From 4a51c367fa192adba69fac4bf0305ed38290ef19 Mon Sep 17 00:00:00 2001
From: Luke Bratch
Date: Thu, 2 Apr 2026 21:09:01 +0200
Subject: Allow configuring the OpenSSL security level, see https://docs.openssl.org/master/man3/SSL_CTX_set_security_level/#default-callback-behaviour for further details.
---
 blabouncer.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
(limited to 'blabouncer.c')
diff --git a/blabouncer.c b/blabouncer.c
index 443c75c..8f2aaf6 100644
--- a/blabouncer.c
+++ b/blabouncer.c
@@ -463,6 +463,18 @@ void dochat(int *serversockfd, int *clientsockfd, struct settings *settings) {
 // Set up and configure client OpenSSL context
 ctx = create_openssl_context(SOURCE_CLIENT);
 configure_openssl_context(ctx, settings->certfile, settings->keyfile);
+
+ // Optionally set OpenSSL security level
+ int ssl_sec_level = -1;
+ if (settings->sslseclevel >= 0) {
+ // SSL_CTX_set_security_level is void, no return to check
+ SSL_CTX_set_security_level(ctx, settings->sslseclevel);
+ ssl_sec_level = SSL_CTX_get_security_level(ctx);
+ debugprint(DEBUG_FULL, "dochat(): Client SSL_CTX security level '%d' requested and got set to '%d'.\n", settings->sslseclevel, ssl_sec_level);
+ } else {
+ ssl_sec_level = SSL_CTX_get_security_level(ctx);
+ debugprint(DEBUG_FULL, "dochat(): sslseclevel unset, no change to SSL_CTX security level requested, still set to '%d'.\n", ssl_sec_level);
+ }
 }
 
 // Let's set up signal handling stuff here since we're about to enter The Big Loop (TM)
@@ -1250,7 +1262,7 @@ int main(int argc, char *argv[]) {
 strncat(conffailmsg, "Error getting 'clienttls' from configuration file.\n", sizeof conffailmsg - strlen(conffailmsg) - 1);
 }
 
- // If so, load the certificates
+ // If so, load the certificates and optionally configure the security level
 if (settings.clienttls) {
 // What is the certificate file path?
 if (!getconfstr("certfile", settings.conffile, settings.certfile)) {
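Review bot: The security level is applied only after `configure_openssl_context(ctx, settings->certfile, settings->keyfile);` has already installed the certificate and key (and, presumably, the cipher list) into `ctx`, and OpenSSL checks a certificate's key strength against the level in force at the moment it is installed, so a raised `sslseclevel` does not gate that load-time check and a weak local key is caught, if at all, only during the handshake. Moving the call above that line, i.e. `if (settings->sslseclevel >= 0) { SSL_CTX_set_security_level(ctx, settings->sslseclevel); }` directly after `ctx = create_openssl_context(SOURCE_CLIENT);`, makes the configured level govern everything subsequently loaded into the context, and the `SSL_CTX_get_security_level()` reporting can stay where it is. A configured level of 0 switches off all of OpenSSL's strength checks, so that case deserves a log line more visible than `DEBUG_FULL` rather than the same message as any other value. Only the client context is touched here; if `dochat()` sets up a server-side context elsewhere, it is unaffected by `sslseclevel`. `dochat()` begins before and continues after this hunk.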
@@ -1269,6 +1281,12 @@ int main(int argc, char *argv[]) {
 exit(1);
 }
 }
+
+ // Has an OpenSSL security level been specified?
+ settings.sslseclevel = getconfint("sslseclevel", settings.conffile);
+ if (errno == ECONFINT) {
+ settings.sslseclevel = -1;
+ }
 }
 
 // Make sure the base directory exists
-- 
cgit v1.3
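Review bot: `errno` is not cleared before the `getconfint()` call, so the `errno == ECONFINT` test can fire on a value left over from an earlier failed lookup and silently discard a valid `sslseclevel` (or, if `getconfint()` only sets errno on failure, accept an undefined return) — the outcome depends on unrelated earlier calls. Add `errno = 0;` immediately before `settings.sslseclevel = getconfint("sslseclevel", settings.conffile);`. The value is also passed through unvalidated: OpenSSL defines levels 0 through 5 and treats anything higher as 5, while a negative value here is indistinguishable from "unset" in `dochat()`, so a range check that reports out-of-range values through the existing `conffailmsg` mechanism would surface typos instead of quietly ignoring them. `settings.sslseclevel` appears to be assigned only inside the `clienttls` branch, and `dochat()` treats 0 as an explicit request for level 0, so unless `settings` is initialised to -1 elsewhere (not visible here) the default should be set explicitly before this block. `main()` begins before and continues after this hunk.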