Commit graph

  • 6dd147b941
    Fix 2nd crash bug. Found when searching for related crash issues. Bram Matthys 2017-10-01 13:19:12 +02:00
  • 47eebad53d
    Fix crash bug, reported by Joseph Bisch. Bram Matthys 2017-10-01 13:18:45 +02:00
  • 5399e060fa
    Send CAP DEL sasl if set::sasl-server squits and CAP NEW when it returns. (Only to cap-notify and v3.2 clients, of course) Also fix a "bug" where sts parameters were not shown in CAP NEW tls. Bram Matthys 2017-09-30 15:19:29 +02:00
  • ac65e32a26
    Add CAP v3.2 support. Add 'cap-notify' support. Delete CAP CLEAR as its use is discouraged (too much trouble). Delete CAP ACK (from client2server) as this is only for CAP's with ack modifiers. This is something we don't use, and which has been deprecated in v3.2 of the spec. Bram Matthys 2017-09-30 14:34:06 +02:00
  • 461fa9a48a
    Store CAP version in use in sptr->local->cap_protocol. Bram Matthys 2017-09-30 12:50:36 +02:00
  • 7d381086ad
    Remove CLICAP_FLAGS_CLIACK. Never understood this idea. Unused and deprecated it seems. Bram Matthys 2017-09-30 12:35:56 +02:00
  • 44052b86c0
    Remove CLICAP_FLAGS_STICKY. We don't use this anyway. Bram Matthys 2017-09-30 12:33:57 +02:00
  • fbd4e74663
    You can now have multiple webirc { } blocks with the same mask. This permits multiple blocks like.. webirc { mask *; password "....." { sslclientcertfp; }; }; ..should you need it. In other words: we don't stop matching upon an authentication failure. Bram Matthys 2017-09-30 09:53:04 +02:00
  • 638b189804
    Users connecting to the IRC server from the same machine could be seen as "localhost", even though they were using an IP other than 127.0.0.1. So, they were local but not using loopback. Reported by The_Myth (#5013). Bram Matthys 2017-09-20 15:51:41 +02:00
  • 838354f155
    UnrealIRCd 4.0.14 Bram Matthys 2017-09-15 10:23:49 +02:00
  • de9216a339
    * Please do not use UmodeDel, CmdoverrideDel and any other *Del() functions from MOD_UNLOAD. [..] Bram Matthys 2017-09-15 10:19:55 +02:00
  • 217ea69fe8
    Use ircs:// link instead of irc:// Bram Matthys 2017-09-15 08:24:30 +02:00
  • 3de335ea0c
    Update curlinstall link to use https. Previously this wasn't done because so many people had a broken system/wget/curl, that is: without the appropriate trusted CA certificates installed. If this is still the case, then: too bad. People who DO have a proper setup shouldn't be held back with regards to security by such users. Bram Matthys 2017-09-15 08:19:39 +02:00
  • 91e108499e
    Convert remaining http:// links to https:// Bram Matthys 2017-09-15 08:19:08 +02:00
  • a20dc5f8c1
    Use static buffer in cipher_check() like in verify_certificate() - duh. Bram Matthys 2017-09-10 16:41:34 +02:00
  • e7c7b1daff
    Don't show draft/sts and other unREQ'able CAP's in "CAP LIST" (only in "CAP LS"). Bram Matthys 2017-09-09 12:37:50 +02:00
  • 3cbf2536b2
    Clarify Bram Matthys 2017-09-08 08:26:53 +02:00
  • 1f856745e5
    4.0.14-rc1 Bram Matthys 2017-09-08 08:16:21 +02:00
  • 366a494c00
    Last update of release notes before -rc1? Bram Matthys 2017-09-08 08:15:54 +02:00
  • 2914695681
    We can't prevent all user mistakes, but we can at least prevent some.. Bram Matthys 2017-09-08 07:53:20 +02:00
  • 461ce8016a
    Some modes in set::modes-on-connect gave an error. These were old user modes such as +N and +A that were previously forbidden but may nowadays be (re-)used by 3rd party modules. Reported by marco500 (#4980). Bram Matthys 2017-09-08 07:39:56 +02:00
  • ea974ed018
    Update Windows makefile (+SRC/OPENSSL_HOSTNAME_VALIDATION.OBJ) Bram Matthys 2017-09-06 16:51:18 +02:00
  • 296decf648
    This code can be removed now that we have a working verify_certificate(). Also broke LibreSSL (SSL_CTX_get0_param undefined). Bram Matthys 2017-09-06 16:49:25 +02:00
  • a21222a672
    Bump MODDATA_MAX_CLIENT from 8 to 12 and move MODDATA_MAX_* to include/config.h Bram Matthys 2017-09-06 16:29:48 +02:00
  • 05c6dfbb35
    Update release notes Bram Matthys 2017-09-06 16:22:13 +02:00
  • edb144d570
    Update cipher suite to include TLSv1.3 ciphers. This so upcoming UnrealIRCd version will work with TLSv1.3 whenever it becomes an official standard and is included in OpenSSL/LibreSSL. (Verified to work with openssl git master branch) Bram Matthys 2017-09-06 16:09:22 +02:00
  • a5dbd3aa7c
    SSL/TLS: Use SNI in outgoing server link. Bram Matthys 2017-09-06 14:32:21 +02:00
  • b757d2eff0
    Show set::sasl-server in '/STATS set'. Suggested by Gottem (#0004997). Bram Matthys 2017-09-06 08:44:12 +02:00
  • 08bc61ec00
    We now refuse to enable SSL/TLS with weak ciphers: DES, 3DES, RC4. Bram Matthys 2017-09-06 08:21:14 +02:00
  • 959195e7d7
    Update Windows makefile to match *NIX objects Bram Matthys 2017-09-03 16:27:55 +02:00
  • 58ebc9c6be
    Move previous release notes (4.0.13) to doc/RELEASE-NOTES.old Bram Matthys 2017-09-03 16:23:05 +02:00
  • 788f628403
    Update release notes Bram Matthys 2017-09-03 16:22:44 +02:00
  • 3510a98e50
    Shorten the set::plaintext-policy text. Content was good but it was too long. Bram Matthys 2017-09-03 16:10:37 +02:00
  • 8fad7c563d
    Add cap/link-security and cap/plaintext-policy modules. Bram Matthys 2017-09-03 16:06:39 +02:00
  • 1faa91ed0e
    Add helper function plaintextpolicy_valtochar(). Bram Matthys 2017-09-02 15:49:02 +02:00
  • 78695f3eea
    Permit attaching client moddata to servers (and synch properly, if .synch=1) Bram Matthys 2017-09-02 15:47:58 +02:00
  • 0da1fdb2d2
    Fix possible crash in /STATS due to change from yesterday. Other than that, some minor style and real things. Bram Matthys 2017-09-02 08:27:55 +02:00
  • 3ade6c7ecb
    :D Bram Matthys 2017-09-01 18:15:47 +02:00
  • 199a7e162d
    Make new functions more generic and use it from crash reporter so people with older OpenSSL libraries (and LibreSSL) benefit from the hostname validation code there as well. Bram Matthys 2017-09-01 17:28:49 +02:00
  • aa829bce12
    New option link::verify-certificate [yes|no]. This will cause UnrealIRCd to validate the certificate of the link, making sure that: 1) The certificate is issued by a trusted Certificate Authority (CA). 2) The name on the certificate matches the name of the link block. Some things still need to be done: documentation, more testing, and using the X509_check_host() function when available. Bram Matthys 2017-09-01 17:10:29 +02:00
  • ac66a0fe12
    Add hostname verification code from ssl conservatory & curl (will be used in next commit) Bram Matthys 2017-09-01 17:02:36 +02:00
  • 5ff4fb3f87
    Remove old code.. this is already set in link->ssl_ctx by init_ctx(). (tested) Bram Matthys 2017-09-01 09:32:51 +02:00
  • 6d7be72f2b
    Remove ssl option 'no-self-signed'. Use 'verify-certificate' instead. Nobody used this option and it only caused the following confusing (and potentially insecure) behavior: Previously if you had 'verify-certificate' enabled then the certificate would be checked, BUT if it was a self-signed certificate (and thus not passing verify-cert) it was STILL allowed unless you also specified the 'no-self-signed' option. This might be correct as per documentation but is way too confusing for the user. Now you simply have to choose whether you verify the certificate or not. No special handling for self-signed certificates. Bram Matthys 2017-09-01 08:55:01 +02:00
  • 08b621aa08
    +Minor issues fixed Bram Matthys 2017-08-25 20:38:30 +02:00
  • 5cf28d0d46
    It was possible to have a block named 'link irc1.test.net' and then get connected to a server introducing himself as irc2.test.net. This was rather confusing, of course. Wasn't much of a security issue since this only happened in outgoing connects and naturally all authentication needs to pass as well. Bram Matthys 2017-08-25 20:34:27 +02:00
  • bfb3e0847b
    If you had an unknown link::someunknownitem then UnrealIRCd would not throw an error. Now it does. Bram Matthys 2017-08-25 17:48:54 +02:00
  • 74466a4065
    Consider any client with the same IP as a listen::ip to be loopback. This is done for users on shared IRCd shells[*] which may be used to (or forced to) connect services via their alias IP rather than 127.0.0.1 due to bind restrictions. This, in turn, to ease the transition to set::plaintext-policy::server deny. [*] Side-note: The UnrealIRCd team recommends using a VPS and not a shared shell, as the latter is considerably less secure. Bram Matthys 2017-08-20 10:35:45 +02:00
  • d490b0ee3e
    "No log { } block found -- using default: errors will be logged to 'ircd.log'" Unfortunately it was then logging to tmp/ircd.log rather than logs/ircd.log Bram Matthys 2017-08-19 12:12:06 +02:00
  • efb344b9b2
    duh. Bram Matthys 2017-08-19 12:07:54 +02:00
  • 6afbc4ee99
    Relative paths for sslclientcerts did not work. This has been fixed so password "ssl/something.crt" { sslclientcert; }; works OK now. Bram Matthys 2017-08-19 12:02:25 +02:00
  • bfa00e95b7
    Set default plaintext-policy to be 'warn' for /OPER and 'deny' for server linking. Write some draft release notes for later use. Bram Matthys 2017-08-19 11:19:33 +02:00
  • 361a354c4b
    If set::plaintext-policy::user is 'deny' and a non-SSL/TLS-user is trying to connect then SASL is not advertised. Bram Matthys 2017-08-16 19:45:17 +02:00
  • d53d46fce4
    Add set::plaintext-policy block by which you can warn or deny user connections, ircop /OPER attempts and incoming server linking attempts from connections that are not encrypted with SSL/TLS. Documentation: https://www.unrealircd.org/docs/Set_block#set::plaintext-policy Bram Matthys 2017-08-16 19:39:28 +02:00
  • 40e3e11b61
    UnrealIRCd 4.0.13 Bram Matthys 2017-08-15 12:12:10 +02:00
  • 0b5e46cd23
    Fix extban_conv_param_nuh not marked as extern. Reported by Gottem (#4975) Bram Matthys 2017-08-15 12:08:11 +02:00
  • c8a67f9436
    Update curl-ca-bundle to Wed Jun 7 03:12:05 2017. Remove CACERT. Bram Matthys 2017-08-15 11:48:48 +02:00
  • c7457434c4
    .. Bram Matthys 2017-08-10 09:37:38 +02:00
  • 77f8b9ed5a
    Build fix for cap/sts on Windows Bram Matthys 2017-08-10 09:36:18 +02:00
  • 74d5f380dd
    A /REHASH from a WebSocket connection would cause a crash (requires IRCOp privileges). This is a rather technical issue, we now simply reject the rehash. See comments in code for more information. Bram Matthys 2017-08-10 09:02:05 +02:00
  • 18202a0f73
    Fix "ban too broad" checking. Reported by Gottem in #4961. * The 'ban too broad' checking was broken. This permitted glines such as 192.168.0.0/1 being set. Now it rejects CIDR of /15 and lower. To disable this safety measure you can (still) use: set { options { allow-insane-bans; }; }; Bram Matthys 2017-08-10 08:30:54 +02:00
  • f5b29ed7de
    Add modules/cap directory to Windows installer. Bram Matthys 2017-08-10 07:54:01 +02:00
  • 8ccf5700f1
    Prepare for 4.0.13-rc1 Bram Matthys 2017-08-10 07:46:17 +02:00
  • d222a18286
    Fix "simple" spamfilters being synched as "posix" during server linking. This was due to lack of TKLEXT2 support in the m_tkl_synch() code. Bram Matthys 2017-08-10 07:07:37 +02:00
  • 69a2e7d994
    Whoops. This code cleanup screwed up STS. Should work now. Bram Matthys 2017-08-09 19:11:28 +02:00
  • 6c539c8566
    Bump Websocket module version to 1.0.0 Bram Matthys 2017-08-09 18:12:03 +02:00
  • 06aa2ad79a
    Websocket module: don't send CR/LF in outgoing frames and don't require CR/LF in incoming frames (simply ignore them if they are present). Bram Matthys 2017-08-09 18:00:44 +02:00
  • ab3e65a76f
    Load cap/sts module by default (only active if set::ssl::sts-policy is set). Bram Matthys 2017-08-09 15:49:03 +02:00
  • 455420afc1
    SNI-specific sts-policy is now possible. (As recommended by IRCv3 draft spec) Bram Matthys 2017-08-09 15:39:52 +02:00
  • 0f612a3b30
    SNI: Fix for wildcard certificates Bram Matthys 2017-08-09 15:20:38 +02:00
  • 84776eeeb2
    Add support for draft/sts http://ircv3.net/specs/core/sts-3.3.html Docs: https://www.unrealircd.org/docs/Set_block#set::ssl::sts-policy::port Example: set { ssl { certificate "ssl/server.cert.pem"; key "ssl/server.key.pem"; sts-policy { port 6697; duration 180d; }; }; }; IMPORTANT: Only use this if you know what STS is and what the implications are. The most important things being A) set a correct port and B) you need a 'real' SSL certificate and not a self-signed certificate. Bram Matthys 2017-08-09 14:16:03 +02:00
  • 1cc6dd3d5b
    Add Makefile and placeholder module. Bram Matthys 2017-08-09 13:30:52 +02:00
  • 6500af6ba5
    * Use free_ssl_options from generic conf. * Actually free ssl_options in free_ssl_options. Bram Matthys 2017-08-09 13:27:50 +02:00
  • ea651384f8
    Add groundwork for draft/sts (more to follow) Bram Matthys 2017-08-09 13:21:36 +02:00
  • b2129205f9
    Added support for the "Server Name Indication" (SNI) SSL/TLS extension. See https://www.unrealircd.org/docs/Sni_block Requested in #4380 by Eman. Bram Matthys 2017-08-09 12:00:04 +02:00
  • 590e345b8d
    ./autogen.sh (see previous commits) Bram Matthys 2017-07-07 18:15:47 +02:00
  • e6a52ec919 Merge pull request #69 from binki/unreal40-moregitignore Bram Matthys 2017-07-07 13:57:27 +02:00
  • 0a8cd1347e Merge pull request #68 from binki/without-privatelibdir Bram Matthys 2017-07-07 13:57:06 +02:00
  • 6591e6bcee
    Do not try to delete libcares when not using PRIVATELIBDIR. Nathan Phillip Brink 2017-07-06 06:43:20 +00:00
  • 4edcb9226c
    Add src/Makefile (built) to .gitignore Nathan Phillip Brink 2017-07-06 06:19:58 +00:00
  • 2b94733cbe
    Support --without-privatelibdir for packagers. Nathan Phillip Brink 2017-07-06 06:04:18 +00:00
  • 7b092f7aeb
    Verify certificate when submitting bug report. Bram Matthys 2017-06-19 16:28:50 +02:00
  • 0c1f299b0b
    UnrealIRCd 4.0.12.1 release Bram Matthys 2017-06-02 08:56:24 +02:00
  • d27d3760c7
    CAP NAK not sent for unrecognised CAPs in all cases. Reported by jwheare (#4958). Bram Matthys 2017-06-02 08:22:19 +02:00
  • 072d8537b8
    Prevent /OPER for oper blocks with non-existent operclass, as doing so would only be confusing. Reported by Gottem (#4950). Bram Matthys 2017-06-02 07:41:44 +02:00
  • 7b8f17ef5e
    Rename variable (no other changes) Bram Matthys 2017-06-02 07:33:15 +02:00
  • 6c3c55b4e5
    Fix new user mode +Z (secureonlymsg) not working properly across server links. Reported by HeXiLeD (#4953). Bram Matthys 2017-05-28 09:41:11 +02:00
  • ffc5f0ce44
    Update modules.optional.conf Bram Matthys 2017-05-13 12:33:37 +02:00
  • 2838ef6266
    Mark all shipped modules as official (non-3rd-party). Bram Matthys 2017-05-13 12:29:05 +02:00
  • 50801f5068
    Add conf/modules.optional.conf. This loads all additional modules that are not in modules.default.conf. Bram Matthys 2017-05-13 12:24:55 +02:00
  • 01687486f0
    Bump MAXCONNECTIONS for Windows. Due to FD number assignments this value needs to be much higher than the number of clients the IRCd should be able to hold. The new value is 10k which should allow at least 1-2k clients. Bram Matthys 2017-05-12 17:12:18 +02:00
  • b86419173a
    Compile secureonlymsg module on Windows Bram Matthys 2017-05-12 17:10:53 +02:00
  • bbf33b62dc
    UnrealIRCd will now refuse to run as root, as promised a couple of versions ago. https://www.unrealircd.org/docs/Do_not_run_as_root Bram Matthys 2017-05-12 11:42:01 +02:00
  • 3dc27370a1
    Prepare for UnrealIRCd 4.0.12 release. Bram Matthys 2017-05-12 11:24:36 +02:00
  • 5e378fb02b
    Since 95% of the crash reports are due to bugs in 3rd party modules we now have to discourage people with 3rd party modules loaded from blindly submitting crash reports. Bram Matthys 2017-05-12 10:25:45 +02:00
  • 0412c86d17
    Update OpenFiles on listener close (not very common, but..) Bram Matthys 2017-05-10 17:18:47 +02:00
  • a6f5460ad8
    Update OpenFiles upon failed SSL connect to remote server. Reported by Eman (#4948). Bram Matthys 2017-05-10 17:03:45 +02:00
  • ee9f8441bc
    Bump lag for remote MOTD requests. Bram Matthys 2017-04-07 20:06:36 +02:00
  • 0035cafdba
    Fix server setting +b even if the ban list is full when using +f. Reported by NoMiaus (#4906). Bram Matthys 2017-03-26 15:48:05 +02:00
  • e62ea1dedd
    Module coders: added two functions to search for user modes: has_user_mode(acptr, 'i'): returns 1 / 0 find_user_mode('i'): returns the user mode (as 'long') Bram Matthys 2017-03-26 15:40:36 +02:00
  • b6f8ddd456
    Fix Jumpserver not working for SSL users due to old #ifdef USE_SSL. Reported by NoMiaus (#4907). Bram Matthys 2017-03-26 15:38:04 +02:00