deepend/zoitechat
1
0
Fork 0
mirror of https://github.com/ZoiteChat/zoitechat.git synced 2026-06-11 01:10:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

Harden TLS defaults, cert checks, and hostname failures

Browse Source
This commit is contained in:
deepend-tildeclub
2026-06-10 16:13:59 -06:00
parent 62672ade04
commit 2e4a0b92fc
2 changed files with 26 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
src/common/server.c
View File

@@ -522,7 +522,7 @@ ssl_cb_verify (int ok, X509_STORE_CTX * ctx)
X509 *current_cert = X509_STORE_CTX_get_current_cert (ctx);
if (!current_cert)
return TRUE;
return ok;
X509_NAME_oneline (X509_get_subject_name (current_cert),
subject, sizeof (subject));
@@ -534,13 +534,21 @@ ssl_cb_verify (int ok, X509_STORE_CTX * ctx)
g_snprintf (buf, sizeof (buf), "* Issuer: %s", issuer);
EMIT_SIGNAL (XP_TE_SSLMESSAGE, g_sess, buf, NULL, NULL, NULL, 0);
return TRUE;
if (!ok)
{
int err = X509_STORE_CTX_get_error (ctx);
g_snprintf (buf, sizeof (buf), "* Verify E: %s (%d)",
X509_verify_cert_error_string (err), err);
EMIT_SIGNAL (XP_TE_SSLMESSAGE, g_sess, buf, NULL, NULL, NULL, 0);
}
return ok;
}
static int
ssl_do_connect (server * serv)
{
char buf[256]; // ERR_error_string() MUST have this size
char buf[256];
g_sess = serv->server_session;
@@ -559,9 +567,10 @@ ssl_do_connect (server * serv)
if (SSL_connect (serv->ssl) <= 0)
{
char err_buf[128];
int err;
int err, ssl_err;
g_sess = NULL;
ssl_err = SSL_get_error (serv->ssl, -1);
if ((err = ERR_get_error ()) > 0)
{
ERR_error_string (err, err_buf);
@@ -571,6 +580,8 @@ ssl_do_connect (server * serv)
if (ERR_GET_REASON (err) == SSL_R_WRONG_VERSION_NUMBER)
PrintText (serv->server_session, _("Are you sure this is a SSL capable server and port?\n"));
else if (ssl_err == SSL_ERROR_SSL)
EMIT_SIGNAL (XP_TE_SSLMESSAGE, serv->server_session, "* TLS handshake rejected by protocol/certificate/cipher policy", NULL, NULL, NULL, 0);
server_cleanup (serv);
@@ -649,29 +660,13 @@ ssl_do_connect (server * serv)
int hostname_err;
if ((hostname_err = _SSL_check_hostname(cert, serv->hostname)) != 0)
{
g_snprintf (buf, sizeof (buf), "* Verify E: Failed to validate hostname? (%d)%s",
hostname_err, serv->accept_invalid_cert ? " -- Ignored" : "");
if (serv->accept_invalid_cert)
EMIT_SIGNAL (XP_TE_SSLMESSAGE, serv->server_session, buf, NULL, NULL, NULL, 0);
else
goto conn_fail;
g_snprintf (buf, sizeof (buf), "* Verify E: Failed to validate hostname (%d)",
hostname_err);
EMIT_SIGNAL (XP_TE_SSLMESSAGE, serv->server_session, buf, NULL, NULL, NULL, 0);
goto conn_fail;
}
break;
}
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
case X509_V_ERR_CERT_HAS_EXPIRED:
if (serv->accept_invalid_cert)
{
g_snprintf (buf, sizeof (buf), "* Verify E: %s.? (%d) -- Ignored",
X509_verify_cert_error_string (verify_error),
verify_error);
EMIT_SIGNAL (XP_TE_SSLMESSAGE, serv->server_session, buf, NULL, NULL,
NULL, 0);
break;
}
default:
g_snprintf (buf, sizeof (buf), "%s.? (%d)",
X509_verify_cert_error_string (verify_error),

12
src/common/ssl.c
View File

@@ -86,15 +86,17 @@ _SSL_context_init (void (*info_cb_func))
SSLeay_add_ssl_algorithms ();
SSL_load_error_strings ();
ctx = SSL_CTX_new (SSLv23_client_method ());
ctx = SSL_CTX_new (TLS_client_method ());
SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_BOTH);
SSL_CTX_set_timeout (ctx, 300);
SSL_CTX_set_options (ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
|SSL_OP_NO_COMPRESSION
SSL_CTX_set_options (ctx, SSL_OP_NO_COMPRESSION
|SSL_OP_SINGLE_DH_USE|SSL_OP_SINGLE_ECDH_USE
|SSL_OP_NO_TICKET
|SSL_OP_CIPHER_SERVER_PREFERENCE);
|SSL_OP_NO_RENEGOTIATION);
SSL_CTX_set_min_proto_version (ctx, TLS1_2_VERSION);
SSL_CTX_set_cipher_list (ctx, "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!DSS");
SSL_CTX_set_ciphersuites (ctx, "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256");
#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined (OPENSSL_NO_COMP) /* workaround for OpenSSL 0.9.8 */
sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
@@ -311,7 +313,7 @@ _SSL_socket (SSL_CTX *ctx, int sd)
#else
method = SSL_CTX_get_ssl_method (ctx);
#endif
if (method == SSLv23_client_method())
if (method == TLS_client_method())
SSL_set_connect_state (ssl);
else
SSL_set_accept_state(ssl);