authorFederico G. Schwindt <fgsch@lodoss.net>2013-09-17 16:16:51 +0100
committerFederico G. Schwindt <fgsch@lodoss.net>2013-09-17 17:15:24 +0100
commit0985d69cc6c1daa7cdc8f15f93772b12ab3e8271 (patch)
treeb7089b14f938865b9f5ea4841df38b58e3394d97 /src
parentd0977258ee14a5178e98c9a00c064d90f0eac9d6 (diff)
Change cipher defaults
Switch cipher defaults to HIGH:!aNULL:@STRENGTH (OpenSSL) or
SECURE128 (GnuTLS).
Diffstat (limited to 'src')
-rw-r--r--src/ngircd/conf.c14
-rw-r--r--src/ngircd/conn-ssl.c40
2 files changed, 22 insertions, 32 deletions
diff --git a/src/ngircd/conf.c b/src/ngircd/conf.c
index 9ab66e54..9c2c912f 100644
--- a/src/ngircd/conf.c
+++ b/src/ngircd/conf.c
@@ -93,6 +93,12 @@ static void Init_Server_Struct PARAMS(( CONF_SERVER *Server ));
 #define DEFAULT_LISTEN_ADDRSTR "0.0.0.0"
 #endif
 
+#ifdef HAVE_LIBSSL
+#define DEFAULT_CIPHERS		"HIGH:!aNULL:@STRENGTH"
+#endif
+#ifdef HAVE_LIBGNUTLS
+#define DEFAULT_CIPHERS		"SECURE128"
+#endif
 
 #ifdef SSL_SUPPORT
 
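Review bot: The two `#ifdef` blocks that define DEFAULT_CIPHERS are independent, so a build in which both HAVE_LIBSSL and HAVE_LIBGNUTLS are defined redefines the macro with a different value (a diagnostic on most compilers, and the GnuTLS string silently wins), while an SSL_SUPPORT build with neither leaves DEFAULT_CIPHERS undefined and the new uses in Conf_Test and Read_Config fail to compile. I cannot see from the hunk whether configure ever sets both, but making the choice explicit is cheap: replace `#endif` / `#ifdef HAVE_LIBGNUTLS` with `#elif defined(HAVE_LIBGNUTLS)`, and optionally add an `#else` / `#error "SSL_SUPPORT without a TLS library"` arm. A one-line comment stating why these strings were chosen, e.g. `/* Exclude unauthenticated (aNULL) and weak suites by default; order by strength */`, would help the next person who is asked to loosen them.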
@@ -435,8 +441,8 @@ Conf_Test( void )
 	puts("[SSL]");
 	printf("  CertFile = %s\n", Conf_SSLOptions.CertFile
 					? Conf_SSLOptions.CertFile : "");
-	printf("  CipherList = %s\n", Conf_SSLOptions.CipherList
-					? Conf_SSLOptions.CipherList : "");
+	printf("  CipherList = %s\n", Conf_SSLOptions.CipherList ?
+	       Conf_SSLOptions.CipherList : DEFAULT_CIPHERS);
 	printf("  DHFile = %s\n", Conf_SSLOptions.DHFile
 					? Conf_SSLOptions.DHFile : "");
 	printf("  KeyFile = %s\n", Conf_SSLOptions.KeyFile
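Review bot: The new fallback to DEFAULT_CIPHERS in this printf is reachable only when Conf_SSLOptions.CipherList is still NULL, which after this commit's Read_Config change means strdup_warn failed; in that case the test output claims the default cipher list is in effect while ConnSSL_InitLibrary will actually receive NULL. It would be more honest to print what the TLS layer will see, i.e. keep `? Conf_SSLOptions.CipherList : ""` here, or at least note the assumption with `/* CipherList is normally filled in by Read_Config; the fallback only covers allocation failure */`. This is inferred from the Read_Config hunk in the same file; I cannot see whether Conf_Test runs before or after that assignment.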
@@ -1032,6 +1038,10 @@ Read_Config(bool TestOnly, bool IsStarting)
 	CheckFileReadable("CertFile", Conf_SSLOptions.CertFile);
 	CheckFileReadable("DHFile", Conf_SSLOptions.DHFile);
 	CheckFileReadable("KeyFile", Conf_SSLOptions.KeyFile);
+
+	/* Set the default ciphers if none were configured */
+	if (!Conf_SSLOptions.CipherList)
+		Conf_SSLOptions.CipherList = strdup_warn(DEFAULT_CIPHERS);
 #endif
 
 	return true;
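Review bot: The default is applied only when CipherList is NULL, but an explicitly configured empty `CipherList =` line (which the removed guards in conn-ssl.c used to treat as "use the library default") now reaches SSL_CTX_set_cipher_list / gnutls_priority_init as "", which both reject, so a config that worked before this commit makes TLS initialization fail. Treating an empty string like an unset one keeps that behaviour: `if (!Conf_SSLOptions.CipherList || !*Conf_SSLOptions.CipherList)` before the strdup_warn call, releasing the old empty string first if the parser heap-allocates it (not visible here). Note also that strdup_warn, judging by its name, warns rather than aborts on allocation failure, so CipherList can still be NULL after this block; the callers in conn-ssl.c no longer check for that. Read_Config's body continues outside the hunk.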
diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c
index b16c6b94..a24a62da 100644
--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@@ -306,17 +306,10 @@ ConnSSL_InitLibrary( void )
 	if (!ConnSSL_LoadServerKey_openssl(newctx))
 		goto out;
 
-	if(Conf_SSLOptions.CipherList && *Conf_SSLOptions.CipherList) {
-		if(SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0 ) {
-			Log(LOG_ERR,
-			    "Failed to apply OpenSSL cipher list \"%s\"!",
-			    Conf_SSLOptions.CipherList);
-			goto out;
-		} else {
-			Log(LOG_INFO,
-			    "Successfully applied OpenSSL cipher list \"%s\".",
-			    Conf_SSLOptions.CipherList);
-		}
+	if (SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0) {
+		Log(LOG_ERR, "Failed to apply OpenSSL cipher list \"%s\"!",
+		    Conf_SSLOptions.CipherList);
+		goto out;
 	}
 
 	SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2);
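Review bot: The removed `Conf_SSLOptions.CipherList && *Conf_SSLOptions.CipherList` guard was the only NULL check on this path; with the default now filled in by strdup_warn in Read_Config, a failed allocation leaves CipherList NULL, which is handed to SSL_CTX_set_cipher_list and then to the `"%s"` in the error Log, where a NULL argument is undefined behaviour. A cheap guard keeps the failure diagnosable: `if (!Conf_SSLOptions.CipherList) { Log(LOG_ERR, "No cipher list available!"); goto out; }` ahead of the set call. Dropping the LOG_INFO "Successfully applied OpenSSL cipher list" message also removes the only log line that tells an operator which cipher list is actually active, which matters more now that the default is applied implicitly rather than from the config file; I would keep one LOG_INFO with the effective string. The same two points apply to the GnuTLS hunk below (lines ending at `gnutls_check_version`). ConnSSL_InitLibrary continues outside this hunk.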
@@ -352,25 +345,12 @@ out:
 	if (!ConnSSL_LoadServerKey_gnutls())
 		goto out;
 
-	if(Conf_SSLOptions.CipherList && *Conf_SSLOptions.CipherList) {
-		err = gnutls_priority_init(&priorities_cache,
-					   Conf_SSLOptions.CipherList, NULL);
-		if (err != GNUTLS_E_SUCCESS) {
-			Log(LOG_ERR,
-			    "Failed to apply GnuTLS cipher list \"%s\"!",
-			    Conf_SSLOptions.CipherList);
-			goto out;
-		}
-		Log(LOG_INFO,
-		    "Successfully applied GnuTLS cipher list \"%s\".",
+	if (gnutls_priority_init(&priorities_cache, Conf_SSLOptions.CipherList,
+				 NULL) != GNUTLS_E_SUCCESS) {
+		Log(LOG_ERR,
+		    "Failed to apply GnuTLS cipher list \"%s\"!",
 		    Conf_SSLOptions.CipherList);
-	} else {
-		err = gnutls_priority_init(&priorities_cache, "NORMAL", NULL);
-		if (err != GNUTLS_E_SUCCESS) {
-			Log(LOG_ERR,
-			    "Failed to apply GnuTLS cipher list \"NORMAL\"!");
-			goto out;
-		}
+		goto out;
 	}
 
 	Log(LOG_INFO, "GnuTLS %s initialized.", gnutls_check_version(NULL));
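Review bot: The new error path discards the gnutls_priority_init return code, so a rejected priority string is logged without the library's reason, whereas ConnSSL_Init_SSL in the last hunk of this file reports `gnutls_strerror(ret)` for the equivalent failure; the `err` local that the removed lines used may now be unused as well (its declaration and other uses are outside the hunk, so this is inferred). Capturing the code and logging it keeps the two sites consistent and makes a bad default string easy to diagnose. The NULL-CipherList and lost LOG_INFO points raised on the OpenSSL hunk apply here too.
```c
	err = gnutls_priority_init(&priorities_cache, Conf_SSLOptions.CipherList,
				   NULL);
	if (err != GNUTLS_E_SUCCESS) {
		Log(LOG_ERR, "Failed to apply GnuTLS cipher list \"%s\": %s",
		    Conf_SSLOptions.CipherList, gnutls_strerror(err));
		goto out;
	}
	/* … unchanged: "GnuTLS %s initialized." log … */
```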
@@ -505,7 +485,7 @@ ConnSSL_Init_SSL(CONNECTION *c)
 #ifdef HAVE_LIBGNUTLS
 	Conn_OPTION_ADD(c, CONN_SSL);
 	ret = gnutls_priority_set(c->ssl_state.gnutls_session, priorities_cache);
-	if (ret != 0) {
+	if (ret != GNUTLS_E_SUCCESS) {
 		Log(LOG_ERR, "Failed to set GnuTLS session priorities: %s",
 		    gnutls_strerror(ret));
 		ConnSSL_Free(c);