GNUTLS: Provide a default priority string, disable TLSv1.0 in it

The user can still override this choice with the ssl_cipher_list option in ircd.conf -- this is the only backend that will allow you to do so.
2016-12-30 17:39:45 +00:00 · 2016-12-30 17:39:45 +00:00 · 5bcd4c7c60
parent 1175ff837d
commit 5bcd4c7c60
2 changed files with 46 additions and 3 deletions
--- a/librb/src/gnutls.c
+++ b/librb/src/gnutls.c
@ -32,6 +32,7 @@
 #include <stdbool.h>

 #include <gnutls/gnutls.h>
+
 #include <gnutls/abstract.h>
 #include <gnutls/x509.h>

@ -41,6 +42,8 @@
 # include <gnutls/crypto.h>
 #endif

+#include "gnutls_ratbox.h"
+
 typedef enum
 {
 	RB_FD_TLS_DIRECTION_IN = 0,
@ -158,15 +161,16 @@ rb_ssl_init_fd(rb_fde_t *const F, const rb_fd_tls_direction dir)
 	}

 	gnutls_init((gnutls_session_t *) F->ssl, init_flags);
-	gnutls_set_default_priority(SSL_P(F));
 	gnutls_credentials_set(SSL_P(F), GNUTLS_CRD_CERTIFICATE, server_cert_key);
 	gnutls_dh_set_prime_bits(SSL_P(F), 2048);
-	gnutls_priority_set(SSL_P(F), default_priority);

 	gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) F);
 	gnutls_transport_set_pull_function(SSL_P(F), rb_sock_net_recv);
 	gnutls_transport_set_push_function(SSL_P(F), rb_sock_net_xmit);

+	if (gnutls_priority_set(SSL_P(F), default_priority) != GNUTLS_E_SUCCESS)
+		gnutls_set_default_priority(SSL_P(F));
+
 	if(dir == RB_FD_TLS_DIRECTION_IN)
 		gnutls_certificate_server_set_request(SSL_P(F), GNUTLS_CERT_REQUEST);
 }
@ -483,7 +487,7 @@ rb_init_ssl(void)

 int
 rb_setup_ssl_server(const char *const certfile, const char *keyfile,
-                    const char *const dhfile, const char *const cipherlist)
+                    const char *const dhfile, const char *cipherlist)
 {
 	if(certfile == NULL)
 	{
@ -494,6 +498,9 @@ rb_setup_ssl_server(const char *const certfile, const char *keyfile,
 	if(keyfile == NULL)
 		keyfile = certfile;

+	if(cipherlist == NULL)
+		cipherlist = rb_gnutls_default_priority_str;
+

 	gnutls_datum_t *const d_cert = rb_load_file_into_datum_t(certfile);
 	if(d_cert == NULL)
--- a/librb/src/gnutls_ratbox.h
+++ b/librb/src/gnutls_ratbox.h
@ -0,0 +1,36 @@
+/*
+ *  libratbox: a library used by ircd-ratbox and other things
+ *  gnutls_ratbox.h: embedded data for GNUTLS backend
+ *
+ *  Copyright (C) 2007-2008 ircd-ratbox development team
+ *  Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
+ *  USA
+ *
+ */
+
+static const char rb_gnutls_default_priority_str[] = ""
+	"+SECURE256:"
+	"+SECURE128:"
+	"!RSA:"
+	"+NORMAL:"
+	"!ARCFOUR-128:"
+	"!3DES-CBC:"
+	"!MD5:"
+	"VERS-TLS-ALL:"
+	"!VERS-TLS1.0:"
+	"!VERS-SSL3.0:"
+	"%SAFE_RENEGOTIATION";