author | Sadie Powell <sadie@witchery.services> | 2024-01-09 21:04:33 +0000 |
---|---|---|
committer | Sadie Powell <sadie@witchery.services> | 2024-01-09 21:25:44 +0000 |
commit | 1e9c6d7931644b6becf05de800d9e74d59df3d2c (patch) | |
tree | 9b1d7334be249791119c6d357112e16e60f16fcb | |
parent | 5772b924cc11df5981d81afa82809eaf14f8ef91 (diff) |
Always disable SSLv3 support, allow disabling TLSv1.[012].
-rw-r--r-- | data/modules.example.conf | 11 | ||||
-rw-r--r-- | modules/extra/m_ssl_openssl.cpp | 45 |
2 files changed, 38 insertions, 18 deletions
diff --git a/data/modules.example.conf b/data/modules.example.conf
index f1706e7b3..fb4f6a6d9 100644
--- a/data/modules.example.conf
+++ b/data/modules.example.conf
@@ -630,12 +630,13 @@ module { name = "m_sasl" }
 key = "data/privkey.pem"
 /*
- * As of 2014 SSL 3.0 is considered insecure, but it might be enabled
- * on some systems by default for compatibility reasons.
- * You can use the following option to enable or disable it explicitly.
- * Leaving this option not set defaults to the default system behavior.
+ * If you wish to increase security you can disable support for older
+ * versions of TLS with no known vulnerabilities but that provide less
+ * security. For your security SSLv2 and SSLv3 are always disabled.
 */
- #sslv3 = no
+ #tlsv10 = no
+ #tlsv11 = no
+ #tlsv12 = yes
 }
 /*
diff --git a/modules/extra/m_ssl_openssl.cpp b/modules/extra/m_ssl_openssl.cpp
index 52959afee..9d1f81988 100644
--- a/modules/extra/m_ssl_openssl.cpp
+++ b/modules/extra/m_ssl_openssl.cpp
@@ -111,7 +111,7 @@ public:
 if (!client_ctx || !server_ctx)
 throw ModuleException("Error initializing SSL CTX");
- long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE;
+ long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE;
 SSL_CTX_set_options(client_ctx, opts);
 SSL_CTX_set_options(server_ctx, opts);
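Review bot: The new comment in the modules.example.conf hunk describes the older TLS versions as having `no known vulnerabilities`, which is not accurate: TLS 1.0 and 1.1 are formally deprecated (RFC 8996) because of known protocol-level weaknesses, and the code side of this commit already defaults `tlsv10` to off for that reason. The example also leaves a reader guessing what happens when a key is not set, because the commented sample values (`#tlsv11 = no`) differ from the in-code defaults visible in the m_ssl_openssl.cpp hunk (`tlsv10` off, `tlsv11` and `tlsv12` on). Suggested wording for the comment block: `* TLS 1.0 and 1.1 are deprecated and weaker than TLS 1.2; disable them unless you must interoperate with legacy peers. Defaults: tlsv10 = no, tlsv11 = yes, tlsv12 = yes. SSLv2 and SSLv3 are always disabled.`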
@@ -170,19 +170,38 @@ public:
 Log() << "Unable to open private key " << this->keyfile;
 }
- // Allow disabling SSLv3
- if (!config->Get<Anope::string>("sslv3").empty())
+ // Allow disabling old versions of TLS
+ if (config->Get<bool>("tlsv10", "false"))
 {
- if (config->Get<bool>("sslv3"))
- {
- SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
- SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
- }
- else
- {
- SSL_CTX_set_options(client_ctx, SSL_OP_NO_SSLv3);
- SSL_CTX_set_options(server_ctx, SSL_OP_NO_SSLv3);
- }
+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_TLSv1);
+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_TLSv1);
+ }
+ else
+ {
+ SSL_CTX_set_options(client_ctx, SSL_OP_NO_TLSv1);
+ SSL_CTX_set_options(server_ctx, SSL_OP_NO_TLSv1);
+ }
+
+ if (config->Get<bool>("tlsv11", "true"))
+ {
+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_TLSv1_1);
+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_TLSv1_1);
+ }
+ else
+ {
+ SSL_CTX_set_options(client_ctx, SSL_OP_NO_TLSv1_1);
+ SSL_CTX_set_options(server_ctx, SSL_OP_NO_TLSv1_1);
+ }
+
+ if (config->Get<bool>("tlsv12", "true"))
+ {
+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_TLSv1_2);
+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_TLSv1_2);
+ }
+ else
+ {
+ SSL_CTX_set_options(client_ctx, SSL_OP_NO_TLSv1_2);
+ SSL_CTX_set_options(server_ctx, SSL_OP_NO_TLSv1_2);
 }
 }
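Review bot: The three if/else blocks added in this hunk differ only in the config key and the `SSL_OP_NO_*` flag, and independent per-version toggles let an operator produce a non-contiguous set (`tlsv10 = yes`, `tlsv11 = no`, `tlsv12 = yes`); OpenSSL documents the `SSL_OP_NO_TLSv1*` options as deprecated since 1.1.0 in favour of `SSL_CTX_set_min_proto_version`/`SSL_CTX_set_max_proto_version`, which can only express a contiguous range, so a follow-up should consider that API once the minimum supported OpenSSL allows it. Until then a small helper applied to both contexts removes the duplication, and the comment above the first block should say that `SSL_CTX_clear_options` only removes this module's own mask — a minimum protocol set by the system openssl.cnf may still keep TLS 1.0 off even with `tlsv10 = yes`. The enclosing function begins before this hunk; the same set/clear pairing on `client_ctx` and `server_ctx` appears in the `@@ -111` hunk above, where the fixed `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` flags are applied.
```cpp
// … unchanged: certificate and private key loading …

// Allow disabling old versions of TLS. SSL_OP_NO_* only masks a version on
// this context; a minimum protocol set by the system openssl.cnf still applies.
SetProtocolEnabled(SSL_OP_NO_TLSv1, config->Get<bool>("tlsv10", "false"));
SetProtocolEnabled(SSL_OP_NO_TLSv1_1, config->Get<bool>("tlsv11", "true"));
SetProtocolEnabled(SSL_OP_NO_TLSv1_2, config->Get<bool>("tlsv12", "true"));

// … elsewhere in the class (private) …
// Clears the given SSL_OP_NO_* flag on both contexts when enabled, sets it otherwise.
void SetProtocolEnabled(long flag, bool enabled)
{
	if (enabled)
	{
		SSL_CTX_clear_options(client_ctx, flag);
		SSL_CTX_clear_options(server_ctx, flag);
	}
	else
	{
		SSL_CTX_set_options(client_ctx, flag);
		SSL_CTX_set_options(server_ctx, flag);
	}
}
```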