about summary refs log tree commit diff
diff options
context:
space:
mode:
authorJune McEnroe <june@causal.agency>2021-08-20 15:48:19 -0400
committerJune McEnroe <june@causal.agency>2021-08-20 15:48:19 -0400
commit26e6c331f51a5b23c39ffa8e172ab776fdbc3f06 (patch)
tree3e770f23ba26e4af739b031c177edbc976271a51
parentUse seprintf to build final 005 (diff)
downloadpounce-26e6c331f51a5b23c39ffa8e172ab776fdbc3f06.tar.gz
pounce-26e6c331f51a5b23c39ffa8e172ab776fdbc3f06.zip
Use "secure" libtls ciphers
Ported from catgirl:

commit 585039fb6e5097cfd16bc083c6d1c9356b237882
Author: Klemens Nanni <klemens@posteo.de>
Date:   Sun Jun 20 14:42:10 2021 +0000

Use "secure" libtls ciphers

d3e90b6 'Use libtls "compat" ciphers' from 2018 fell back to "compat"
ciphers to support irc.mozilla.org which now yields NXDOMAIN.

All modern networks (should) support secure ciphers, so drop the
hopefully unneeded list of less secure ciphers by avoiding
tls_config_set_ciphers(3) and therefore sticking to the "secure" aka.
"default" set of ciphers in libtls.

A quick check shows that almost all of the big/known IRC networks
support TLS1.3 already;  those who do not at least comply with
SSL_CTX_set_cipher_list(3)'s "HIGH" set as can be tested like this:

		echo \
		  irc.hackint.org \
		  irc.tilde.chat \
		  irc.libera.chat \
		  irc.efnet.nl \
		  irc.oftc.net |
		xargs -tn1 \
		openssl s_client -quiet -cipher HIGH -no_ign_eof -port 6697 -host
-rw-r--r--server.c6
1 files changed, 1 insertions, 5 deletions
diff --git a/server.c b/server.c
index 636d911..853edd8 100644
--- a/server.c
+++ b/server.c
@@ -45,14 +45,10 @@ static struct tls *client;
 void serverConfig(
 	bool insecure, const char *trust, const char *cert, const char *priv
 ) {
+	int error = 0;
 	struct tls_config *config = tls_config_new();
 	if (!config) errx(EX_SOFTWARE, "tls_config_new");
 
-	int error = tls_config_set_ciphers(config, "compat");
-	if (error) {
-		errx(EX_SOFTWARE, "tls_config_set_ciphers: %s", tls_config_error(config));
-	}
-
 	if (insecure) {
 		tls_config_insecure_noverifycert(config);
 		tls_config_insecure_noverifyname(config);