| -rw-r--r-- | TODO | 2 | ||||
| -rw-r--r-- | blabouncer.c | 20 | ||||
| -rw-r--r-- | blabouncer.conf.example | 5 | ||||
| -rw-r--r-- | config.c | 5 | ||||
| -rw-r--r-- | structures.h | 1 |
5 files changed, 32 insertions, 1 deletions
@@ -63,3 +63,5 @@ NickServ HELP with SA receiving full message in one go? e.g. oper 05/01/2025 10: Allow specifying time zone for timestamps in config. Use default configuration options and stderr warn if missing and where possible.
+
+Implement SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version.
diff --git a/blabouncer.c b/blabouncer.c
index 443c75c..8f2aaf6 100644
--- a/blabouncer.c
+++ b/blabouncer.c
@@ -463,6 +463,18 @@ void dochat(int *serversockfd, int *clientsockfd, struct settings *settings) {
 // Set up and configure client OpenSSL context
 ctx = create_openssl_context(SOURCE_CLIENT);
 configure_openssl_context(ctx, settings->certfile, settings->keyfile);
+
+ // Optionally set OpenSSL security level
+ int ssl_sec_level = -1;
+ if (settings->sslseclevel >= 0) {
+ // SSL_CTX_set_security_level is void, no return to check
+ SSL_CTX_set_security_level(ctx, settings->sslseclevel);
+ ssl_sec_level = SSL_CTX_get_security_level(ctx);
+ debugprint(DEBUG_FULL, "dochat(): Client SSL_CTX security level '%d' requested and got set to '%d'.\n", settings->sslseclevel, ssl_sec_level);
+ } else {
+ ssl_sec_level = SSL_CTX_get_security_level(ctx);
+ debugprint(DEBUG_FULL, "dochat(): sslseclevel unset, no change to SSL_CTX security level requested, still set to '%d'.\n", ssl_sec_level);
+ }
 }
 // Let's set up signal handling stuff here since we're about to enter The Big Loop (TM)
@@ -1250,7 +1262,7 @@ int main(int argc, char *argv[]) {
 strncat(conffailmsg, "Error getting 'clienttls' from configuration file.\n", sizeof conffailmsg - strlen(conffailmsg) - 1);
 }
- // If so, load the certificates
+ // If so, load the certificates and optionally configure the security level
 if (settings.clienttls) {
 // What is the certificate file path?
 if (!getconfstr("certfile", settings.conffile, settings.certfile)) {
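Review bot: The value handed to `SSL_CTX_set_security_level` in the new dochat() block is never range-checked, even though the example config added in the same commit documents the valid range as 0 to 5; any non-negative integer from the config file goes straight to OpenSSL. Reading the level back with `SSL_CTX_get_security_level` is not a substitute for validation, since it most likely returns the stored value rather than what the security callback will enforce, so the "requested and got set to" debug line would always print the same number twice. A check where the value is read, or here before the set call, such as `if (settings->sslseclevel > 5) { fprintf(stderr, "sslseclevel %d out of range (0-5), ignoring.\n", settings->sslseclevel); settings->sslseclevel = -1; }`, gives the operator a visible warning instead of silently accepting a typo. OpenSSL's documentation describes level 0 as permitting everything, so a configured level below the library default is also worth an stderr warning in line with the TODO's own "stderr warn" policy. dochat()'s body starts and ends outside the hunk.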
@@ -1269,6 +1281,12 @@ int main(int argc, char *argv[]) {
 exit(1);
 }
 }
+
+ // Has an OpenSSL security level been specified?
+ settings.sslseclevel = getconfint("sslseclevel", settings.conffile);
+ if (errno == ECONFINT) {
+ settings.sslseclevel = -1;
+ }
 }
 // Make sure the base directory exists
diff --git a/blabouncer.conf.example b/blabouncer.conf.example
index 4e8e7f1..f5007c4 100644
--- a/blabouncer.conf.example
+++ b/blabouncer.conf.example
@@ -94,6 +94,11 @@ ircserverport = "6697"
 # If clienttls = "0" then this need not be set
 #keyfile = "/home/foo/.blabouncer/key.pem"
+# OpenSSL security level, from 0 to 5 at the time of writing, left at the OpenSSL default if undefined,
+# see https://docs.openssl.org/master/man3/SSL_CTX_set_security_level/#default-callback-behaviour
+# for further details
+#sslseclevel = "2"
+
 # Enable logging ("1" for yes or "0" for no)
 # Logs go to basedir/logs/ with one file per channel/nick
 logging = "1"
@@ -406,6 +406,11 @@ int createconfigfile(char *filename) {
 "# If clienttls = \"0\" then this need not be set\n"
 "#keyfile = \"/home/foo/.blabouncer/key.pem\"\n"
 "\n"
+ "# OpenSSL security level, from 0 to 5 at the time of writing, left at the OpenSSL default if undefined,\n"
+ "# see https://docs.openssl.org/master/man3/SSL_CTX_set_security_level/#default-callback-behaviour\n"
+ "# for further details\n"
+ "#sslseclevel = \"2\"\n"
+ "\n"
 "# Enable logging (\"1\" for yes or \"0\" for no)\n"
 "# Logs go to basedir/logs/ with one file per channel/nick\n"
 "logging = \"1\"\n"
diff --git a/structures.h b/structures.h
index 86f83b7..727640e 100644
--- a/structures.h
+++ b/structures.h
@@ -77,6 +77,7 @@ struct settings {
 char conffile[PATH_MAX];
 char certfile[PATH_MAX];
 char keyfile[PATH_MAX];
+ int sslseclevel; // OpenSSL security level, -1 is treated as "unset"
 int clienttls;
 int servertls;
 char basedir[PATH_MAX]; |
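Review bot: `errno` is compared against `ECONFINT` after `getconfint("sslseclevel", ...)` without being cleared first, so unless getconfint() is known to reset errno on success, a stale `ECONFINT` left by an earlier optional lookup would discard a level that was actually read from the file; add `errno = 0;` immediately before the call. Because this check alone decides whether a configured level is honoured, a silent misread here means the TLS context ends up weaker or stronger than the operator asked for with nothing in the logs to show it. main()'s body continues outside the hunk.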
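Review bot: The new `int sslseclevel` field in struct settings uses -1 as "unset", but the zero value of a zero-initialised struct is itself a valid level (0, the most permissive one in OpenSSL), so any code path that reaches dochat() without passing through the new getconfint() assignment in main() would request level 0 instead of leaving the OpenSSL default untouched. Setting `settings.sslseclevel = -1;` in main() before the configuration is read makes the sentinel hold regardless of how the struct is initialised, and keeps the field's own comment truthful. The struct definition starts and ends outside the hunk.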
