From 6404663b4588d606adfc06dbceeca24a4c748122 Mon Sep 17 00:00:00 2001
From: Luke Bratch
Date: Thu, 2 Apr 2026 21:13:20 +0200
Subject: Remove/update deprecated OpenSSL functions, change certificate PEM loading to allow loading a chain rather than just a single certificate.
---
 blabouncer.conf.example | 6 ++++--
 config.c | 6 ++++--
 sockets.c | 8 +++-----
 3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/blabouncer.conf.example b/blabouncer.conf.example
index f5007c4..3694f35 100644
--- a/blabouncer.conf.example
+++ b/blabouncer.conf.example
@@ -86,11 +86,13 @@ ircserverport = "6697"
 # Things such as the logs directory will be placed below this
 #basedir = "/home/foo/.blabouncer/"
-# Certificate file (defaults to /cert.pem)
+# Certificate chain PEM file (defaults to /cert.pem)
+# Can contain either a single certificate, or a chain of certificates starting with the subject and
+# ending with the root issuer
 # If clienttls = "0" then this need not be set
 #certfile = "/home/foo/.blabouncer/cert.pem"
-# Certificate key file (defaults to /key.pem)
+# Private key PEM file (defaults to /key.pem)
 # If clienttls = "0" then this need not be set
 #keyfile = "/home/foo/.blabouncer/key.pem"
diff --git a/config.c b/config.c
index 2a8db43..2bfb38c 100644
--- a/config.c
+++ b/config.c
@@ -398,11 +398,13 @@ int createconfigfile(char *filename) {
 "# Things such as the logs directory will be placed below this\n"
 "#basedir = \"/home/foo/.blabouncer/\"\n"
 "\n"
- "# Certificate file (defaults to /cert.pem)\n"
+ "# Certificate chain PEM file (defaults to /cert.pem)\n"
+ "# Can contain either a single certificate, or a chain of certificates starting with the subject and\n"
+ "# ending with the root issuer\n"
 "# If clienttls = \"0\" then this need not be set\n"
 "#certfile = \"/home/foo/.blabouncer/cert.pem\"\n"
 "\n"
- "# Certificate key file (defaults to /key.pem)\n"
+ "# Private key PEM file (defaults to /key.pem)\n"
 "# If clienttls = \"0\" then this need not be set\n"
 "#keyfile = \"/home/foo/.blabouncer/key.pem\"\n"
 "\n"
diff --git a/sockets.c b/sockets.c
index 0f0eefd..e4c8a00 100644
--- a/sockets.c
+++ b/sockets.c
@@ -173,9 +173,9 @@ SSL_CTX *create_openssl_context(int type) {
 SSL_CTX *ctx;
 if (type == 0) {
- method = SSLv23_client_method();
+ method = TLS_client_method();
 } else {
- method = SSLv23_server_method();
+ method = TLS_server_method();
 }
 ctx = SSL_CTX_new(method);
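Review bot: The new generated-config text tells the user the chain should end "with the root issuer", but for a server-side chain the self-signed root is optional: the peer already has to hold it in its trust store to accept the chain at all, and a file that stops at the last intermediate loads the same way with SSL_CTX_use_certificate_chain_file. Shipping the root only adds bytes to every handshake, so I would soften the two added lines to `"# Can contain either a single certificate, or a chain starting with the server certificate followed by\n"` and `"# its intermediate issuers in order (including the self-signed root is optional)\n"`. The same wording appears in the blabouncer.conf.example hunk and should be changed in step so the shipped example and the generated file stay identical.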
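Review bot: Switching to TLS_client_method()/TLS_server_method() still leaves the negotiated floor at whatever the OpenSSL build permits, which can include TLS 1.0 and 1.1, and nothing in this hunk pins a minimum version. The same OpenSSL 1.1.0+ API that provides these method functions also provides the version floor, so after `ctx = SSL_CTX_new(method);` (once its result has been checked) I would add `SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);`. If connectivity to old IRC servers matters, apply it at least on the server-side branch (type != 0), where the bouncer controls both ends of the policy, and make the client-side floor configurable. The rest of create_openssl_context, including any NULL check on the SSL_CTX_new result, is outside the hunk.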
@@ -192,15 +192,13 @@ SSL_CTX *create_openssl_context(int type) { // Configure OpenSSL context, with certfile and keyfile provided if // IRC server-side or set to NULL if bouncer client-side void configure_openssl_context(SSL_CTX *ctx, char *certfile, char *keyfile) { - SSL_CTX_set_ecdh_auto(ctx, 1); - /* Set the key and cert if set or return if not */ if (certfile == NULL || keyfile == NULL) { return; } - if (SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM) <= 0) { + if (SSL_CTX_use_certificate_chain_file(ctx, certfile) <= 0) { ERR_print_errors_fp(stderr); printf("Couldn't load certificate file '%s'. Hint: You can generate your own with OpenSSL. Once created, set its location in blabouncer.conf which by default is in ~/.blabouncer/.\n", certfile); debugprint(DEBUG_CRIT, "Couldn't load certificate file '%s'. Hint: You can generate your own with OpenSSL. Once created, set its location in blabouncer.conf which by default is in ~/.blabouncer/.\n", certfile); -- cgit v1.3
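Review bot: The header comment above configure_openssl_context still describes certfile as "the" certificate, while the call below it now accepts a whole chain and SSL_CTX_use_certificate_chain_file depends on the file being ordered leaf-first; I would extend the comment with `// certfile may hold a single PEM certificate or a chain (server cert first, then its issuers)` and add the same ordering hint to the printf/debugprint messages, since a mis-ordered file is not rejected at this call and will only surface later as a private-key mismatch. Dropping SSL_CTX_set_ecdh_auto looks safe to me because the TLS_server_method change elsewhere in this commit already requires an OpenSSL in which that macro is a no-op, but it is worth a line in the commit message. The key loading and any SSL_CTX_check_private_key call continue past the end of the hunk.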