authorLuke Bratch <luke@bratch.co.uk>2026-04-02 21:09:01 +0200
committerLuke Bratch <luke@bratch.co.uk>2026-04-02 21:09:01 +0200
commit4a51c367fa192adba69fac4bf0305ed38290ef19 (patch)
treee3150713e128470fee36065fb6ecdb5f1d5646c8
parent83da1b192647a7abc2b8cf8561b221a3c0b3d398 (diff)
Allow configuring the OpenSSL security level, see https://docs.openssl.org/master/man3/SSL_CTX_set_security_level/#default-callback-behaviour for further details.
-rw-r--r--TODO2
-rw-r--r--blabouncer.c20
-rw-r--r--blabouncer.conf.example5
-rw-r--r--config.c5
-rw-r--r--structures.h1
5 files changed, 32 insertions, 1 deletions
diff --git a/TODO b/TODO
index 2164755..30ee1fa 100644
--- a/TODO
+++ b/TODO
@@ -63,3 +63,5 @@ NickServ HELP with SA receiving full message in one go? e.g. oper 05/01/2025 10:
Allow specifying time zone for timestamps in config.
Use default configuration options and stderr warn if missing and where possible.
+
+Implement SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version.
diff --git a/blabouncer.c b/blabouncer.c
index 443c75c..8f2aaf6 100644
--- a/blabouncer.c
+++ b/blabouncer.c
@@ -463,6 +463,18 @@ void dochat(int *serversockfd, int *clientsockfd, struct settings *settings) {
// Set up and configure client OpenSSL context
ctx = create_openssl_context(SOURCE_CLIENT);
configure_openssl_context(ctx, settings->certfile, settings->keyfile);
+
+ // Optionally set OpenSSL security level
+ int ssl_sec_level = -1;
+ if (settings->sslseclevel >= 0) {
+ // SSL_CTX_set_security_level is void, no return to check
+ SSL_CTX_set_security_level(ctx, settings->sslseclevel);
+ ssl_sec_level = SSL_CTX_get_security_level(ctx);
+ debugprint(DEBUG_FULL, "dochat(): Client SSL_CTX security level '%d' requested and got set to '%d'.\n", settings->sslseclevel, ssl_sec_level);
+ } else {
+ ssl_sec_level = SSL_CTX_get_security_level(ctx);
+ debugprint(DEBUG_FULL, "dochat(): sslseclevel unset, no change to SSL_CTX security level requested, still set to '%d'.\n", ssl_sec_level);
+ }
}
// Let's set up signal handling stuff here since we're about to enter The Big Loop (TM)
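Review bot: The value from `settings->sslseclevel` is handed to SSL_CTX_set_security_level unvalidated, and the only feedback is a DEBUG_FULL line that prints the requested and resulting levels side by side without flagging a mismatch, so a misconfigured value is accepted silently. Level 0 in particular disables OpenSSL's minimum key-size and algorithm checks, which is the kind of setting an operator should be told about at a visible log level rather than only in full debug output. Suggest comparing the two after the call, e.g. `if (ssl_sec_level != settings->sslseclevel) fprintf(stderr, "Warning: requested OpenSSL security level %d but context reports %d.\n", settings->sslseclevel, ssl_sec_level);`, and documenting next to the call that this applies only to the client-facing context created a few lines above; whether the server-side context should honour the same setting cannot be judged from this hunk. dochat() starts outside the hunk.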
@@ -1250,7 +1262,7 @@ int main(int argc, char *argv[]) {
strncat(conffailmsg, "Error getting 'clienttls' from configuration file.\n", sizeof conffailmsg - strlen(conffailmsg) - 1);
}
- // If so, load the certificates
+ // If so, load the certificates and optionally configure the security level
if (settings.clienttls) {
// What is the certificate file path?
if (!getconfstr("certfile", settings.conffile, settings.certfile)) {
@@ -1269,6 +1281,12 @@ int main(int argc, char *argv[]) {
exit(1);
}
}
+
+ // Has an OpenSSL security level been specified?
+ settings.sslseclevel = getconfint("sslseclevel", settings.conffile);
+ if (errno == ECONFINT) {
+ settings.sslseclevel = -1;
+ }
}
// Make sure the base directory exists
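Review bot: The result of `getconfint("sslseclevel", ...)` is stored without a range check, so a negative configured value silently collapses into the same "-1, unset" case as an absent key, and a value above the documented maximum of 5 is kept and later passed to OpenSSL as-is. Since this block already accumulates configuration problems into conffailmsg, the same pattern fits here: `if (settings.sslseclevel != -1 && (settings.sslseclevel < 0 || settings.sslseclevel > 5)) strncat(conffailmsg, "Invalid 'sslseclevel' in configuration file, expected 0 to 5.\n", sizeof conffailmsg - strlen(conffailmsg) - 1);`. The `errno == ECONFINT` test also presumes getconfint clears errno on success; if it only sets errno on failure, a stale ECONFINT from an earlier lookup would wrongly mark the level as unset, so either confirm that contract or set `errno = 0;` before the call. main() starts and ends outside the hunk.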
diff --git a/blabouncer.conf.example b/blabouncer.conf.example
index 4e8e7f1..f5007c4 100644
--- a/blabouncer.conf.example
+++ b/blabouncer.conf.example
@@ -94,6 +94,11 @@ ircserverport = "6697"
# If clienttls = "0" then this need not be set
#keyfile = "/home/foo/.blabouncer/key.pem"
+# OpenSSL security level, from 0 to 5 at the time of writing, left at the OpenSSL default if undefined,
+# see https://docs.openssl.org/master/man3/SSL_CTX_set_security_level/#default-callback-behaviour
+# for further details
+#sslseclevel = "2"
+
# Enable logging ("1" for yes or "0" for no)
# Logs go to basedir/logs/ with one file per channel/nick
logging = "1"
diff --git a/config.c b/config.c
index 938b597..2a8db43 100644
--- a/config.c
+++ b/config.c
@@ -406,6 +406,11 @@ int createconfigfile(char *filename) {
"# If clienttls = \"0\" then this need not be set\n"
"#keyfile = \"/home/foo/.blabouncer/key.pem\"\n"
"\n"
+ "# OpenSSL security level, from 0 to 5 at the time of writing, left at the OpenSSL default if undefined,\n"
+ "# see https://docs.openssl.org/master/man3/SSL_CTX_set_security_level/#default-callback-behaviour\n"
+ "# for further details\n"
+ "#sslseclevel = \"2\"\n"
+ "\n"
"# Enable logging (\"1\" for yes or \"0\" for no)\n"
"# Logs go to basedir/logs/ with one file per channel/nick\n"
"logging = \"1\"\n"
diff --git a/structures.h b/structures.h
index 86f83b7..727640e 100644
--- a/structures.h
+++ b/structures.h
@@ -77,6 +77,7 @@ struct settings {
char conffile[PATH_MAX];
char certfile[PATH_MAX];
char keyfile[PATH_MAX];
+ int sslseclevel; // OpenSSL security level, -1 is treated as "unset"
int clienttls;
int servertls;
char basedir[PATH_MAX];