New set::ssl::options::ciphersuites option for TLSv1.3.
authorBram Matthys <redacted>
Thu, 20 Sep 2018 18:14:18 +0000 (20:14 +0200)
committerBram Matthys <redacted>
Thu, 20 Sep 2018 18:14:18 +0000 (20:14 +0200)
Since OpenSSL decided not to configure TLSv1.3 through the regular cipher list but
through a separate option, we now make this a separate option as well.
So there is ::ciphers for <=TLSv1.2 and ::ciphersuites for TLSv1.3
More documentation will follow.
Patch from 'i' in https://bugs.unrealircd.org/view.php?id=5149

include/config.h
include/struct.h
src/s_conf.c
src/ssl.c

index 1de804478f2adefb5f689e92466c0526631c68cb..e6ad88b87be3b9c7077d725c89fce6f1bf834fda 100644 (file)
  */
 #undef EXPERIMENTAL
 
-/* Default SSL/TLS cipherlist.
+/* Default SSL/TLS cipherlist (except for TLS1.3, see further down).
  * This can be changed via set::ssl::options::ciphers in the config file.
  */
 #define UNREALIRCD_DEFAULT_CIPHERS "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-128-GCM-SHA256 TLS13-AES-256-GCM-SHA384 EECDH+CHACHA20 EECDH+AESGCM EECDH+AES AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA"
 
+/* Default TLS 1.3 ciphersuites.
+ * This can be changed via set::ssl::options::ciphersuites in the config file.
+ */
+#define UNREALIRCD_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256"
+
 /* Default SSL/TLS curves for ECDH(E)
  * This can be changed via set::ssl::options::ecdh-curve in the config file.
  * NOTE: This requires openssl 1.0.2 or newer, otherwise these defaults
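Review bot: The rewritten comment on the `UNREALIRCD_DEFAULT_CIPHERS` block now says TLS 1.3 is handled further down, yet the define directly below it still opens with three `TLS13-...` entries, which appear to be the pre-release spellings of the suites the new `UNREALIRCD_DEFAULT_CIPHERSUITES` list names in the `TLS_...` form. With a library that provides `SSL_CTX_set_ciphersuites`, those three tokens presumably match nothing and are silently skipped by the cipher-list parser, so the default now carries entries that document an intent the library no longer honours. Either drop them from the cipher list or say why they stay, e.g. `/* Leading TLS13-* entries only matter for OpenSSL pre-releases; with a final 1.1.1+ TLS 1.3 suites come from UNREALIRCD_DEFAULT_CIPHERSUITES. */`. Note also that the two defaults differ in preference order (CHACHA20 first for the `TLS13-*` entries, AES-256-GCM first in the new list) and in separator (spaces versus colons); a one-line comment on the new define stating that the colon separator is what the OpenSSL API expects would save a misconfiguration later.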
index a2809b8b87b2c08a2fa00d1a6e85ef9fb9e5b235..845b668ca10f4b98c9b0a5c6a70d40dafd9aabc9 100644 (file)
@@ -1126,6 +1126,7 @@ struct _ssloptions {
        char *trusted_ca_file;
        unsigned int protocols;
        char *ciphers;
+       char *ciphersuites;
        char *ecdh_curves;
        long options;
        int renegotiate_bytes;
index c94ef626c0d0d9757ca06ab81ebae778c00d04a6..8c9e6d847445f6caf561b608296dce6dc55354e4 100644 (file)
@@ -1513,6 +1513,7 @@ void config_setdefaultsettings(aConfiguration *i)
        snprintf(tmp, sizeof(tmp), "%s/ssl/curl-ca-bundle.crt", CONFDIR);
        i->ssl_options->trusted_ca_file = strdup(tmp);
        i->ssl_options->ciphers = strdup(UNREALIRCD_DEFAULT_CIPHERS);
+       i->ssl_options->ciphersuites = strdup(UNREALIRCD_DEFAULT_CIPHERSUITES);
        i->ssl_options->protocols = SSL_PROTOCOL_ALL;
 #ifdef HAS_SSL_CTX_SET1_CURVES_LIST
        i->ssl_options->ecdh_curves = strdup(UNREALIRCD_DEFAULT_ECDH_CURVES);
@@ -7229,6 +7230,10 @@ void test_sslblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors)
                {
                        CheckNull(cepp);
                }
+               else if (!strcmp(cepp->ce_varname, "ciphersuites"))
+               {
+                       CheckNull(cepp);
+               }
                else if (!strcmp(cepp->ce_varname, "ecdh-curves"))
                {
                        CheckNull(cepp);
@@ -7399,6 +7404,7 @@ void free_ssl_options(SSLOptions *ssloptions)
        safefree(ssloptions->dh_file);
        safefree(ssloptions->trusted_ca_file);
        safefree(ssloptions->ciphers);
+       safefree(ssloptions->ciphersuites);
        memset(ssloptions, 0, sizeof(SSLOptions));
        MyFree(ssloptions);
 }
@@ -7417,6 +7423,7 @@ void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions)
                safestrdup(ssloptions->trusted_ca_file, tempiConf.ssl_options->trusted_ca_file);
                ssloptions->protocols = tempiConf.ssl_options->protocols;
                safestrdup(ssloptions->ciphers, tempiConf.ssl_options->ciphers);
+               safestrdup(ssloptions->ciphersuites, tempiConf.ssl_options->ciphersuites);
                safestrdup(ssloptions->ecdh_curves, tempiConf.ssl_options->ecdh_curves);
                ssloptions->options = tempiConf.ssl_options->options;
                ssloptions->renegotiate_bytes = tempiConf.ssl_options->renegotiate_bytes;
@@ -7432,8 +7439,12 @@ void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions)
                if (!strcmp(cepp->ce_varname, "ciphers") || !strcmp(cepp->ce_varname, "server-cipher-list"))
                {
                        safestrdup(ssloptions->ciphers, cepp->ce_vardata);
-               } else
-               if (!strcmp(cepp->ce_varname, "ecdh-curves"))
+               }
+               else if (!strcmp(cepp->ce_varname, "ciphersuites"))
+               {
+                       safestrdup(ssloptions->ciphersuites, cepp->ce_vardata);
+               }
+               else if (!strcmp(cepp->ce_varname, "ecdh-curves"))
                {
                        safestrdup(ssloptions->ecdh_curves, cepp->ce_vardata);
                }
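Review bot: The new `ciphersuites` branch in test_sslblock only does `CheckNull(cepp)`, so nothing at config-test time tells the administrator that this value uses a different syntax from `ciphers`: the defaults in config.h show `ciphers` as space-separated while `ciphersuites` is colon-separated, and a value written in the wrong form is presumably rejected only later, when the SSL_CTX is built. A short comment on the branch would make the contract visible, e.g. `/* Colon-separated OpenSSL TLS 1.3 suite names (TLS_AES_256_GCM_SHA384:...); the string itself is validated when the SSL_CTX is created. */`. Both test_sslblock and conf_sslblock start and end outside these hunks, so whether any stricter validation of the sibling `ciphers` key happens there cannot be seen from the diff.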
index b276c1788ca6ad95795152c6181f0d05ea0a59f6..15d596b71f70f158480795057ade974eb2ae300f 100644 (file)
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -361,6 +361,15 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
                goto fail;
        }
 
+#ifdef SSL_OP_NO_TLSv1_3
+       if (SSL_CTX_set_ciphersuites(ctx, ssloptions->ciphersuites) == 0)
+       {
+               config_warn("Failed to set SSL ciphersuites list");
+               config_report_ssl_error();
+               goto fail;
+       }
+#endif
+
        if (!cipher_check(ctx, &errstr))
        {
                config_warn("There is a problem with your SSL/TLS 'ciphers' configuration setting: %s", errstr);
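Review bot: The failure path added for `SSL_CTX_set_ciphersuites` reports only "Failed to set SSL ciphersuites list", whereas the `ciphers` path right after it includes a diagnostic string, so an operator who mistypes a TLS 1.3 suite name gets no hint which value was rejected. Echoing the configured string is cheap and safe as long as a missing value is handled, e.g. `config_warn("Failed to set SSL ciphersuites list '%s'", ssloptions->ciphersuites ? ssloptions->ciphersuites : "(none)");`. If `ssloptions->ciphersuites` can be NULL for a context that never went through the config defaults, that guard should also short-circuit before the `SSL_CTX_set_ciphersuites` call, since the hunk does not show what the library does with a NULL list. init_ctx starts before this hunk and continues after it.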