bool
ConnSSL_InitLibrary( void )
{
#ifdef HAVE_LIBSSL
SSL_CTX *newctx;
if (!ssl_ctx) {
SSL_library_init();
SSL_load_error_strings();
}
if (!RAND_status()) {
Log(LOG_ERR, "OpenSSL PRNG not seeded: /dev/urandom missing?");
/*
* it is probably best to fail and let the user install EGD or a similar program if no kernel random device is available.
* According to OpenSSL RAND_egd(3): "The automatic query of /var/run/egd-pool et al was added in OpenSSL 0.9.7";
* so it makes little sense to deal with PRNGD seeding ourselves.
*/
return false;
}
newctx = SSL_CTX_new(SSLv23_method());
if (!newctx) {
LogOpenSSLError("SSL_CTX_new()", NULL);
return false;
}
if (!ConnSSL_LoadServerKey_openssl(newctx))
goto out;
SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2);
SSL_CTX_set_mode(newctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_free(ssl_ctx);
ssl_ctx = newctx;
Log(LOG_INFO, "%s initialized.", SSLeay_version(SSLEAY_VERSION));
return true;
out:
SSL_CTX_free(newctx);
return false;
#endif
#ifdef HAVE_LIBGNUTLS
int err;
static bool initialized;
if (initialized) /* TODO: cannot reload gnutls keys: can't simply free x509 context -- it may still be in use */
return false;
err = gnutls_global_init();
if (err) {
Log(LOG_ERR, "gnutls_global_init(): %s", gnutls_strerror(err));
return false;
}
if (!ConnSSL_LoadServerKey_gnutls())
return false;
Log(LOG_INFO, "gnutls %s initialized.", gnutls_check_version(NULL));
initialized = true;
return true;
#endif
}
bool
ConnSSL_InitLibrary( void )
{
if (!Conf_SSLInUse()) {
LogDebug("SSL not in use, skipping initialization.");
return true;
}
#ifdef HAVE_LIBSSL
SSL_CTX *newctx;
if (!ssl_ctx) {
SSL_library_init();
SSL_load_error_strings();
}
if (!RAND_status()) {
Log(LOG_ERR, "OpenSSL PRNG not seeded: /dev/urandom missing?");
/*
* it is probably best to fail and let the user install EGD or
* a similar program if no kernel random device is available.
* According to OpenSSL RAND_egd(3): "The automatic query of
* /var/run/egd-pool et al was added in OpenSSL 0.9.7";
* so it makes little sense to deal with PRNGD seeding ourselves.
*/
array_free(&Conf_SSLOptions.ListenPorts);
return false;
}
newctx = SSL_CTX_new(SSLv23_method());
if (!newctx) {
LogOpenSSLError("Failed to create SSL context", NULL);
array_free(&Conf_SSLOptions.ListenPorts);
return false;
}
if (!ConnSSL_LoadServerKey_openssl(newctx))
goto out;
if (SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0) {
Log(LOG_ERR, "Failed to apply OpenSSL cipher list \"%s\"!",
Conf_SSLOptions.CipherList);
goto out;
}
SSL_CTX_set_session_id_context(newctx, (unsigned char *)"ngircd", 6);
SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2);
SSL_CTX_set_mode(newctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_set_verify(newctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
Verify_openssl);
SSL_CTX_free(ssl_ctx);
ssl_ctx = newctx;
Log(LOG_INFO, "%s initialized.", SSLeay_version(SSLEAY_VERSION));
return true;
out:
SSL_CTX_free(newctx);
array_free(&Conf_SSLOptions.ListenPorts);
return false;
#endif
#ifdef HAVE_LIBGNUTLS
int err;
static bool initialized;
if (initialized) {
/* TODO: cannot reload gnutls keys: can't simply free x509
* context -- it may still be in use */
return false;
}
err = gnutls_global_init();
if (err) {
Log(LOG_ERR, "Failed to initialize GnuTLS: %s",
gnutls_strerror(err));
goto out;
}
if (!ConnSSL_LoadServerKey_gnutls())
goto out;
if (gnutls_priority_init(&priorities_cache, Conf_SSLOptions.CipherList,
NULL) != GNUTLS_E_SUCCESS) {
Log(LOG_ERR,
"Failed to apply GnuTLS cipher list \"%s\"!",
Conf_SSLOptions.CipherList);
goto out;
}
Log(LOG_INFO, "GnuTLS %s initialized.", gnutls_check_version(NULL));
initialized = true;
return true;
out:
array_free(&Conf_SSLOptions.ListenPorts);
return false;
#endif
}
