authorAlexander Barton <alex@barton.de>2024-01-06 19:53:33 +0100
committerAlexander Barton <alex@barton.de>2024-01-11 15:12:54 +0100
commit2448d047f9808833bb95964f7c6e713154f21064 (patch)
tree91991d696c1b03ed40d2e5231959f730d1903723
parent07219281ef2092a29050a3934937a2a0c8916e43 (diff)
Allow SSL client-only configurations without keys/certificates
You don't need to configure certificates/keys as long as you don't
configure SSL-enabled listening ports.

This can make sense when you only want to link your local daemon to an
uplink server using SSL and only have clients on your local host or in
your fully trusted network, where SSL is not required.
-rw-r--r--src/ngircd/conn-ssl.c37
-rw-r--r--src/ngircd/conn.c9
2 files changed, 27 insertions, 19 deletions
diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c
index 0c46c975..cb066dab 100644
--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@@ -421,12 +421,6 @@ ConnSSL_LoadServerKey_gnutls(void)
 		return false;
 	}
 
-	cert_file = Conf_SSLOptions.CertFile ? Conf_SSLOptions.CertFile:Conf_SSLOptions.KeyFile;
-	if (!cert_file) {
-		Log(LOG_ERR, "No SSL server key configured!");
-		return false;
-	}
-
 	if (array_bytes(&Conf_SSLOptions.KeyFilePassword))
 		Log(LOG_WARNING,
 		    "Ignoring SSL \"KeyFilePassword\": Not supported by GnuTLS.");
@@ -435,14 +429,21 @@ ConnSSL_LoadServerKey_gnutls(void)
 		return false;
 
 	gnutls_certificate_set_dh_params(x509_cred, dh_params);
-	err = gnutls_certificate_set_x509_key_file(x509_cred, cert_file, Conf_SSLOptions.KeyFile, GNUTLS_X509_FMT_PEM);
-	if (err < 0) {
-		Log(LOG_ERR,
-		    "Failed to set certificate key file (cert %s, key %s): %s",
-		    cert_file,
-		    Conf_SSLOptions.KeyFile ? Conf_SSLOptions.KeyFile : "(NULL)",
-		    gnutls_strerror(err));
-		return false;
+
+	cert_file = Conf_SSLOptions.CertFile ?
+			Conf_SSLOptions.CertFile : Conf_SSLOptions.KeyFile;
+	if (Conf_SSLOptions.KeyFile) {
+		err = gnutls_certificate_set_x509_key_file(x509_cred, cert_file,
+							   Conf_SSLOptions.KeyFile,
+							   GNUTLS_X509_FMT_PEM);
+		if (err < 0) {
+			Log(LOG_ERR,
+			    "Failed to set certificate key file (cert %s, key %s): %s",
+			    cert_file,
+			    Conf_SSLOptions.KeyFile ? Conf_SSLOptions.KeyFile : "(NULL)",
+			    gnutls_strerror(err));
+			return false;
+		}
 	}
 
 	/* Free currently active x509 context (if any) unless it is still in use */
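Review bot: Inside the new `if (Conf_SSLOptions.KeyFile)` block the error message argument `Conf_SSLOptions.KeyFile ? Conf_SSLOptions.KeyFile : "(NULL)"` can no longer take its `"(NULL)"` branch, so the ternary is dead and can be reduced to `Conf_SSLOptions.KeyFile`. More importantly, a configuration that sets `CertFile` but no `KeyFile` now passes through silently: `cert_file` is computed and then never used, where the removed check used to report "No SSL server key configured!", so an operator who mistyped only the key option gets no hint why their certificate is not in effect. An `else if (Conf_SSLOptions.CertFile) Log(LOG_WARNING, "Ignoring SSL \"CertFile\": No \"KeyFile\" configured!");` after the block would preserve that feedback; the same silent discard applies to the OpenSSL path in the `ConnSSL_LoadServerKey_openssl` hunk, where the new `return true;` also ignores a configured `CertFile`. The enclosing function `ConnSSL_LoadServerKey_gnutls` begins and ends outside this hunk.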
@@ -494,14 +495,12 @@ ConnSSL_LoadServerKey_openssl(SSL_CTX *ctx)
 	char *cert_key;
 
 	assert(ctx);
-	if (!Conf_SSLOptions.KeyFile) {
-		Log(LOG_ERR, "No SSL server key configured!");
-		return false;
-	}
-
 	SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
 	SSL_CTX_set_default_passwd_cb_userdata(ctx, &Conf_SSLOptions.KeyFilePassword);
 
+	if (!Conf_SSLOptions.KeyFile)
+		return true;
+
 	if (SSL_CTX_use_PrivateKey_file(ctx, Conf_SSLOptions.KeyFile, SSL_FILETYPE_PEM) != 1) {
 		array_free_wipe(&Conf_SSLOptions.KeyFilePassword);
 		LogOpenSSLError("Failed to add private key", Conf_SSLOptions.KeyFile);
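Review bot: The new `if (!Conf_SSLOptions.KeyFile) return true;` turns what was a hard failure into a success return with no explanation at the site, which a later reader is likely to mistake for a bug since the function is named `ConnSSL_LoadServerKey_openssl` and it now reports success without loading a key. A short comment would carry the intent of the commit into the code, e.g. `/* No server key configured: context is usable for outgoing (client) connections only; SSL listening ports are rejected in Conn_InitListeners(). */`. Note that the callback and userdata set just above remain installed on the client-only context; that looks harmless, but it is worth confirming nothing later assumes a key was loaded whenever this function returned true. The enclosing function begins and ends outside this hunk.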
diff --git a/src/ngircd/conn.c b/src/ngircd/conn.c
index 7097f1ac..fe8eecf4 100644
--- a/src/ngircd/conn.c
+++ b/src/ngircd/conn.c
@@ -479,6 +479,15 @@ Conn_InitListeners( void )
 
 	/* not using systemd socket activation, initialize listening sockets: */
 
+#ifdef SSL_SUPPORT
+	if (!Conf_SSLOptions.KeyFile &&
+	    array_length(&Conf_SSLOptions.ListenPorts, sizeof (UINT16))) {
+		Log(LOG_ERR,
+		    "Ignoring SSL-enabled listening ports: No key file set!");
+		array_free(&Conf_SSLOptions.ListenPorts);
+	}
+#endif
+
 	/* can't use Conf_ListenAddress directly, see below */
 	copy = strdup(Conf_ListenAddress);
 	if (!copy) {
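Review bot: The new `#ifdef SSL_SUPPORT` check is placed under the "not using systemd socket activation" comment, so if the socket-activation path leaves `Conn_InitListeners` before this point (not visible in the hunk), sockets handed over by systemd and marked as SSL ports would presumably not be subject to the key-file check and would be served without a usable server key; please confirm how that path behaves. The check also lives in the listener setup rather than in configuration validation, so a configuration-check run that does not reach `Conn_InitListeners` would not report the problem; if such a check exists, mirroring the condition there would surface it earlier. Finally, the daemon keeps running with only its plaintext listeners after logging at `LOG_ERR`, which is a deliberate degrade rather than a fail-closed start; if that is intended, the message could say so, e.g. `"Ignoring SSL-enabled listening ports: No key file set! Continuing without them."`. The enclosing function begins before this hunk and continues past it.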