
Cherry-pick "Respect "SSLConnect" option for incoming connections". Closes: #1067237

Christoph Biedl 2 years ago
parent
commit
a242c6cb7c

+ 42 - 0
debian/patches/0001-Respect-SSLConnect-option-for-incoming-connections.patch

@@ -0,0 +1,42 @@
+From 65a304dab3329625b409efa161f2c31a7221ad7c Mon Sep 17 00:00:00 2001
+From: Alexander Barton <alex@barton.de>
+Date: Mon, 1 Jan 2024 18:20:26 +0100
+Subject: [PATCH 01/20] Respect "SSLConnect" option for incoming connections
+
+Don't accept incoming plain-text ("non SSL") server connections for
+servers configured with "SSLConnect" enabled.
+
+If "SSLConnect" is not set for an incoming connection the server still
+accepts both plain-text and encrypted connections.
+
+This change prevents an authenticated client-server being able to force
+the server-server to send its password on a plain-text connection when
+SSL/TLS was intended.
+
+(cherry picked from commit 21c1751b045b0be49e584a4ba191a330e0c381bb)
+---
+ src/ngircd/irc-server.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/src/ngircd/irc-server.c
++++ b/src/ngircd/irc-server.c
+@@ -87,6 +87,19 @@
+ 			return DISCONNECTED;
+ 		}
+ 
++#ifdef SSL_SUPPORT
++		/* Does this server require an SSL connection? */
++		if (Conf_Server[i].SSLConnect &&
++		    !(Conn_Options(Client_Conn(Client)) & CONN_SSL)) {
++			Log(LOG_ERR,
++			    "Connection %d: Server \"%s\" requires a secure connection!",
++			    Client_Conn(Client), Req->argv[0]);
++			Conn_Close(Client_Conn(Client), NULL,
++				   "Secure connection required", true);
++			return DISCONNECTED;
++		}
++#endif
++
+ 		/* Check server password */
+ 		if (strcmp(Conn_Password(Client_Conn(Client)),
+ 		    Conf_Server[i].pwd_in) != 0) {
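Review bot: The added `/* Does this server require an SSL connection? */` comment in the new `#ifdef SSL_SUPPORT` block does not say that "SSLConnect", whose name reads as an outbound-only option, now also gates incoming links, and the patch touches only `src/ngircd/irc-server.c`, so nothing in this cherry-pick documents the behaviour change for operators. I would expand the comment to `/* "SSLConnect" also applies to incoming links: reject plain-text peers here, before the password check, so our own password is never sent in the clear. */` and mention the change in the package's NEWS or changelog entry. By the time this check runs the peer's PASS has presumably already arrived unencrypted (the context line just below reads `Conn_Password()`), so a "requires a secure connection" log entry is worth treating as a cue to rotate that link's password. The enclosing function starts and ends outside the hunk.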

+ 3 - 0
debian/patches/series

@@ -1 +1,4 @@
+# cherry-picked from upstream
+0001-Respect-SSLConnect-option-for-incoming-connections.patch
+
 fix-typos.patch