| 12345678910111213141516171819202122232425262728293031323334353637383940414243 |
- From d09dc33e7d0f148ff9c0afff905414cc13d636fc Mon Sep 17 00:00:00 2001
- From: Alexander Barton <alex@barton.de>
- Date: Mon, 1 Jan 2024 18:20:26 +0100
- Subject: [PATCH 01/20] Respect "SSLConnect" option for incoming connections
- Bug-Debian: https://bugs.debian.org/1067237
- Don't accept incoming plain-text ("non SSL") server connections for
- servers configured with "SSLConnect" enabled.
- If "SSLConnect" is not set for an incoming connection the server still
- accepts both plain-text and encrypted connections.
- This change prevents an authenticated client-server being able to force
- the server-server to send its password on a plain-text connection when
- SSL/TLS was intended.
- (cherry picked from commit 21c1751b045b0be49e584a4ba191a330e0c381bb)
- ---
- src/ngircd/irc-server.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
- --- a/src/ngircd/irc-server.c
- +++ b/src/ngircd/irc-server.c
- @@ -87,6 +87,19 @@
- return DISCONNECTED;
- }
-
- +#ifdef SSL_SUPPORT
- + /* Does this server require an SSL connection? */
- + if (Conf_Server[i].SSLConnect &&
- + !(Conn_Options(Client_Conn(Client)) & CONN_SSL)) {
- + Log(LOG_ERR,
- + "Connection %d: Server \"%s\" requires a secure connection!",
- + Client_Conn(Client), Req->argv[0]);
- + Conn_Close(Client_Conn(Client), NULL,
- + "Secure connection required", true);
- + return DISCONNECTED;
- + }
- +#endif
- +
- /* Check server password */
- if (strcmp(Conn_Password(Client_Conn(Client)),
- Conf_Server[i].pwd_in) != 0) {
|
