*/
#define UNREALIRCD_DEFAULT_CIPHERS "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-128-GCM-SHA256 TLS13-AES-256-GCM-SHA384 EECDH+CHACHA20 EECDH+AESGCM EECDH+AES AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA"
+/* Default SSL/TLS curves for ECDH(E)
+ * This can be changed via set::ssl::options::ecdh-curve in the config file.
+ * NOTE: This requires openssl 1.0.2 or newer, otherwise these defaults
+ * are not applied, due to the missing openssl API call.
+ */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#define UNREALIRCD_DEFAULT_ECDH_CURVES "X25519:secp521r1:secp384r1:prime256v1"
+#else
+#define UNREALIRCD_DEFAULT_ECDH_CURVES "secp521r1:secp384r1:prime256v1"
+#endif
+
/* ------------------------- END CONFIGURATION SECTION -------------------- */
#define MOTD MPATH
#define RULES RPATH
i->ssl_options->trusted_ca_file = strdup(tmp);
i->ssl_options->ciphers = strdup(UNREALIRCD_DEFAULT_CIPHERS);
i->ssl_options->protocols = SSL_PROTOCOL_ALL;
+#ifdef HAS_SSL_CTX_SET1_CURVES_LIST
+ i->ssl_options->ecdh_curves = strdup(UNREALIRCD_DEFAULT_ECDH_CURVES);
+#endif
i->plaintext_policy_user = PLAINTEXT_POLICY_ALLOW;
i->plaintext_policy_oper = PLAINTEXT_POLICY_WARN;
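Review bot: The new `#ifdef HAS_SSL_CTX_SET1_CURVES_LIST` block leaves `ecdh_curves` NULL on OpenSSL builds that lack SSL_CTX_set1_curves_list(), and nothing at this site says what the TLS setup then does with a NULL list; a one-line comment would spare the next reader a search, e.g. `/* Stays NULL on OpenSSL builds without SSL_CTX_set1_curves_list(); the TLS context setup then falls back to its compiled-in default */` (elsewhere in this patch the fallback appears to be the SSL_CTX_set_ecdh_auto branch — confirm). The unchecked `strdup` matches the neighbouring `ciphers` and `trusted_ca_file` lines, so it is consistent with the file's existing style. The enclosing function starts and ends outside the hunk.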
safestrdup(ssloptions->trusted_ca_file, tempiConf.ssl_options->trusted_ca_file);
ssloptions->protocols = tempiConf.ssl_options->protocols;
safestrdup(ssloptions->ciphers, tempiConf.ssl_options->ciphers);
+ safestrdup(ssloptions->ecdh_curves, tempiConf.ssl_options->ecdh_curves);
ssloptions->options = tempiConf.ssl_options->options;
ssloptions->renegotiate_bytes = tempiConf.ssl_options->renegotiate_bytes;
ssloptions->renegotiate_timeout = tempiConf.ssl_options->renegotiate_timeout;
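Review bot: `safestrdup(ssloptions->ecdh_curves, tempiConf.ssl_options->ecdh_curves);` adds a heap string to the per-listener options, but the hunk does not show the matching release in whatever frees `ssloptions` on rehash; if that routine is not updated in the same commit, every rehash leaks one copied curve list per listener, so it is worth confirming a corresponding free was added. The copy is also unguarded while the defaults side is under `#ifdef HAS_SSL_CTX_SET1_CURVES_LIST`, which is fine provided `safestrdup` tolerates a NULL source as it presumably does for `trusted_ca_file`; a short comment such as `/* NULL on OpenSSL builds without SSL_CTX_set1_curves_list() */` would mark the asymmetry as intentional. The enclosing function starts and ends outside the hunk.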
#ifdef HAS_SSL_CTX_SET1_CURVES_LIST
if (!SSL_CTX_set1_curves_list(ctx, ssloptions->ecdh_curves))
{
- config_warn("Failed to set ecdh-curves '%s'. "
+ config_warn("Failed to apply ecdh-curves '%s'. "
"To get a list of supported curves with the "
"appropriate names, run "
"'openssl ecparam -list_curves' on the server. "
goto fail;
#endif
} else {
- /* Not specified by user. Set some good default */
+ /* Set some good default (note that usually we don't get here
+ * because ssloptions->ecdh_curves is typically set, either
+ * via config_setdefaultsettings or by the user).
+ */
#if defined(SSL_CTX_set_ecdh_auto)
SSL_CTX_set_ecdh_auto(ctx, 1);
#elif OPENSSL_VERSION_NUMBER < 0x10100000L
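Review bot: When `HAS_SSL_CTX_SET1_CURVES_LIST` is not defined, everything between the `#ifdef` at the top of the hunk and its `#endif` compiles away, so an `ecdh-curve` value the administrator did configure is silently dropped and the context is left to the fallback branch; an operator who deliberately restricted the curve list would never learn it is not in force. Unless the config parser already rejects the directive on such builds (not visible here), add an `#else` arm before the `#endif`: `#else` / `config_warn("ecdh-curves setting ignored: this OpenSSL build lacks SSL_CTX_set1_curves_list()");`. The existing `goto fail;` after a rejected curve string is the right fail-closed choice and should stay. The rewritten comment in the `else` branch reads well; it could be shortened to `/* Reached only when no curve list was set, e.g. on OpenSSL builds without SSL_CTX_set1_curves_list() */`. The enclosing `if` opens before the hunk and the `#elif` chain continues after it.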