/**
 * Set up the SSL/TLS library and create the server context.
 *
 * OpenSSL build: the library is initialized once (while ssl_ctx is
 * still NULL), the PRNG state is checked, and a fresh SSL_CTX is
 * created, loaded with the server key and installed as ssl_ctx; the
 * previously installed context, if any, is freed.
 * GnuTLS build: gnutls_global_init() is run once and the server key
 * loaded; a second call fails because keys cannot be reloaded.
 *
 * @return true when the library is ready, false on any failure.
 */
bool
ConnSSL_InitLibrary(void)
{
#ifdef HAVE_LIBSSL
	SSL_CTX *ctx;

	/* First call: ssl_ctx is still NULL, so do the one-time library setup. */
	if (ssl_ctx == NULL) {
		SSL_library_init();
		SSL_load_error_strings();
	}

	/* Refuse to run on an unseeded PRNG instead of seeding it ourselves. */
	if (RAND_status() == 0) {
		Log(LOG_ERR, "OpenSSL PRNG not seeded: /dev/urandom missing?");
		/*
		 * it is probably best to fail and let the user install EGD or
		 * a similar program if no kernel random device is available.
		 * According to OpenSSL RAND_egd(3): "The automatic query of
		 * /var/run/egd-pool et al was added in OpenSSL 0.9.7";
		 * so it makes little sense to deal with PRNGD seeding ourselves.
		 */
		return false;
	}

	ctx = SSL_CTX_new(SSLv23_method());
	if (ctx == NULL) {
		LogOpenSSLError("SSL_CTX_new()", NULL);
		return false;
	}

	if (ConnSSL_LoadServerKey_openssl(ctx)) {
		/* NOTE(review): only SSLv2 is switched off here; SSLv3 stays
		 * negotiable through SSLv23_method(). */
		SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2);
		SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
		/* Replace the active context; on the first call ssl_ctx is NULL. */
		SSL_CTX_free(ssl_ctx);
		ssl_ctx = ctx;
		Log(LOG_INFO, "%s initialized.", SSLeay_version(SSLEAY_VERSION));
		return true;
	}

	/* Key/certificate could not be loaded: drop the half-built context. */
	SSL_CTX_free(ctx);
	return false;
#endif
#ifdef HAVE_LIBGNUTLS
	static bool initialized;
	int rc;

	if (initialized) {
		/* TODO: cannot reload gnutls keys: can't simply free x509
		 * context -- it may still be in use */
		return false;
	}

	rc = gnutls_global_init();
	if (rc != 0) {
		Log(LOG_ERR, "gnutls_global_init(): %s", gnutls_strerror(rc));
		return false;
	}

	if (!ConnSSL_LoadServerKey_gnutls())
		return false;

	Log(LOG_INFO, "gnutls %s initialized.", gnutls_check_version(NULL));
	initialized = true;
	return true;
#endif
}
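/**
 * Initialize the SSL/TLS library and build the server context.
 *
 * Reports success without doing anything when Conf_SSLInUse() says no
 * SSL functionality is configured.
 *
 * On every failure the configured SSL listen ports are released with
 * array_free(&Conf_SSLOptions.ListenPorts) — presumably so the server
 * does not try to bind ports it cannot serve. All OpenSSL failure paths
 * therefore funnel through the single "out" label instead of repeating
 * that cleanup at each exit.
 *
 * OpenSSL build: one-time library setup (while ssl_ctx is still NULL),
 * PRNG check, new SSL_CTX with server key, cipher list, session-id
 * context, options, partial-write mode and peer verification; the new
 * context replaces ssl_ctx and the old one is freed.
 * GnuTLS build: gnutls_global_init(), server key and priority string;
 * a second call fails because keys cannot be reloaded (see TODO).
 *
 * @return true on success or when SSL is not in use, false otherwise.
 */
bool
ConnSSL_InitLibrary(void)
{
	if (!Conf_SSLInUse()) {
		LogDebug("SSL not in use, skipping initialization.");
		return true;
	}

#ifdef HAVE_LIBSSL
	/* Kept NULL until created so "out" can free it unconditionally
	 * (SSL_CTX_free() is a no-op on NULL). */
	SSL_CTX *newctx = NULL;

	/* First call: ssl_ctx is still NULL, so do the one-time library setup. */
	if (!ssl_ctx) {
		SSL_library_init();
		SSL_load_error_strings();
	}

	if (!RAND_status()) {
		Log(LOG_ERR, "OpenSSL PRNG not seeded: /dev/urandom missing?");
		/*
		 * it is probably best to fail and let the user install EGD or
		 * a similar program if no kernel random device is available.
		 * According to OpenSSL RAND_egd(3): "The automatic query of
		 * /var/run/egd-pool et al was added in OpenSSL 0.9.7";
		 * so it makes little sense to deal with PRNGD seeding ourselves.
		 */
		goto out;
	}

	newctx = SSL_CTX_new(SSLv23_method());
	if (!newctx) {
		LogOpenSSLError("Failed to create SSL context", NULL);
		goto out;
	}

	if (!ConnSSL_LoadServerKey_openssl(newctx))
		goto out;

	/* A cipher list the library cannot parse is a configuration error,
	 * not something to fall back from silently. */
	if (SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0) {
		Log(LOG_ERR, "Failed to apply OpenSSL cipher list \"%s\"!",
		    Conf_SSLOptions.CipherList);
		goto out;
	}

	/* 6 == strlen("ngircd"); the terminating NUL is not part of the id. */
	SSL_CTX_set_session_id_context(newctx, (unsigned char *)"ngircd", 6);
	/* NOTE(review): only SSLv2 is disabled here; SSLv3 remains negotiable
	 * through SSLv23_method() — confirm whether that is intended. */
	SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2);
	SSL_CTX_set_mode(newctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
	/* Request a client certificate once per connection; the outcome is
	 * handled by the Verify_openssl callback, defined elsewhere. */
	SSL_CTX_set_verify(newctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
			   Verify_openssl);

	/* Swap in the new context; on the first call ssl_ctx is NULL. */
	SSL_CTX_free(ssl_ctx);
	ssl_ctx = newctx;
	Log(LOG_INFO, "%s initialized.", SSLeay_version(SSLEAY_VERSION));
	return true;

out:
	SSL_CTX_free(newctx);
	array_free(&Conf_SSLOptions.ListenPorts);
	return false;
#endif
#ifdef HAVE_LIBGNUTLS
	int err;
	static bool initialized;

	if (initialized) {
		/* TODO: cannot reload gnutls keys: can't simply free x509
		 * context -- it may still be in use */
		/* The listen ports are deliberately kept here: the context
		 * built by the first call is still in service. */
		return false;
	}

	err = gnutls_global_init();
	if (err) {
		Log(LOG_ERR, "Failed to initialize GnuTLS: %s",
		    gnutls_strerror(err));
		goto out;
	}

	if (!ConnSSL_LoadServerKey_gnutls())
		goto out;

	/* CipherList is a GnuTLS priority string in this build. */
	if (gnutls_priority_init(&priorities_cache, Conf_SSLOptions.CipherList,
				 NULL) != GNUTLS_E_SUCCESS) {
		Log(LOG_ERR, "Failed to apply GnuTLS cipher list \"%s\"!",
		    Conf_SSLOptions.CipherList);
		goto out;
	}

	Log(LOG_INFO, "GnuTLS %s initialized.", gnutls_check_version(NULL));
	initialized = true;
	return true;

out:
	array_free(&Conf_SSLOptions.ListenPorts);
	return false;
#endif
}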