deepend/zoitechat
1
0
Fork 0
mirror of https://github.com/ZoiteChat/zoitechat.git synced 2026-06-11 09:20:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

Harden TLS defaults, cert checks, and hostname failures

Browse Source
This commit is contained in:
deepend-tildeclub
2026-06-10 16:13:59 -06:00
parent 62672ade04
commit 2e4a0b92fc
2 changed files with 26 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
src/common/server.c
View File

@@ -522,7 +522,7 @@ ssl_cb_verify (int ok, X509_STORE_CTX * ctx)
X509 *current_cert = X509_STORE_CTX_get_current_cert (ctx); X509 *current_cert = X509_STORE_CTX_get_current_cert (ctx);
if (!current_cert) if (!current_cert)
return TRUE; return ok;
X509_NAME_oneline (X509_get_subject_name (current_cert), X509_NAME_oneline (X509_get_subject_name (current_cert),
subject, sizeof (subject)); subject, sizeof (subject));
@@ -534,13 +534,21 @@ ssl_cb_verify (int ok, X509_STORE_CTX * ctx)
g_snprintf (buf, sizeof (buf), "* Issuer: %s", issuer); g_snprintf (buf, sizeof (buf), "* Issuer: %s", issuer);
EMIT_SIGNAL (XP_TE_SSLMESSAGE, g_sess, buf, NULL, NULL, NULL, 0); EMIT_SIGNAL (XP_TE_SSLMESSAGE, g_sess, buf, NULL, NULL, NULL, 0);
return TRUE; if (!ok)
{
int err = X509_STORE_CTX_get_error (ctx);
g_snprintf (buf, sizeof (buf), "* Verify E: %s (%d)",
X509_verify_cert_error_string (err), err);
EMIT_SIGNAL (XP_TE_SSLMESSAGE, g_sess, buf, NULL, NULL, NULL, 0);
}
return ok;
} }
static int static int
ssl_do_connect (server * serv) ssl_do_connect (server * serv)
{ {
char buf[256]; // ERR_error_string() MUST have this size char buf[256];
g_sess = serv->server_session; g_sess = serv->server_session;
@@ -559,9 +567,10 @@ ssl_do_connect (server * serv)
if (SSL_connect (serv->ssl) <= 0) if (SSL_connect (serv->ssl) <= 0)
{ {
char err_buf[128]; char err_buf[128];
int err; int err, ssl_err;
g_sess = NULL; g_sess = NULL;
ssl_err = SSL_get_error (serv->ssl, -1);
if ((err = ERR_get_error ()) > 0) if ((err = ERR_get_error ()) > 0)
{ {
ERR_error_string (err, err_buf); ERR_error_string (err, err_buf);
@@ -571,6 +580,8 @@ ssl_do_connect (server * serv)
if (ERR_GET_REASON (err) == SSL_R_WRONG_VERSION_NUMBER) if (ERR_GET_REASON (err) == SSL_R_WRONG_VERSION_NUMBER)
PrintText (serv->server_session, _("Are you sure this is a SSL capable server and port?\n")); PrintText (serv->server_session, _("Are you sure this is a SSL capable server and port?\n"));
else if (ssl_err == SSL_ERROR_SSL)
EMIT_SIGNAL (XP_TE_SSLMESSAGE, serv->server_session, "* TLS handshake rejected by protocol/certificate/cipher policy", NULL, NULL, NULL, 0);
server_cleanup (serv); server_cleanup (serv);
@@ -649,29 +660,13 @@ ssl_do_connect (server * serv)
int hostname_err; int hostname_err;
if ((hostname_err = _SSL_check_hostname(cert, serv->hostname)) != 0) if ((hostname_err = _SSL_check_hostname(cert, serv->hostname)) != 0)
{ {
g_snprintf (buf, sizeof (buf), "* Verify E: Failed to validate hostname? (%d)%s", g_snprintf (buf, sizeof (buf), "* Verify E: Failed to validate hostname (%d)",
hostname_err, serv->accept_invalid_cert ? " -- Ignored" : ""); hostname_err);
if (serv->accept_invalid_cert)
EMIT_SIGNAL (XP_TE_SSLMESSAGE, serv->server_session, buf, NULL, NULL, NULL, 0); EMIT_SIGNAL (XP_TE_SSLMESSAGE, serv->server_session, buf, NULL, NULL, NULL, 0);
else
goto conn_fail; goto conn_fail;
} }
break; break;
} }
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
case X509_V_ERR_CERT_HAS_EXPIRED:
if (serv->accept_invalid_cert)
{
g_snprintf (buf, sizeof (buf), "* Verify E: %s.? (%d) -- Ignored",
X509_verify_cert_error_string (verify_error),
verify_error);
EMIT_SIGNAL (XP_TE_SSLMESSAGE, serv->server_session, buf, NULL, NULL,
NULL, 0);
break;
}
default: default:
g_snprintf (buf, sizeof (buf), "%s.? (%d)", g_snprintf (buf, sizeof (buf), "%s.? (%d)",
X509_verify_cert_error_string (verify_error), X509_verify_cert_error_string (verify_error),

12
src/common/ssl.c
View File

@@ -86,15 +86,17 @@ _SSL_context_init (void (*info_cb_func))
SSLeay_add_ssl_algorithms (); SSLeay_add_ssl_algorithms ();
SSL_load_error_strings (); SSL_load_error_strings ();
ctx = SSL_CTX_new (SSLv23_client_method ()); ctx = SSL_CTX_new (TLS_client_method ());
SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_BOTH); SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_BOTH);
SSL_CTX_set_timeout (ctx, 300); SSL_CTX_set_timeout (ctx, 300);
SSL_CTX_set_options (ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 SSL_CTX_set_options (ctx, SSL_OP_NO_COMPRESSION
|SSL_OP_NO_COMPRESSION
|SSL_OP_SINGLE_DH_USE|SSL_OP_SINGLE_ECDH_USE |SSL_OP_SINGLE_DH_USE|SSL_OP_SINGLE_ECDH_USE
|SSL_OP_NO_TICKET |SSL_OP_NO_TICKET
|SSL_OP_CIPHER_SERVER_PREFERENCE); |SSL_OP_NO_RENEGOTIATION);
SSL_CTX_set_min_proto_version (ctx, TLS1_2_VERSION);
SSL_CTX_set_cipher_list (ctx, "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!DSS");
SSL_CTX_set_ciphersuites (ctx, "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256");
#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined (OPENSSL_NO_COMP) /* workaround for OpenSSL 0.9.8 */ #if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined (OPENSSL_NO_COMP) /* workaround for OpenSSL 0.9.8 */
sk_SSL_COMP_zero(SSL_COMP_get_compression_methods()); sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
@@ -311,7 +313,7 @@ _SSL_socket (SSL_CTX *ctx, int sd)
#else #else
method = SSL_CTX_get_ssl_method (ctx); method = SSL_CTX_get_ssl_method (ctx);
#endif #endif
if (method == SSLv23_client_method()) if (method == TLS_client_method())
SSL_set_connect_state (ssl); SSL_set_connect_state (ssl);
else else
SSL_set_accept_state(ssl); SSL_set_accept_state(ssl);