Commit graph

  • 199a7e162d
    Make new functions more generic and use it from crash reporter so people with older OpenSSL libraries (and LibreSSL) benefit from the hostname validation code there as well. Bram Matthys 2017-09-01 17:28:49 +0200
  • aa829bce12
    New option link::verify-certificate [yes|no]. This will cause UnrealIRCd to validate the certificate of the link, making sure that: 1) The certificate is issued by a trusted Certificate Authority (CA). 2) The name on the certificate matches the name of the link block. Some things still need to be done: documentation, more testing, and using the X509_check_host() function when available. Bram Matthys 2017-09-01 17:10:29 +0200
  • ac66a0fe12
    Add hostname verification code from ssl conservatory & curl (will be used in next commit) Bram Matthys 2017-09-01 17:02:36 +0200
  • 5ff4fb3f87
    Remove old code.. this is already set in link->ssl_ctx by init_ctx(). (tested) Bram Matthys 2017-09-01 09:32:51 +0200
  • 6d7be72f2b
    Remove ssl option 'no-self-signed'. Use 'verify-certificate' instead. Nobody used this option and it only caused the following confusing (and potentially insecure) behavior: Previously if you had 'verify-certificate' enabled then the certificate would be checked, BUT if it was a self-signed certificate (and thus not passing verify-cert) it was STILL allowed unless you also specified the 'no-self-signed' option. This might be correct as per documentation but is way too confusing for the user. Now you simply have to choose whether you verify the certificate or not. No special handling for self-signed certificates. Bram Matthys 2017-09-01 08:55:01 +0200
  • 08b621aa08
    +Minor issues fixed Bram Matthys 2017-08-25 20:38:30 +0200
  • 5cf28d0d46
    It was possible to have a block named 'link irc1.test.net' and then get connected to a server introducing himself as irc2.test.net. This was rather confusing, of course. Wasn't much of a security issue since this only happened in outgoing connects and naturally all authentication needs to pass as well. Bram Matthys 2017-08-25 20:34:27 +0200
  • bfb3e0847b
    If you had an unknown link::someunknownitem then UnrealIRCd would not throw an error. Now it does. Bram Matthys 2017-08-25 17:48:54 +0200
  • 74466a4065
    Consider any client with the same IP as a listen::ip to be loopback. This is done for users on shared IRCd shells[*] which may be used to (or forced to) connect services via their alias IP rather than 127.0.0.1 due to bind restrictions. This, in turn, to ease the transition to set::plaintext-policy::server deny. [*] Side-note: The UnrealIRCd team recommends using a VPS and not a shared shell, as the latter is considerably less secure. Bram Matthys 2017-08-20 10:35:45 +0200
  • d490b0ee3e
    "No log { } block found -- using default: errors will be logged to 'ircd.log'" Unfortunately it was then logging to tmp/ircd.log rather than logs/ircd.log Bram Matthys 2017-08-19 12:12:06 +0200
  • efb344b9b2
    duh. Bram Matthys 2017-08-19 12:07:54 +0200
  • 6afbc4ee99
    Relative paths for sslclientcerts did not work. This has been fixed so password "ssl/something.crt" { sslclientcert; }; works OK now. Bram Matthys 2017-08-19 12:02:25 +0200
  • bfa00e95b7
    Set default plaintext-policy to be 'warn' for /OPER and 'deny' for server linking. Write some draft release notes for later use. Bram Matthys 2017-08-19 11:19:33 +0200
  • 361a354c4b
    If set::plaintext-policy::user is 'deny' and a non-SSL/TLS-user is trying to connect then SASL is not advertised. Bram Matthys 2017-08-16 19:45:17 +0200
  • d53d46fce4
    Add set::plaintext-policy block by which you can warn or deny user connections, ircop /OPER attempts and incoming server linking attempts from connections that are not encrypted with SSL/TLS. Documentation: https://www.unrealircd.org/docs/Set_block#set::plaintext-policy Bram Matthys 2017-08-16 19:39:28 +0200
  • 40e3e11b61
    UnrealIRCd 4.0.13 Bram Matthys 2017-08-15 12:12:10 +0200
  • 0b5e46cd23
    Fix extban_conv_param_nuh not marked as extern. Reported by Gottem (#4975) Bram Matthys 2017-08-15 12:08:11 +0200
  • c8a67f9436
    Update curl-ca-bundle to Wed Jun 7 03:12:05 2017. Remove CACERT. Bram Matthys 2017-08-15 11:48:48 +0200
  • c7457434c4
    .. Bram Matthys 2017-08-10 09:37:38 +0200
  • 77f8b9ed5a
    Build fix for cap/sts on Windows Bram Matthys 2017-08-10 09:36:18 +0200
  • 74d5f380dd
    A /REHASH from a WebSocket connection would cause a crash (requires IRCOp privileges). This is a rather technical issue, we now simply reject the rehash. See comments in code for more information. Bram Matthys 2017-08-10 09:02:05 +0200
  • 18202a0f73
    Fix "ban too broad" checking. Reported by Gottem in #4961. * The 'ban too broad' checking was broken. This permitted glines such as 192.168.0.0/1 being set. Now it rejects CIDR of /15 and lower. To disable this safety measure you can (still) use: set { options { allow-insane-bans; }; }; Bram Matthys 2017-08-10 08:30:54 +0200
  • f5b29ed7de
    Add modules/cap directory to Windows installer. Bram Matthys 2017-08-10 07:54:01 +0200
  • 8ccf5700f1
    Prepare for 4.0.13-rc1 Bram Matthys 2017-08-10 07:46:17 +0200
  • d222a18286
    Fix "simple" spamfilters being synched as "posix" during server linking. This was due to lack of TKLEXT2 support in the m_tkl_synch() code. Bram Matthys 2017-08-10 07:07:37 +0200
  • 69a2e7d994
    Whoops. This code cleanup screwed up STS. Should work now. Bram Matthys 2017-08-09 19:11:28 +0200
  • 6c539c8566
    Bump Websocket module version to 1.0.0 Bram Matthys 2017-08-09 18:12:03 +0200
  • 06aa2ad79a
    Websocket module: don't send CR/LF in outgoing frames and don't require CR/LF in incoming frames (simply ignore them if they are present). Bram Matthys 2017-08-09 18:00:44 +0200
  • ab3e65a76f
    Load cap/sts module by default (only active if set::ssl::sts-policy is set). Bram Matthys 2017-08-09 15:49:03 +0200
  • 455420afc1
    SNI-specific sts-policy is now possible. (As recommended by IRCv3 draft spec) Bram Matthys 2017-08-09 15:39:52 +0200
  • 0f612a3b30
    SNI: Fix for wildcard certificates Bram Matthys 2017-08-09 15:20:38 +0200
  • 84776eeeb2
    Add support for draft/sts http://ircv3.net/specs/core/sts-3.3.html Docs: https://www.unrealircd.org/docs/Set_block#set::ssl::sts-policy::port Example: set { ssl { certificate "ssl/server.cert.pem"; key "ssl/server.key.pem"; sts-policy { port 6697; duration 180d; }; }; }; IMPORTANT: Only use this if you know what STS is and what the implications are. The most important things being A) set a correct port and B) you need a 'real' SSL certificate and not a self-signed certificate. Bram Matthys 2017-08-09 14:16:03 +0200
  • 1cc6dd3d5b
    Add Makefile and placeholder module. Bram Matthys 2017-08-09 13:30:52 +0200
  • 6500af6ba5
    * Use free_ssl_options from generic conf. * Actually free ssl_options in free_ssl_options. Bram Matthys 2017-08-09 13:27:50 +0200
  • ea651384f8
    Add groundwork for draft/sts (more to follow) Bram Matthys 2017-08-09 13:21:36 +0200
  • b2129205f9
    Added support for the "Server Name Indication" (SNI) SSL/TLS extension. See https://www.unrealircd.org/docs/Sni_block Requested in #4380 by Eman. Bram Matthys 2017-08-09 12:00:04 +0200
  • 590e345b8d
    ./autogen.sh (see previous commits) Bram Matthys 2017-07-07 18:15:47 +0200
  • e6a52ec919 Merge pull request #69 from binki/unreal40-moregitignore Bram Matthys 2017-07-07 13:57:27 +0200
  • 0a8cd1347e Merge pull request #68 from binki/without-privatelibdir Bram Matthys 2017-07-07 13:57:06 +0200
  • 6591e6bcee
    Do not try to delete libcares when not using PRIVATELIBDIR. Nathan Phillip Brink 2017-07-06 06:43:20 +0000
  • 4edcb9226c
    Add src/Makefile (built) to .gitignore Nathan Phillip Brink 2017-07-06 06:19:58 +0000
  • 2b94733cbe
    Support --without-privatelibdir for packagers. Nathan Phillip Brink 2017-07-06 06:04:18 +0000
  • 7b092f7aeb
    Verify certificate when submitting bug report. Bram Matthys 2017-06-19 16:28:50 +0200
  • 0c1f299b0b
    UnrealIRCd 4.0.12.1 release Bram Matthys 2017-06-02 08:56:24 +0200
  • d27d3760c7
    CAP NAK not sent for unrecognised CAPs in all cases. Reported by jwheare (#4958). Bram Matthys 2017-06-02 08:22:19 +0200
  • 072d8537b8
    Prevent /OPER for oper blocks with non-existent operclass, as doing so would only be confusing. Reported by Gottem (#4950). Bram Matthys 2017-06-02 07:41:44 +0200
  • 7b8f17ef5e
    Rename variable (no other changes) Bram Matthys 2017-06-02 07:33:15 +0200
  • 6c3c55b4e5
    Fix new user mode +Z (secureonlymsg) not working properly across server links. Reported by HeXiLeD (#4953). Bram Matthys 2017-05-28 09:41:11 +0200
  • ffc5f0ce44
    Update modules.optional.conf Bram Matthys 2017-05-13 12:33:37 +0200
  • 2838ef6266
    Mark all shipped modules as official (non-3rd-party). Bram Matthys 2017-05-13 12:29:05 +0200
  • 50801f5068
    Add conf/modules.optional.conf. This loads all additional modules that are not in modules.default.conf. Bram Matthys 2017-05-13 12:24:55 +0200
  • 01687486f0
    Bump MAXCONNECTIONS for Windows. Due to FD number assignments this value needs to be much higher than the number of clients the IRCd should be able to hold. The new value is 10k which should allow at least 1-2k clients. Bram Matthys 2017-05-12 17:12:18 +0200
  • b86419173a
    Compile secureonlymsg module on Windows Bram Matthys 2017-05-12 17:10:53 +0200
  • bbf33b62dc
    UnrealIRCd will now refuse to run as root, as promised a couple of versions ago. https://www.unrealircd.org/docs/Do_not_run_as_root Bram Matthys 2017-05-12 11:42:01 +0200
  • 3dc27370a1
    Prepare for UnrealIRCd 4.0.12 release. Bram Matthys 2017-05-12 11:24:36 +0200
  • 5e378fb02b
    Since 95% of the crash reports are due to bugs in 3rd party modules we now have to discourage people with 3rd party modules loaded from blindly submitting crash reports. Bram Matthys 2017-05-12 10:25:45 +0200
  • 0412c86d17
    Update OpenFiles on listener close (not very common, but..) Bram Matthys 2017-05-10 17:18:47 +0200
  • a6f5460ad8
    Update OpenFiles upon failed SSL connect to remote server. Reported by Eman (#4948). Bram Matthys 2017-05-10 17:03:45 +0200
  • ee9f8441bc
    Bump lag for remote MOTD requests. Bram Matthys 2017-04-07 20:06:36 +0200
  • 0035cafdba
    Fix server setting +b even if the ban list is full when using +f. Reported by NoMiaus (#4906). Bram Matthys 2017-03-26 15:48:05 +0200
  • e62ea1dedd
    Module coders: added two functions to search for user modes: has_user_mode(acptr, 'i'): returns 1 / 0 find_user_mode('i'): returns the user mode (as 'long') Bram Matthys 2017-03-26 15:40:36 +0200
  • b6f8ddd456
    Fix Jumpserver not working for SSL users due to old #ifdef USE_SSL. Reported by NoMiaus (#4907). Bram Matthys 2017-03-26 15:38:04 +0200
  • 0c6fb46704
    Minor code cleanup Bram Matthys 2017-03-22 16:32:59 +0100
  • fcaa69157b
    Fix crash when unloading (not reloading) module that uses ModData (#4903). Bram Matthys 2017-03-22 10:51:29 +0100
  • e6a02003f5
    Delayjoin (chanmode +D): When people are de-oped we now part 'hidden' users. Prevents client desynch. Bram Matthys 2017-03-22 08:25:03 +0100
  • 4c39648b03
    Improve source code (setflags -> oldumodes) Bram Matthys 2017-03-20 16:18:43 +0100
  • cd0836572f
    Fix /mode nick -t and force-rejoin. Reported by NoMiaus (#4901). Bram Matthys 2017-03-20 16:17:23 +0100
  • ec9db8fd5f
    Move match_user() to module (efunc in m_tkl) Bram Matthys 2017-03-18 15:00:34 +0100
  • 000f9e10fc
    'nocodes' module: also strip/block italic. Suggested by The_Myth (#4898). Bram Matthys 2017-03-18 14:50:49 +0100
  • af694e0cbd
    Fix crash in Windows GUI Bram Matthys 2017-03-13 08:30:45 +0100
  • 0963cddd28
    Vhosts were not synched correctly during linking. Reported by unic0rn (#4890). This was not really noticeable on 2 server networks, but in A-B-C linking setups a vhost of user A would not show on server C. Bram Matthys 2017-03-11 10:50:00 +0100
  • abd4296d8e
    Add support for negative ip/hostmask matching in deny channel / allow channel and at some other places (any place which uses the 'mask' system). This allows things like: deny channel { channel "#help*"; }; allow channel { channel "#help-nolan"; mask !192.168.*; }; allow channel { channel "#help-lan"; mask 192.168.*; }; Similarly in vhost blocks etc etc.. Bram Matthys 2017-03-10 09:20:15 +0100
  • f65d5fce8b
    Add new option: set { hide-list { deny-channel }; }; This will hide channels in /LIST that are denied by deny channel blocks (and not exempt via allow channel blocks). Bram Matthys 2017-03-10 08:48:08 +0100
  • 5c417b4235
    Fix minor memleak on /REHASH (set::sasl-server) Bram Matthys 2017-03-08 17:30:28 +0100
  • 176566962a
    Add support for 'mask' in allow channel { } and deny channel { }. This so you can easily add allow/deny channel blocks for IP ranges. Possibly not so useful for services-networks (ban/akick is very similar) but has some use on serviceless networks. Bram Matthys 2017-03-08 17:28:15 +0100
  • 9dc4e7d31b
    Windows: shut up warning on certificate generation during installation. WARNING: can't open config file: c:/libressl/ssl/openssl.cnf Bram Matthys 2017-03-08 09:03:03 +0100
  • cb59538309
    Fix chanmode +f issue where unsetting parts were not effective. For example: '+f [5j#i1,5m#m1,3n]:3' and then '+f [5j#i1,5m]:3' In that case the '3n' was not removed and still effective, as could be seen by a '/MODE #chan'. Reported by The_Myth (#4883). Bram Matthys 2017-03-06 10:05:30 +0100
  • 9252ce30e9
    Fix *NIX build (non Mac OS) by backing out all changes of past week. Bram Matthys 2017-03-06 09:12:22 +0100
  • 2a4714ea73 Adjust curlinstall Travis McArthur 2017-02-26 11:18:38 -0800
  • efdf290bd5 Update curl install run path Travis McArthur 2017-02-26 10:30:42 -0800
  • 12aa3289b9 Update Makefile to remove dep on private libs Travis McArthur 2017-02-25 16:16:58 -0800
  • 97467d2480 Use LD_RUN_PATH instead of rpath Travis McArthur 2017-02-25 16:09:00 -0800
  • 67184f506c Support more mac build types, fix more linux build Travis McArthur 2017-02-25 15:51:25 -0800
  • 6f90a0d5f9 Update test used for rpath Travis McArthur 2017-02-25 14:11:56 -0800
  • d997ec0576 Update to support mac testing Travis McArthur 2017-02-25 13:07:10 -0800
  • b1807ea399 Update Travis-Ci to build OSX and Linux Travis McArthur 2017-02-25 12:31:47 -0800
  • fbf715af9b Fix configure script Travis McArthur 2017-02-25 10:29:05 -0800
  • 0136ac3c83 Finalize check of rpath option Travis McArthur 2017-02-25 10:20:10 -0800
  • d3518eb1ee Fix conditionals Travis McArthur 2017-02-25 09:55:29 -0800
  • 9a6ef504d0 Update configure for mac/linux compat Travis McArthur 2017-02-25 09:50:22 -0800
  • ca9f2ea82e Update make file Travis McArthur 2017-02-25 09:34:48 -0800
  • d8b67e0afb Update configure for mac os compat Travis McArthur 2017-02-25 09:30:38 -0800
  • 894ff20ddd Add testing submodules Travis McArthur 2017-02-25 02:25:02 -0800
  • 7de81c7aa6
    Credit Bram Matthys 2017-02-18 14:42:14 +0100
  • c97a3e1903
    Add user mode +Z: Only allows SSL/TLS users to private message you. Based on +R, idea seen on the forums (from Stealth ?) Bram Matthys 2017-02-18 14:39:32 +0100
  • 06485a07fb
    Windows: move service.log to logs\ folder. Bram Matthys 2017-02-17 15:55:43 +0100
  • cded56f46a
    Add timestamp in service.log Bram Matthys 2017-02-17 15:55:22 +0100
  • 43921b07ac
    re-indent this monster Bram Matthys 2017-02-17 15:51:13 +0100
  • 2a83066f67
    Channel modes were not working. Bram Matthys 2017-02-10 22:14:41 +0100
  • 906ab61518
    Updates to Windows installer for newer Inno Setup Bram Matthys 2017-02-10 15:44:04 +0100