990590ce6 --- doc/sample-ngircd.conf.tmpl +++ doc/sample-ngircd.conf.tmpl @@ -259,9 +259,9 @@ # See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init' # (GnuTLS) for details. # For OpenSSL: - ;CipherList = HIGH:!aNULL:@STRENGTH + ;CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3 # For GnuTLS: - ;CipherList = SECURE128 + ;CipherList = SECURE128:-VERS-SSL3.0 # Diffie-Hellman parameters ;DHFile = :ETCDIR:/ssl/dhparams.pem blob - 9b2ed08259b3e0ea2b2fd95c3f6ad5a7382e00e6 blob + 0d57f902d46c4b5a0fb5f8cc3651a4030694554b --- man/ngircd.conf.5.tmpl +++ man/ngircd.conf.5.tmpl @@ -1,7 +1,7 @@ .\" .\" ngircd.conf(5) manual page template .\" -.TH ngircd.conf 5 "Jan 2014" ngIRCd "ngIRCd Manual" +.TH ngircd.conf 5 "Oct 2014" ngIRCd "ngIRCd Manual" .SH NAME ngircd.conf \- configuration file of ngIRCd .SH SYNOPSIS @@ -375,7 +375,7 @@ SSL Certificate file of the private server key. .TP \fBCipherList\fR (string) Select cipher suites allowed for SSL/TLS connections. This defaults to -"HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS). +"HIGH:!aNULL:@STRENGTH:!SSLv3" (OpenSSL) or "SECURE128:-VERS-SSL3.0" (GnuTLS). Please see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init' (GnuTLS) for details. .TP blob - 6692ecbbdd8b5f8bb21f981fec5981acfb21e3a9 blob + 5f8c392976d2c377e4d35e6799ec81936916c4b4 --- src/ngircd/conf.c +++ src/ngircd/conf.c @@ -88,10 +88,10 @@ static void Init_Server_Struct PARAMS(( CONF_SERVER *S #endif #ifdef HAVE_LIBSSL -#define DEFAULT_CIPHERS "HIGH:!aNULL:@STRENGTH" +#define DEFAULT_CIPHERS "HIGH:!aNULL:@STRENGTH:!SSLv3" #endif #ifdef HAVE_LIBGNUTLS -#define DEFAULT_CIPHERS "SECURE128" +#define DEFAULT_CIPHERS "SECURE128:-VERS-SSL3.0" #endif #ifdef SSL_SUPPORT