author | Adam <adam@sigterm.info> | 2015-03-12 17:53:52 -0400 |
---|---|---|
committer | Adam <adam@sigterm.info> | 2015-03-12 17:53:52 -0400 |
commit | 5fc72660e4237bd05222baec8956f0f19ded651f (patch) | |
tree | 1512fe1792e4717aa5d879a25ff061e03cd1287e | |
parent | 303e652a3563c50d8836996851341840b1ad4277 (diff) | |
parent | 1bee18fcf4fef8122d4b7f0872497e0a15bc8d53 (diff) |
Merge pull request #113 from attilamolnar/2.0+openssl
m_ssl_openssl: SSL context option changes
-rw-r--r-- | data/modules.example.conf | 8 | ||||
-rw-r--r-- | modules/extra/m_ssl_openssl.cpp | 18 |
2 files changed, 26 insertions, 0 deletions
diff --git a/data/modules.example.conf b/data/modules.example.conf
index 7d2c076f1..3baba44eb 100644
--- a/data/modules.example.conf
+++ b/data/modules.example.conf
@@ -622,6 +622,14 @@ module { name = "help" }
 */
 cert = "data/anope.crt"
 key = "data/anope.key"
+
+ /*
+ * As of 2014 SSL 3.0 is considered insecure, but it might be enabled
+ * on some systems by default for compatibility reasons.
+ * You can use the following option to enable or disable it explicitly.
+ * Leaving this option not set defaults to the default system behavior.
+ */
+ #sslv3 = no
 }
 
 /*
diff --git a/modules/extra/m_ssl_openssl.cpp b/modules/extra/m_ssl_openssl.cpp
index ebf88ad63..c26c63655 100644
--- a/modules/extra/m_ssl_openssl.cpp
+++ b/modules/extra/m_ssl_openssl.cpp
@@ -103,6 +103,10 @@ class SSLModule : public Module
 if (!client_ctx || !server_ctx)
 throw ModuleException("Error initializing SSL CTX");
 
+ long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE;
+ SSL_CTX_set_options(client_ctx, opts);
+ SSL_CTX_set_options(server_ctx, opts);
+
 SSL_CTX_set_mode(client_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 SSL_CTX_set_mode(server_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 
@@ -158,6 +162,20 @@ class SSLModule : public Module
 Log() << "Unable to open private key " << this->keyfile;
 }
 
+ // Allow disabling SSLv3
+ if (!config->Get<Anope::string>("sslv3").empty())
+ {
+ if (config->Get<bool>("sslv3"))
+ {
+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
+ }
+ else
+ {
+ SSL_CTX_set_options(client_ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_set_options(server_ctx, SSL_OP_NO_SSLv3);
+ }
+ }
 }
 
 void OnPreServerConnect() anope_override
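Review bot: The `opts` mask in the first m_ssl_openssl.cpp hunk leaves SSLv3 enabled by default, even though the example configuration added in the same commit calls SSL 3.0 insecure as of 2014, so every deployment that never writes `sslv3 = no` keeps it on; the safer default is to include `SSL_OP_NO_SSLv3` here and let the `sslv3 = yes` path in the second hunk, which already calls `SSL_CTX_clear_options`, re-enable it explicitly: `const long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE;`. `SSL_OP_NO_COMPRESSION` belongs in the same mask because TLS-level compression is rarely needed and is a known plaintext-leak vector. The two `SSL_CTX_set_options` calls discard the returned mask, which is fine, but the variable can be `const` since it is never modified. The enclosing function, presumably the module constructor given the context-creation check just above, begins outside the hunk.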
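Review bot: The new SSLv3 block in the second m_ssl_openssl.cpp hunk only touches the flag when the `sslv3` option is present, so if this function is the configuration reload handler (the surrounding certificate and key-file handling suggests it is) removing the option after a reload that set it leaves the earlier `SSL_CTX_set_options`/`SSL_CTX_clear_options` result in place instead of restoring the default the example configuration promises. Making the decision unconditional, i.e. dropping the `if (!config->Get<Anope::string>("sslv3").empty())` guard and choosing set or clear from `config->Get<bool>("sslv3")` alone with an absent option treated as `no`, makes reloads idempotent and gives a secure default; this assumes `Get<bool>` yields false for an absent option, which is worth confirming, and the example configuration comment would then need to say the option defaults to disabled. It also reads the option once rather than twice with two different types. The enclosing function starts outside the hunk.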