Diffstat (limited to 'src')
-rw-r--r--src/ngircd/conn-ssl.c37
-rw-r--r--src/ngircd/conn.c9
2 files changed, 27 insertions, 19 deletions
diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c
index 0c46c975..cb066dab 100644
--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@@ -421,12 +421,6 @@ ConnSSL_LoadServerKey_gnutls(void)
 		return false;
 	}
 
-	cert_file = Conf_SSLOptions.CertFile ? Conf_SSLOptions.CertFile:Conf_SSLOptions.KeyFile;
-	if (!cert_file) {
-		Log(LOG_ERR, "No SSL server key configured!");
-		return false;
-	}
-
 	if (array_bytes(&Conf_SSLOptions.KeyFilePassword))
 		Log(LOG_WARNING,
 		    "Ignoring SSL \"KeyFilePassword\": Not supported by GnuTLS.");
@@ -435,14 +429,21 @@ ConnSSL_LoadServerKey_gnutls(void)
 		return false;
 
 	gnutls_certificate_set_dh_params(x509_cred, dh_params);
-	err = gnutls_certificate_set_x509_key_file(x509_cred, cert_file, Conf_SSLOptions.KeyFile, GNUTLS_X509_FMT_PEM);
-	if (err < 0) {
-		Log(LOG_ERR,
-		    "Failed to set certificate key file (cert %s, key %s): %s",
-		    cert_file,
-		    Conf_SSLOptions.KeyFile ? Conf_SSLOptions.KeyFile : "(NULL)",
-		    gnutls_strerror(err));
-		return false;
+
+	cert_file = Conf_SSLOptions.CertFile ?
+			Conf_SSLOptions.CertFile : Conf_SSLOptions.KeyFile;
+	if (Conf_SSLOptions.KeyFile) {
+		err = gnutls_certificate_set_x509_key_file(x509_cred, cert_file,
+							   Conf_SSLOptions.KeyFile,
+							   GNUTLS_X509_FMT_PEM);
+		if (err < 0) {
+			Log(LOG_ERR,
+			    "Failed to set certificate key file (cert %s, key %s): %s",
+			    cert_file,
+			    Conf_SSLOptions.KeyFile ? Conf_SSLOptions.KeyFile : "(NULL)",
+			    gnutls_strerror(err));
+			return false;
+		}
 	}
 
 	/* Free currently active x509 context (if any) unless it is still in use */
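Review bot: When `KeyFile` is unset, the new `if (Conf_SSLOptions.KeyFile)` block is skipped without any log, so a configured `CertFile` is dropped silently and the credentials are installed with no certificate at all. An `else if (Conf_SSLOptions.CertFile)` branch with `Log(LOG_WARNING, "Ignoring SSL \"CertFile\": No key file set!");` would make the misconfiguration visible to the operator. Inside the block, the ternary `Conf_SSLOptions.KeyFile ? Conf_SSLOptions.KeyFile : "(NULL)"` can no longer take its second arm and could be reduced to `Conf_SSLOptions.KeyFile`. The body of ConnSSL_LoadServerKey_gnutls starts and ends outside this hunk.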
@@ -494,14 +495,12 @@ ConnSSL_LoadServerKey_openssl(SSL_CTX *ctx)
 	char *cert_key;
 
 	assert(ctx);
-	if (!Conf_SSLOptions.KeyFile) {
-		Log(LOG_ERR, "No SSL server key configured!");
-		return false;
-	}
-
 	SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
 	SSL_CTX_set_default_passwd_cb_userdata(ctx, &Conf_SSLOptions.KeyFilePassword);
 
+	if (!Conf_SSLOptions.KeyFile)
+		return true;
+
 	if (SSL_CTX_use_PrivateKey_file(ctx, Conf_SSLOptions.KeyFile, SSL_FILETYPE_PEM) != 1) {
 		array_free_wipe(&Conf_SSLOptions.KeyFilePassword);
 		LogOpenSSLError("Failed to add private key", Conf_SSLOptions.KeyFile);
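Review bot: The new early `return true;` under `if (!Conf_SSLOptions.KeyFile)` leaves `Conf_SSLOptions.KeyFilePassword` in memory, whereas the failure path directly below wipes it with `array_free_wipe()`. If a password is configured without a key file it is never used, so calling `array_free_wipe(&Conf_SSLOptions.KeyFilePassword);` before the `return true;` would keep the secret's lifetime consistent. A short comment such as `/* no key file: nothing to load, SSL listeners are disabled by the caller */` would also record that `true` here does not mean a server key was loaded. The function continues past the hunk, so whether the success path wipes the password cannot be seen from here.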
diff --git a/src/ngircd/conn.c b/src/ngircd/conn.c
index 7097f1ac..fe8eecf4 100644
--- a/src/ngircd/conn.c
+++ b/src/ngircd/conn.c
@@ -479,6 +479,15 @@ Conn_InitListeners( void )
 
 	/* not using systemd socket activation, initialize listening sockets: */
 
+#ifdef SSL_SUPPORT
+	if (!Conf_SSLOptions.KeyFile &&
+	    array_length(&Conf_SSLOptions.ListenPorts, sizeof (UINT16))) {
+		Log(LOG_ERR,
+		    "Ignoring SSL-enabled listening ports: No key file set!");
+		array_free(&Conf_SSLOptions.ListenPorts);
+	}
+#endif
+
 	/* can't use Conf_ListenAddress directly, see below */
 	copy = strdup(Conf_ListenAddress);
 	if (!copy) {
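Review bot: The added `#ifdef SSL_SUPPORT` guard tests only that `Conf_SSLOptions.KeyFile` is set, not that the key was loaded, and it sits after the "not using systemd socket activation" comment, so it presumably does not run on the socket-activation path. The daemon then carries on with its plaintext listeners only, which is a fail-open result for an operator who expected TLS ports. That deserves a comment at the check, for example `/* No key file: TLS listeners cannot be served, drop the SSL ports; plaintext ports stay active. */`. It would also be worth confirming that a key file which is set but fails to load is rejected elsewhere, before these ports are opened. Conn_InitListeners starts and ends outside the hunk.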