Refer to encryption as TLS instead of SSL in all messages.

Sadie Powell 2021-04-08 11:29:16 +01:00
parent 825599a696
commit 3c426be2a1
28 changed files with 144 additions and 145 deletions

configure (vendored)
View File

@ -385,14 +385,14 @@ if (prompt_bool $interactive, $question, 0) {
if (!<$RealDir/src/modules/m_ssl_*.cpp> && !defined $opt_disable_auto_extras) {
print_error <<"EOM";
You MUST build with at least one SSL module. SSL greatly enhances the
you MUST build with at least one TLS module. TLS greatly enhances the
security and privacy of your IRC server and is required for linking servers.
Please read the following documentation pages on how to enable SSL support:
Please read the following documentation pages on how to enable TLS support:
GnuTLS (recommended): https://docs.inspircd.org/3/modules/ssl_gnutls
mbedTLS: https://docs.inspircd.org/3/modules/ssl_mbedtls
OpenSSL: https://docs.inspircd.org/3/modules/ssl_openssl
GnuTLS (recommended): https://docs.inspircd.org/$version{MAJOR}/modules/ssl_gnutls
mbedTLS: https://docs.inspircd.org/$version{MAJOR}/modules/ssl_mbedtls
OpenSSL: https://docs.inspircd.org/$version{MAJOR}/modules/ssl_openssl
EOM
}
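Review bot: the replacement line in this hunk lowercases the first word of the error ("you MUST build with at least one TLS module"), so the message now starts mid-sentence; keep the capital from the original ("You MUST build with at least one TLS module"). The switch from the hard-coded docs.inspircd.org/3/ paths to `$version{MAJOR}` in the same hunk is a sensible fix but is not covered by the commit message, which only describes the SSL-to-TLS wording change; a sentence about it in the message would keep the two changes from being conflated.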

View File

@ -51,7 +51,7 @@ against the network service nickname.
">
<helpop key="sslinfo" title="/SSLINFO <nick>" value="
Displays information on the TLS (SSL) connection and certificate of the
Displays information on the TLS connection and certificate of the
target user.
">
@ -850,7 +850,7 @@ using their cloak when they quit.
(requires the services account module).
w Receives wallops messages.
x Gives a cloaked hostname (requires the cloaking module).
z Only allow private messages from TLS (SSL) users (requires
z Only allow private messages from TLS users (requires
the sslmodes module).
B Marks as a bot (requires the botmode module).
D Privdeaf mode. User will not receive any private messages
@ -931,7 +931,7 @@ using their cloak when they quit.
For example, +w o:R:Brain will op anyone identified
to the account 'Brain' on join.
(requires the autoop module)
z Blocks non-TLS (SSL) clients from joining the channel
z Blocks non-TLS clients from joining the channel
(requires the sslmodes module).
A Allows anyone to invite users to the channel
@ -1033,7 +1033,7 @@ c Show link blocks
d Show configured DNSBLs and related statistics
m Show command statistics, number of times commands have been used
o Show a list of all valid oper usernames and hostmasks
p Show open client ports, and the port type (ssl, plaintext, etc)
p Show open client ports, and the port type (tls, plaintext, etc)
u Show server uptime
z Show memory usage statistics
i Show connect class permissions
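Review bot: the help text for /STATS p now says the port type is reported as "tls" rather than "ssl". That is a description of user-visible output rather than a comment, so the code that builds the stats row must emit the same token or the help text becomes wrong; please confirm the string produced by the stats command was updated to match, and mention the output change in the changelog since scripts may match on it.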
@ -1106,7 +1106,7 @@ Matching extbans:
realnameban module).
s:<server> Matches users on a matching server (requires the
serverban module).
z:<certfp> Matches users having the given TLS (SSL) certificate
z:<certfp> Matches users having the given TLS certificate
fingerprint (requires the sslmodes module).
O:<opertype> Matches server operators of a matching type, mostly
useful as an invite exception (requires the

View File

@ -115,7 +115,7 @@
# Configure the port and address bindings here. #
# #
# TLS (SSL) listener that binds on a TCP/IP endpoint:
# TLS listener that binds on a TCP/IP endpoint:
<bind
# address: IP address to bind to if the box that you are hosting
# on has more than one IP, else the ircd will try to bind to all
@ -132,9 +132,9 @@
# to this bind section.
type="clients"
# sslprofile: If you want the port(s) in this bind tag to use TLS (SSL), set this
# sslprofile: If you want the port(s) in this bind tag to use TLS, set this
# to the name of a custom <sslprofile> tag that you have defined. See the
# docs page for the TLS (SSL) module you are using for more details:
# docs page for the TLS module you are using for more details:
#
# GnuTLS: https://docs.inspircd.org/3/modules/ssl_gnutls#sslprofile
# mbedTLS: https://docs.inspircd.org/3/modules/ssl_mbedtls#sslprofile
@ -196,8 +196,8 @@
# module).
#<bind address="" port="7002" type="clients" hook="websocket">
# You must define a custom <sslprofile> tag which defines the TLS (SSL) configuration
# for this listener. See the docs page for the TLS (SSL) module you are using for
# You must define a custom <sslprofile> tag which defines the TLS configuration
# for this listener. See the docs page for the TLS module you are using for
# more details.
#
# When linking servers, the OpenSSL, GnuTLS, and mbedTLS implementations are
@ -220,10 +220,10 @@
# Connect blocks are searched twice for each user - once when the TCP #
# connection is accepted, and once when the user completes their #
# registration. Most of the information (hostname, ident response, #
# password, TLS (SSL) when using STARTTLS, etc) is only available #
# during the second search. If you are trying to make a closed server #
# you will probably need a connect block just for user registration. #
# This can be done by using <connect registered="no"> #
# password, TLS when using STARTTLS, etc) is only available during #
# the second search. If you are trying to make a closed server you #
# will probably need a connect block just for user registration. This #
# can be done by using <connect registered="no"> #
# To enable IRCCloud on your network uncomment this:
#<include file="examples/providers/irccloud.conf.example">
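Review bot: this hunk rewraps the boxed comment (the "password, TLS when using STARTTLS, etc)" line and the three after it change length), so the trailing `#` that forms the right edge of the box needs to be re-aligned on each rewrapped line; please check the column lines up after the rewrap. The wording itself is unchanged apart from SSL being dropped.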
@ -325,10 +325,10 @@
# Requires the ident module to be loaded.
#requireident="yes"
# requiressl: Require that users of this block use a TLS (SSL) connection.
# requiressl: Require that users of this block use a TLS connection.
# This can also be set to "trusted", as to only accept client certificates
# issued by a certificate authority that you can configure in the
# settings of the TLS (SSL) module that you're using.
# settings of the TLS module that you're using.
# Requires the sslinfo module to be loaded.
#requiressl="yes"

View File

@ -6,7 +6,7 @@
# for more information about the available options. #
# #
# TLS (SSL) listener that binds on a TCP/IP endpoint:
# TLS listener that binds on a TCP/IP endpoint:
<bind address="1.2.3.4"
port="7005"
type="servers"
@ -56,9 +56,9 @@
# failover (see above).
timeout="5m"
# sslprofile: If defined, this states the TLS (SSL) profile that will be used
# sslprofile: If defined, this states the TLS profile that will be used
# when making an outbound connection to the server. See the docs page for
# the TLS (SSL) module you are using for more details:
# the TLS module you are using for more details:
#
# GnuTLS: https://docs.inspircd.org/3/modules/ssl_gnutls#sslprofile
# mbedTLS: https://docs.inspircd.org/3/modules/ssl_mbedtls#sslprofile
@ -70,9 +70,9 @@
sslprofile="Servers"
# fingerprint: If defined, this option will force servers to be
# authenticated using TLS (SSL) certificate fingerprints. See
# authenticated using TLS certificate fingerprints. See
# https://docs.inspircd.org/3/modules/spanningtree for more information.
# This will require a TLS (SSL) link for both inbound and outbound connections.
# This will require a TLS link for both inbound and outbound connections.
#fingerprint=""
# bind: Local IP address to bind to.

View File

@ -231,7 +231,7 @@
# For example +w o:*!Attila@127.0.0.1 will op anyone matching that mask
# on join. This can be combined with extbans, for example +w o:R:Brain
# will op anyone identified to the account "Brain".
# Another useful combination is with TLS (SSL) client certificate
# Another useful combination is with TLS client certificate
# fingerprints: +w h:z:72db600734bb9546c1bdd02377bc21d2a9690d48 will
# give halfop to the user(s) having the given certificate.
#<module name="autoop">
@ -345,7 +345,7 @@
#
# When using this method you must specify one or more wildcard masks
# or CIDR ranges to allow gateway connections from and at least one of
# either a TLS (SSL) client certificate fingerprint for the gateway or
# either a TLS client certificate fingerprint for the gateway or
# a password to be sent in the WEBIRC command.
#
# <cgihost type="webirc"
@ -1968,7 +1968,7 @@
# You must define <sasl:target> to the name of your services server so
# that InspIRCd knows where to send SASL authentication messages and
# when it should enable the SASL capability.
# You can also define <sasl:requiressl> to require users to use TLS (SSL)
# You can also define <sasl:requiressl> to require users to use TLS
# in order to be able to use SASL.
#<sasl target="services.mynetwork.com"
# requiressl="yes">
@ -2164,16 +2164,16 @@
# notifyuser="yes">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# SSL mode module: Adds support for TLS (SSL)-only channels via the '+z'
# channel mode, TLS (SSL)-only private messages via the '+z' user mode and
# the 'z:' extban which matches TLS (SSL) client certificate fingerprints.
# TLS mode module: Adds support for TLS-only channels via the '+z'
# channel mode, TLS-only private messages via the '+z' user mode and
# the 'z:' extban which matches TLS client certificate fingerprints.
#
# Does not do anything useful without a working TLS (SSL) module and the
# Does not do anything useful without a working TLS module and the
# sslinfo module (see below).
#<module name="sslmodes">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# SSL rehash signal module: Allows the TLS (SSL) modules to be rehashed by
# TLS rehash signal module: Allows the TLS modules to be rehashed by
# sending SIGUSR1 to a running InspIRCd process.
# This module is in extras. Re-run configure with:
# ./configure --enable-extras sslrehashsignal
@ -2181,7 +2181,7 @@
#<module name="sslrehashsignal">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# GnuTLS SSL module: Adds support for TLS (SSL) connections using GnuTLS,
# GnuTLS TLS module: Adds support for TLS connections using GnuTLS,
# if enabled. You must answer 'yes' in ./configure when asked or
# manually symlink the source for this module from the directory
# src/modules/extra, if you want to enable this, or it will not load.
@ -2193,27 +2193,27 @@
# https://docs.inspircd.org/3/modules/ssl_gnutls #
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# SSL info module: Allows users to retrieve information about other
# users' peer TLS (SSL) certificates and keys via the SSLINFO command.
# TLS info module: Allows users to retrieve information about other
# users' peer TLS certificates and keys via the SSLINFO command.
# This can be used by client scripts to validate users. For this to
# work, one of ssl_gnutls, ssl_mbedtls or ssl_openssl must be loaded.
# This module also adds the "<user> is using a secure connection"
# and "<user> has TLS (SSL) client certificate fingerprint <fingerprint>"
# WHOIS lines, the ability for opers to use TLS (SSL) cert fingerprints to
# verify their identity and the ability to force opers to use TLS (SSL)
# and "<user> has TLS client certificate fingerprint <fingerprint>"
# WHOIS lines, the ability for opers to use TLS cert fingerprints to
# verify their identity and the ability to force opers to use TLS
# connections in order to oper up. It is highly recommended to load
# this module if you use TLS (SSL) on your network.
# this module if you use TLS on your network.
# For how to use the oper features, please see the first
# example <oper> tag in opers.conf.example.
#
#<module name="sslinfo">
#
# If you want to prevent users from viewing TLS (SSL) certificate information
# If you want to prevent users from viewing TLS certificate information
# and fingerprints of other users, set operonly to yes.
#<sslinfo operonly="no">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# mbedTLS TLS (SSL) module: Adds support for TLS (SSL) connections using mbedTLS.
# mbedTLS TLS module: Adds support for TLS connections using mbedTLS.
#<module name="ssl_mbedtls">
#
#-#-#-#-#-#-#-#-#-#-#- MBEDTLS CONFIGURATION -#-#-#-#-#-#-#-#-#-#-#-#
@ -2222,7 +2222,7 @@
# https://docs.inspircd.org/3/modules/ssl_mbedtls #
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# OpenSSL TLS (SSL) module: Adds support for TLS (SSL) connections using OpenSSL,
# OpenSSL TLS module: Adds support for TLS connections using OpenSSL,
# if enabled. You must answer 'yes' in ./configure when asked or symlink
# the source for this module from the directory src/modules/extra, if
# you want to enable this, or it will not load.
@ -2294,8 +2294,8 @@
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# StartTLS module: Implements STARTTLS, which allows clients #
# connected to non TLS (SSL) enabled ports to enable TLS (SSL), if #
# a proper TLS (SSL) module is loaded (either ssl_gnutls, #
# connected to non TLS enabled ports to enable TLS, if #
# a proper TLS module is loaded (either ssl_gnutls, #
# ssl_mbedtls or ssl_openssl). #
#<module name="starttls">
@ -2380,7 +2380,7 @@
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# WebSocket module: Adds HTML5 WebSocket support.
# Specify hook="websocket" in a <bind> tag to make that port accept
# WebSocket connections. Compatible with TLS (SSL).
# WebSocket connections. Compatible with TLS.
# Requires SHA-1 hash support available in the sha1 module.
#<module name="websocket">
#

View File

@ -114,21 +114,21 @@
# ** ADVANCED ** This option is disabled by default.
# fingerprint: When using the sslinfo module, you may specify a space separated
# list of TLS (SSL) client certificate fingerprints here. These can be obtained by using
# list of TLS client certificate fingerprints here. These can be obtained by using
# the /SSLINFO command while the module is loaded, and is also noticed on connect.
# This enhances security by verifying that the person opering up has
# a matching TLS (SSL) client certificate, which is very difficult to
# a matching TLS client certificate, which is very difficult to
# forge (impossible unless preimage attacks on the hash exist).
# If the sslinfo module isn't loaded, this option will be ignored.
#fingerprint="67cb9dc013248a829bb2171ed11becd4"
# autologin: If a TLS (SSL) client certificate fingerprint for this oper is specified,
# autologin: If a TLS client certificate fingerprint for this oper is specified,
# you can have the oper block automatically log in. This moves all security
# of the oper block to the protection of the TLS (SSL) client certificate, so be sure
# of the oper block to the protection of the TLS client certificate, so be sure
# that the private key is well-protected! Requires the sslinfo module.
#autologin="yes"
# sslonly: If enabled, this oper can only oper up if they're using a TLS (SSL) connection.
# sslonly: If enabled, this oper can only oper up if they're using a TLS connection.
# Setting this option adds a decent bit of security. Highly recommended
# if the oper is on wifi, or specifically, unsecured wifi. Note that it
# is redundant to specify this option if you specify a fingerprint.
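Review bot: the rewritten line "list of TLS client certificate fingerprints here. These can be obtained by using" is wider than the surrounding comment lines and should be rewrapped while it is being touched. In the same hunk, "and is also noticed on connect" reads oddly; "and is also sent in a notice on connect" says what is meant. The autologin paragraph correctly keeps the warning that the oper block's security then rests entirely on the client certificate's private key, which is the point operators most need to see.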

View File

@ -433,7 +433,7 @@ class CoreExport Module : public Cullable, public usecountbase
/** Called on rehash.
* This method is called when a user initiates a module-specific rehash. This can be used to do
* expensive operations (such as reloading TLS (SSL) certificates) that are not executed on a normal
* expensive operations (such as reloading TLS certificates) that are not executed on a normal
* rehash for efficiency. A rehash of this type does not reload the core configuration.
*
* @param user The user performing the rehash.

View File

@ -31,7 +31,7 @@
#include <string>
#include "iohook.h"
/** ssl_cert is a class which abstracts TLS (SSL) certificate
/** ssl_cert is a class which abstracts TLS certificate
* and key information.
*
* Because gnutls and openssl represent key information in
@ -152,7 +152,7 @@ class ssl_cert : public refcountbase
}
};
/** I/O hook provider for SSL modules. */
/** I/O hook provider for TLS modules. */
class SSLIOHookProvider : public IOHookProvider
{
public:
@ -165,7 +165,7 @@ public:
class SSLIOHook : public IOHook
{
protected:
/** Peer TLS (SSL) certificate, set by the TLS (SSL) module
/** Peer TLS certificate, set by the TLS module
*/
reference<ssl_cert> certificate;
@ -179,7 +179,7 @@ class SSLIOHook : public IOHook
if ((sendq.size() <= 1) || (sendq.front().length() >= targetsize))
return;
// Avoid multiple repeated TLS (SSL) encryption invocations
// Avoid multiple repeated TLS encryption invocations
// This adds a single copy of the queue, but avoids
// much more overhead in terms of system calls invoked
// by an IOHook.
@ -211,7 +211,7 @@ class SSLIOHook : public IOHook
/**
* Get the certificate sent by this peer
* @return The TLS (SSL) certificate sent by the peer, NULL if no cert was sent
* @return The TLS certificate sent by the peer, NULL if no cert was sent
*/
virtual ssl_cert* GetCertificate() const
{
@ -220,7 +220,7 @@ class SSLIOHook : public IOHook
/**
* Get the fingerprint of the peer's certificate
* @return The fingerprint of the TLS (SSL) client certificate sent by the peer,
* @return The fingerprint of the TLS client certificate sent by the peer,
* empty if no cert was sent
*/
virtual std::string GetFingerprint() const
@ -238,14 +238,14 @@ class SSLIOHook : public IOHook
virtual void GetCiphersuite(std::string& out) const = 0;
/** Retrieves the name of the TLS (SSL) connection which is sent via SNI.
/** Retrieves the name of the TLS connection which is sent via SNI.
* @param out String that the server name will be appended to.
* returns True if the server name was retrieved; otherwise, false.
*/
virtual bool GetServerName(std::string& out) const = 0;
};
/** Helper functions for obtaining TLS (SSL) client certificates and key fingerprints
/** Helper functions for obtaining TLS client certificates and key fingerprints
* from StreamSockets
*/
class SSLClientCert
@ -253,8 +253,8 @@ class SSLClientCert
public:
/**
* Get the client certificate from a socket
* @param sock The socket to get the certificate from, the socket does not have to use TLS (SSL)
* @return The TLS (SSL) client certificate information, NULL if the peer is not using TLS (SSL)
* @param sock The socket to get the certificate from, the socket does not have to use TLS
* @return The TLS client certificate information, NULL if the peer is not using TLS
*/
static ssl_cert* GetCertificate(StreamSocket* sock)
{
@ -268,9 +268,9 @@ class SSLClientCert
/**
* Get the fingerprint of a client certificate from a socket
* @param sock The socket to get the certificate fingerprint from, the
* socket does not have to use TLS (SSL)
* @return The key fingerprint from the TLS (SSL) certificate sent by the peer,
* empty if no cert was sent or the peer is not using TLS (SSL)
* socket does not have to use TLS
* @return The key fingerprint from the TLS certificate sent by the peer,
* empty if no cert was sent or the peer is not using TLS
*/
static std::string GetFingerprint(StreamSocket* sock)
{
@ -289,22 +289,22 @@ class UserCertificateAPIBase : public DataProvider
{
}
/** Get the TLS (SSL) certificate of a user
/** Get the TLS certificate of a user
* @param user The user whose certificate to get, user may be remote
* @return The TLS (SSL) certificate of the user or NULL if the user is not using TLS (SSL)
* @return The TLS certificate of the user or NULL if the user is not using TLS
*/
virtual ssl_cert* GetCertificate(User* user) = 0;
/** Set the TLS (SSL) certificate of a user.
/** Set the TLS certificate of a user.
* @param user The user whose certificate to set.
* @param cert The TLS (SSL) certificate to set for the user.
* @param cert The TLS certificate to set for the user.
*/
virtual void SetCertificate(User* user, ssl_cert* cert) = 0;
/** Get the key fingerprint from a user's certificate
* @param user The user whose key fingerprint to get, user may be remote
* @return The key fingerprint from the user's TLS (SSL) certificate or an empty string
* if the user is not using TLS (SSL) or did not provide a client certificate
* @return The key fingerprint from the user's TLS certificate or an empty string
* if the user is not using TLS or did not provide a client certificate
*/
std::string GetFingerprint(User* user)
{
@ -315,9 +315,9 @@ class UserCertificateAPIBase : public DataProvider
}
};
/** API implemented by m_sslinfo that allows modules to retrieve the TLS (SSL) certificate
/** API implemented by m_sslinfo that allows modules to retrieve the TLS certificate
* information of local and remote users. It can also be used to find out whether a
* user is using TLS (SSL) or not.
* user is using TLS or not.
*/
class UserCertificateAPI : public dynamic_reference<UserCertificateAPIBase>
{

View File

@ -124,7 +124,7 @@ non-interactive configuration is started and any omitted values are defaulted.
stored.
[${\CONFIGURE_ROOT}/run/bin]
<|BOLD --config-dir <DIR>|> The location where the configuration files and
SSL certificates are stored.
TLS certificates are stored.
[${\CONFIGURE_ROOT}/run/conf]
<|BOLD --data-dir <DIR>|> The location where the data files, such as the
xline database, are stored.

View File

@ -122,7 +122,7 @@ void CommandStats::DoStats(Stats::Context& stats)
const std::string sslprofile = ls->bind_tag->getString("sslprofile");
if (!sslprofile.empty())
portentry << ", ssl profile: " << sslprofile;
portentry << ", tls profile: " << sslprofile;
portentry << ')';
stats.AddRow(249, portentry.str());
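Review bot: "tls profile:" here is part of the /STATS p row (numeric 249), so this is a change to server output that clients and scripts can observe, not a comment or log string; it should be listed in the changelog, and the label should agree with the wording used in the helpop text for stats p so that help and output describe the same thing.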

View File

@ -500,7 +500,7 @@ unsigned long InspIRCd::GenRandomInt(unsigned long max)
return rv % max;
}
// This is overridden by a higher-quality algorithm when TLS (SSL) support is loaded
// This is overridden by a higher-quality algorithm when TLS support is loaded
void InspIRCd::DefaultGenRandom(char* output, size_t max)
{
#if defined HAS_ARC4RANDOM_BUF

View File

@ -245,6 +245,6 @@ void ListenSocket::ResetIOHookProvider()
if (!provname.empty())
provname.insert(0, "ssl/");
// TLS (SSL) should be the last
// TLS should be the last
iohookprovs.back().SetProvider(provname);
}

View File

@ -410,7 +410,7 @@ void ModuleManager::DoSafeUnload(Module* mod)
for (user_hash::const_iterator u = users.begin(); u != users.end(); )
{
User* user = u->second;
// The module may quit the user (e.g. TLS (SSL) mod unloading) and that will remove it from the container
// The module may quit the user (e.g. TLS mod unloading) and that will remove it from the container
++u;
mod->OnCleanup(ExtensionItem::EXT_USER, user);
user->UnhookExtensions(items);

View File

@ -790,7 +790,7 @@ info_done_dealloc:
}
CloseSession();
sock->SetError("No TLS (SSL) session");
sock->SetError("No TLS session");
return -1;
}
@ -1122,7 +1122,7 @@ class ModuleSSLGnuTLS : public Module
{
// First, store all profiles in a new, temporary container. If no problems occur, swap the two
// containers; this way if something goes wrong we can go back and continue using the current profiles,
// avoiding unpleasant situations where no new TLS (SSL) connections are possible.
// avoiding unpleasant situations where no new TLS connections are possible.
ProfileList newprofiles;
auto tags = ServerInstance->Config->ConfTags("sslprofile");
@ -1152,7 +1152,7 @@ class ModuleSSLGnuTLS : public Module
}
catch (CoreException& ex)
{
throw ModuleException("Error while initializing TLS (SSL) profile \"" + name + "\" at " + tag->source.str() + " - " + ex.GetReason());
throw ModuleException("Error while initializing TLS profile \"" + name + "\" at " + tag->source.str() + " - " + ex.GetReason());
}
newprofiles.push_back(prov);
@ -1168,7 +1168,7 @@ class ModuleSSLGnuTLS : public Module
public:
ModuleSSLGnuTLS()
: Module(VF_VENDOR, "Allows TLS (SSL) encrypted connections using the GnuTLS library.")
: Module(VF_VENDOR, "Allows TLS encrypted connections using the GnuTLS library.")
{
thismod = this;
}
@ -1188,7 +1188,7 @@ class ModuleSSLGnuTLS : public Module
try
{
ReadProfiles();
ServerInstance->SNO.WriteToSnoMask('a', "GnuTLS TLS (SSL) profiles have been reloaded.");
ServerInstance->SNO.WriteToSnoMask('a', "GnuTLS TLS profiles have been reloaded.");
}
catch (ModuleException& ex)
{
@ -1209,8 +1209,8 @@ class ModuleSSLGnuTLS : public Module
if ((user) && (user->eh.GetModHook(this)))
{
// User is using TLS (SSL), they're a local user, and they're using one of *our* TLS (SSL) ports.
// Potentially there could be multiple TLS (SSL) modules loaded at once on different ports.
// User is using TLS, they're a local user, and they're using one of *our* TLS ports.
// Potentially there could be multiple TLS modules loaded at once on different ports.
ServerInstance->Users.QuitUser(user, "GnuTLS module unloading");
}
}

View File

@ -302,7 +302,6 @@ namespace mbedTLS
void SetVersion(int minver, int maxver)
{
// SSL v3 support cannot be enabled
if (minver)
mbedtls_ssl_conf_min_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, minver);
if (maxver)
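Review bot: this hunk deletes the "SSL v3 support cannot be enabled" comment without replacing it, yet the line below still passes MBEDTLS_SSL_MAJOR_VERSION_3 unconditionally, and that comment was the only explanation of why minver can never select SSL 3.0. Rather than removing it, reword it so the rationale survives, e.g. "// Only TLS versions (major version 3) can be selected; SSL 3.0 is never enabled". Removing a comment is also outside what the commit message describes.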
@ -575,7 +574,7 @@ class mbedTLSIOHook : public SSLIOHook
}
CloseSession();
sock->SetError("No TLS (SSL) session");
sock->SetError("No TLS session");
return -1;
}
@ -855,7 +854,7 @@ class ModuleSSLmbedTLS : public Module
{
// First, store all profiles in a new, temporary container. If no problems occur, swap the two
// containers; this way if something goes wrong we can go back and continue using the current profiles,
// avoiding unpleasant situations where no new TLS (SSL) connections are possible.
// avoiding unpleasant situations where no new TLS connections are possible.
ProfileList newprofiles;
auto tags = ServerInstance->Config->ConfTags("sslprofile");
@ -885,7 +884,7 @@ class ModuleSSLmbedTLS : public Module
}
catch (CoreException& ex)
{
throw ModuleException("Error while initializing TLS (SSL) profile \"" + name + "\" at " + tag->source.str() + " - " + ex.GetReason());
throw ModuleException("Error while initializing TLS profile \"" + name + "\" at " + tag->source.str() + " - " + ex.GetReason());
}
newprofiles.push_back(prov);
@ -901,7 +900,7 @@ class ModuleSSLmbedTLS : public Module
public:
ModuleSSLmbedTLS()
: Module(VF_VENDOR, "Allows TLS (SSL) encrypted connections using the mbedTLS library.")
: Module(VF_VENDOR, "Allows TLS encrypted connections using the mbedTLS library.")
{
}
@ -924,7 +923,7 @@ class ModuleSSLmbedTLS : public Module
try
{
ReadProfiles();
ServerInstance->SNO.WriteToSnoMask('a', "mbedTLS TLS (SSL) profiles have been reloaded.");
ServerInstance->SNO.WriteToSnoMask('a', "mbedTLS TLS profiles have been reloaded.");
}
catch (ModuleException& ex)
{
@ -940,8 +939,8 @@ class ModuleSSLmbedTLS : public Module
LocalUser* user = IS_LOCAL(static_cast<User*>(item));
if ((user) && (user->eh.GetModHook(this)))
{
// User is using TLS (SSL), they're a local user, and they're using our IOHook.
// Potentially there could be multiple TLS (SSL) modules loaded at once on different ports.
// User is using TLS, they're a local user, and they're using our IOHook.
// Potentially there could be multiple TLS modules loaded at once on different ports.
ServerInstance->Users.QuitUser(user, "mbedTLS module unloading");
}
}

View File

@ -209,7 +209,7 @@ namespace OpenSSL
X509_STORE* store = SSL_CTX_get_cert_store(ctx);
if (!store)
{
throw ModuleException("Unable to get X509_STORE from TLS (SSL) context; this should never happen");
throw ModuleException("Unable to get X509_STORE from TLS context; this should never happen");
}
ERR_clear_error();
if (!X509_STORE_load_locations(store,
@ -928,7 +928,7 @@ class ModuleSSLOpenSSL : public Module
}
catch (CoreException& ex)
{
throw ModuleException("Error while initializing TLS (SSL) profile \"" + name + "\" at " + tag->source.str() + " - " + ex.GetReason());
throw ModuleException("Error while initializing TLS profile \"" + name + "\" at " + tag->source.str() + " - " + ex.GetReason());
}
newprofiles.push_back(prov);
@ -942,7 +942,7 @@ class ModuleSSLOpenSSL : public Module
public:
ModuleSSLOpenSSL()
: Module(VF_VENDOR, "Allows TLS (SSL) encrypted connections using the OpenSSL library.")
: Module(VF_VENDOR, "Allows TLS encrypted connections using the OpenSSL library.")
{
// Initialize OpenSSL
OPENSSL_init_ssl(0, NULL);
@ -975,7 +975,7 @@ class ModuleSSLOpenSSL : public Module
try
{
ReadProfiles();
ServerInstance->SNO.WriteToSnoMask('a', "OpenSSL TLS (SSL) profiles have been reloaded.");
ServerInstance->SNO.WriteToSnoMask('a', "OpenSSL TLS profiles have been reloaded.");
}
catch (ModuleException& ex)
{
@ -991,8 +991,8 @@ class ModuleSSLOpenSSL : public Module
if ((user) && (user->eh.GetModHook(this)))
{
// User is using TLS (SSL), they're a local user, and they're using one of *our* TLS (SSL) ports.
// Potentially there could be multiple TLS (SSL) modules loaded at once on different ports.
// User is using TLS, they're a local user, and they're using one of *our* TLS ports.
// Potentially there could be multiple TLS modules loaded at once on different ports.
ServerInstance->Users.QuitUser(user, "OpenSSL module unloading");
}
}

View File

@ -32,7 +32,7 @@ class ModuleSSLRehashSignal : public Module
public:
ModuleSSLRehashSignal()
: Module(VF_VENDOR, "Allows the SIGUSR1 signal to be sent to the server to reload TLS (SSL) certificates.")
: Module(VF_VENDOR, "Allows the SIGUSR1 signal to be sent to the server to reload TLS certificates.")
{
}
@ -51,7 +51,7 @@ class ModuleSSLRehashSignal : public Module
if (!signaled)
return;
const std::string feedbackmsg = "Got SIGUSR1, reloading TLS (SSL) credentials";
const std::string feedbackmsg = "Got SIGUSR1, reloading TLS credentials";
ServerInstance->SNO.WriteGlobalSno('a', feedbackmsg);
ServerInstance->Logs.Log(MODNAME, LOG_DEFAULT, feedbackmsg);

View File

@ -25,7 +25,7 @@
enum
{
// The SSL TLV flag for a client being connected over SSL.
// The TLV flag for a client being connected over TLS.
PP2_CLIENT_SSL = 0x01,
// The family for TCP over IPv4.
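Review bot: the PROXY protocol v2 specification names this flag PP2_CLIENT_SSL and the containing TLV PP2_TYPE_SSL, so after the rename the comment and the identifier it documents no longer share a word. Keep a pointer to the spec's name in the comment, e.g. "// The TLV flag (PP2_CLIENT_SSL in the PROXY v2 spec) for a client connected over TLS", so the link to HAProxy's documentation stays obvious to the next reader.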
@ -55,7 +55,7 @@ enum
// The minimum length of a Type-Length-Value entry.
PP2_TLV_LENGTH = 3,
// The identifier for a SSL TLV entry.
// The identifier for a TLS TLV entry.
PP2_TYPE_SSL = 0x20,
// The minimum length of a PP2_TYPE_SSL TLV entry.
@ -145,7 +145,7 @@ class HAProxyHook : public IOHookMiddle
// The endpoint the client is connected to.
irc::sockets::sockaddrs server;
// The API for interacting with user SSL internals.
// The API for interacting with user TLS internals.
UserCertificateAPI& sslapi;
// The current state of the PROXY parser.
@ -183,10 +183,10 @@ class HAProxyHook : public IOHookMiddle
bool ReadProxyTLVSSL(StreamSocket* sock, size_t start_index, uint16_t buffer_length)
{
// A SSL TLV must at least consist of client info (uint8_t) and verification info (uint32_t).
// A TLS TLV must at least consist of client info (uint8_t) and verification info (uint32_t).
if (buffer_length < PP2_TYPE_SSL_LENGTH)
{
sock->SetError("Truncated HAProxy PROXY SSL TLV");
sock->SetError("Truncated HAProxy PROXY TLS TLV");
return false;
}
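Review bot: the error text becomes "Truncated HAProxy PROXY TLS TLV", but HAProxy's own documentation calls this field the SSL TLV, and the constant checked on the line above is still PP2_TYPE_SSL_LENGTH. An operator correlating this error with the HAProxy side will be searching for the spec's term; consider keeping "SSL TLV" in this message, since it names a wire-format field rather than the encryption, or mention both terms.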
@ -200,16 +200,16 @@ class HAProxyHook : public IOHookMiddle
if (!sslapi)
return true;
// If the client is not connecting via TLS (SSL) the rest of this TLV is irrelevant.
// If the client is not connecting via TLS the rest of this TLV is irrelevant.
std::string& recvq = GetRecvQ();
if ((recvq[start_index] & PP2_CLIENT_SSL) == 0)
return true;
// Create a fake ssl_cert for the user. Ideally we should use the user's
// TLS (SSL) client certificate here but as of 2018-10-16 this is not forwarded
// TLS client certificate here but as of 2018-10-16 this is not forwarded
// by HAProxy.
ssl_cert* cert = new ssl_cert;
cert->error = "HAProxy does not forward client TLS (SSL) certificates";
cert->error = "HAProxy does not forward client TLS certificates";
cert->invalid = true;
cert->revoked = true;
cert->trusted = false;

View File

@ -129,7 +129,7 @@ class ModuleIRCv3STS : public Module
private:
STSCap cap;
// The IRCv3 STS specification requires that the server is listening using TLS (SSL) using a valid certificate.
// The IRCv3 STS specification requires that the server is listening using TLS using a valid certificate.
bool HasValidSSLPort(unsigned int port)
{
for (const auto& ls : ServerInstance->ports)
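Review bot: the rewritten comment reads "listening using TLS using a valid certificate"; the repeated "using" makes it awkward. "listening with TLS and a valid certificate" says the same thing. The function name HasValidSSLPort is left alone, which is consistent with the commit's messages-only scope.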
@ -139,7 +139,7 @@ class ModuleIRCv3STS : public Module
if (saport != port)
continue;
// Is this listener using TLS (SSL)?
// Is this listener using TLS?
if (ls->bind_tag->getString("sslprofile").empty())
continue;
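Review bot: the check under the rewritten "Is this listener using TLS?" comment only confirms that `<bind:sslprofile>` is non-empty; nothing here verifies that the profile's certificate is valid, which is what the comment at the top of `HasValidSSLPort` (and the STS specification it cites) requires. Either reword the function comment to say that a TLS profile being configured is what is actually checked, or add a follow-up that inspects the profile's certificate.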

@ -81,9 +81,9 @@ bool TreeSocket::ComparePass(const Link& link, const std::string &theirs)
/* Require fingerprint to exist and match */
if (link.Fingerprint != fp)
{
ServerInstance->SNO.WriteToSnoMask('l',"Invalid SSL certificate fingerprint on link %s: need \"%s\" got \"%s\"",
ServerInstance->SNO.WriteToSnoMask('l',"Invalid TLS certificate fingerprint on link %s: need \"%s\" got \"%s\"",
link.Name.c_str(), link.Fingerprint.c_str(), fp.c_str());
SendError("Invalid SSL certificate fingerprint " + fp + " - expected " + link.Fingerprint);
SendError("Invalid TLS certificate fingerprint " + fp + " - expected " + link.Fingerprint);
return false;
}
}
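Review bot: the rewritten `SendError(...)` line echoes the locally configured `link.Fingerprint` back to the peer that just failed verification, while the snomask line above already gives the operator both values. The expected fingerprint is not needed by the remote side to diagnose the failure (it can only fix its own certificate), so consider sending only the received fingerprint, e.g. `SendError("Invalid TLS certificate fingerprint " + fp);`, and keeping the "need/got" comparison in the operator-only notice.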
@ -103,11 +103,11 @@ bool TreeSocket::ComparePass(const Link& link, const std::string &theirs)
return false;
}
// Tell opers to set up fingerprint verification if it's not already set up and the SSL mod gave us a fingerprint
// Tell opers to set up fingerprint verification if it's not already set up and the TLS mod gave us a fingerprint
// this time
if ((!capab->auth_fingerprint) && (!fp.empty()))
{
ServerInstance->SNO.WriteToSnoMask('l', "SSL certificate fingerprint for link %s is \"%s\". "
ServerInstance->SNO.WriteToSnoMask('l', "TLS certificate fingerprint for link %s is \"%s\". "
"You can improve security by specifying this in <link:fingerprint>.", link.Name.c_str(), fp.c_str());
}
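Review bot: the rewritten comment says "the TLS mod gave us a fingerprint"; spell out "module" to match the wording used in the other comments touched by this change ("TLS module unloaded", "TLS module" in the configure text).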

@ -721,7 +721,7 @@ restart:
TreeSocket* sock = child->GetSocket();
if (sock->GetModHook(mod))
{
sock->SendError("SSL module unloaded");
sock->SendError("TLS module unloaded");
sock->Close();
// XXX: The list we're iterating is modified by TreeServer::SQuit() which is called by Close()
goto restart;

@ -106,7 +106,7 @@ class ModuleSpanningTree
/** Event provider for our sync events. */
Events::ModuleEventProvider synceventprov;
/** API for accessing user SSL certificates. */
/** API for accessing user client certificates. */
UserCertificateAPI sslapi;
/** Tags for server to server messages. */

@ -100,7 +100,7 @@ void TreeSocket::DoBurst(TreeServer* s)
{
ServerInstance->SNO.WriteToSnoMask('l',"Bursting to \002%s\002 (Authentication: %s%s).",
s->GetName().c_str(),
capab->auth_fingerprint ? "SSL certificate fingerprint and " : "",
capab->auth_fingerprint ? "TLS certificate fingerprint and " : "",
capab->auth_challenge ? "challenge-response" : "plaintext password");
this->CleanNegotiationInfo();
this->WriteLine(CmdBuilder("BURST").push_int(ServerInstance->Time()));

@ -86,7 +86,7 @@ struct CapabData
std::string ourchallenge; /* Challenge sent for challenge/response */
std::string theirchallenge; /* Challenge recv for challenge/response */
int capab_phase; /* Have sent CAPAB already */
bool auth_fingerprint; /* Did we auth using SSL certificate fingerprint */
bool auth_fingerprint; /* Did we auth using a client certificate fingerprint */
bool auth_challenge; /* Did we auth using challenge/response */
irc::sockets::sockaddrs remotesa; /* The remote socket address. */

@ -140,7 +140,7 @@ class UserCertificateAPIImpl : public UserCertificateAPIBase
void SetCertificate(User* user, ssl_cert* cert) override
{
ServerInstance->Logs.Log(MODNAME, LOG_DEBUG, "Setting TLS (SSL) client certificate for %s: %s",
ServerInstance->Logs.Log(MODNAME, LOG_DEBUG, "Setting TLS client certificate for %s: %s",
user->GetFullHost().c_str(), cert->GetMetaLine().c_str());
sslext.Set(user, cert);
}
@ -156,16 +156,16 @@ class CommandSSLInfo : public SplitCommand
ssl_cert* cert = sslapi.GetCertificate(target);
if (!cert)
{
source->WriteNotice(InspIRCd::Format("*** %s is not connected using TLS (SSL).", target->nick.c_str()));
source->WriteNotice(InspIRCd::Format("*** %s is not connected using TLS.", target->nick.c_str()));
}
else if (cert->GetError().length())
{
source->WriteNotice(InspIRCd::Format("*** %s is connected using TLS (SSL) but has not specified a valid client certificate (%s).",
source->WriteNotice(InspIRCd::Format("*** %s is connected using TLS but has not specified a valid client certificate (%s).",
target->nick.c_str(), cert->GetError().c_str()));
}
else if (!verbose)
{
source->WriteNotice(InspIRCd::Format("*** %s is connected using TLS (SSL) with a valid client certificate (%s).",
source->WriteNotice(InspIRCd::Format("*** %s is connected using TLS with a valid client certificate (%s).",
target->nick.c_str(), cert->GetFingerprint().c_str()));
}
else
@ -187,7 +187,7 @@ class CommandSSLInfo : public SplitCommand
if (operonlyfp && !source->IsOper() && source != target)
{
source->WriteNumeric(ERR_NOPRIVILEGES, "You must be a server operator to view TLS (SSL) client certificate information for other users.");
source->WriteNumeric(ERR_NOPRIVILEGES, "You must be a server operator to view TLS client certificate information for other users.");
return CmdResult::FAILURE;
}
@ -206,7 +206,7 @@ class CommandSSLInfo : public SplitCommand
if (operonlyfp && !source->IsOper())
{
source->WriteNumeric(ERR_NOPRIVILEGES, "You must be a server operator to view TLS (SSL) client certificate information for channels.");
source->WriteNumeric(ERR_NOPRIVILEGES, "You must be a server operator to view TLS client certificate information for channels.");
return CmdResult::FAILURE;
}
@ -267,7 +267,7 @@ class ModuleSSLInfo
public:
ModuleSSLInfo()
: Module(VF_VENDOR, "Adds user facing TLS (SSL) information, various TLS (SSL) configuration options, and the /SSLINFO command to look up TLS (SSL) certificate information for other users.")
: Module(VF_VENDOR, "Adds user facing TLS information, various TLS configuration options, and the /SSLINFO command to look up TLS certificate information for other users.")
, WebIRC::EventListener(this)
, Whois::EventListener(this)
, Who::EventListener(this)
@ -288,7 +288,7 @@ class ModuleSSLInfo
{
whois.SendLine(RPL_WHOISSECURE, "is using a secure connection");
if ((!cmd.operonlyfp || whois.IsSelfWhois() || whois.GetSource()->IsOper()) && !cert->fingerprint.empty())
whois.SendLine(RPL_WHOISCERTFP, InspIRCd::Format("has TLS (SSL) client certificate fingerprint %s", cert->fingerprint.c_str()));
whois.SendLine(RPL_WHOISCERTFP, InspIRCd::Format("has TLS client certificate fingerprint %s", cert->fingerprint.c_str()));
}
}
@ -328,7 +328,7 @@ class ModuleSSLInfo
{
user->WriteNumeric(ERR_NOOPERHOST, "Invalid oper credentials");
user->CommandFloodPenalty += 10000;
ServerInstance->SNO.WriteGlobalSno('o', "WARNING! Failed oper attempt by %s using login '%s': their TLS (SSL) client certificate fingerprint does not match.", user->GetFullRealHost().c_str(), parameters[0].c_str());
ServerInstance->SNO.WriteGlobalSno('o', "WARNING! Failed oper attempt by %s using login '%s': their TLS client certificate fingerprint does not match.", user->GetFullRealHost().c_str(), parameters[0].c_str());
return MOD_RES_DENY;
}
}
@ -353,11 +353,11 @@ class ModuleSSLInfo
std::string text = "*** You are connected to ";
if (!ssliohook->GetServerName(text))
text.append(ServerInstance->Config->GetServerName());
text.append(" using TLS (SSL) cipher '");
text.append(" using TLS cipher '");
ssliohook->GetCiphersuite(text);
text.push_back('\'');
if (cert && !cert->GetFingerprint().empty())
text.append(" and your TLS (SSL) client certificate fingerprint is ").append(cert->GetFingerprint());
text.append(" and your TLS client certificate fingerprint is ").append(cert->GetFingerprint());
user->WriteNotice(text);
if (!cert)
@ -380,12 +380,12 @@ class ModuleSSLInfo
if (stdalgo::string::equalsci(requiressl, "trusted"))
{
if (!cert || !cert->IsCAVerified())
error = "a trusted TLS (SSL) client certificate";
error = "a trusted TLS client certificate";
}
else if (myclass->config->getBool("requiressl"))
{
if (!cert)
error = "a TLS (SSL) connection";
error = "a TLS connection";
}
if (error)

@ -82,7 +82,7 @@ class SSLMode : public ModeHandler
{
if (!API)
{
source->WriteNumeric(ERR_ALLMUSTSSL, channel->name, "Unable to determine whether all members of the channel are connected via TLS (SSL)");
source->WriteNumeric(ERR_ALLMUSTSSL, channel->name, "Unable to determine whether all members of the channel are connected via TLS");
return MODEACTION_DENY;
}
@ -96,7 +96,7 @@ class SSLMode : public ModeHandler
if (nonssl)
{
source->WriteNumeric(ERR_ALLMUSTSSL, channel->name, InspIRCd::Format("All members of the channel must be connected via TLS (SSL) (%zu/%zu are non-TLS (SSL))",
source->WriteNumeric(ERR_ALLMUSTSSL, channel->name, InspIRCd::Format("All members of the channel must be connected via TLS (%zu/%zu are non-TLS)",
nonssl, channel->GetUsers().size()));
return MODEACTION_DENY;
}
@ -174,7 +174,7 @@ class ModuleSSLModes
public:
ModuleSSLModes()
: Module(VF_VENDOR, "Adds channel mode z (sslonly) which prevents users who are not connecting using TLS (SSL) from joining the channel and user mode z (sslqueries) to prevent messages from non-TLS (SSL) users.")
: Module(VF_VENDOR, "Adds channel mode z (sslonly) which prevents users who are not connecting using TLS from joining the channel and user mode z (sslqueries) to prevent messages from non-TLS users.")
, CTCTags::EventListener(this)
, api(this)
, sslm(this, api)
@ -189,13 +189,13 @@ class ModuleSSLModes
{
if (!api)
{
user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; unable to determine if you are a TLS (SSL) user (+z is set)");
user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; unable to determine if you are a TLS user (+z is set)");
return MOD_RES_DENY;
}
if (!api->GetCertificate(user))
{
user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; TLS (SSL) users only (+z is set)");
user->WriteNumeric(ERR_SECUREONLYCHAN, cname, "Cannot join channel; TLS users only (+z is set)");
return MOD_RES_DENY;
}
}
@ -219,7 +219,7 @@ class ModuleSSLModes
{
if (!api || !api->GetCertificate(user))
{
/* The sending user is not on an SSL connection */
/* The sending user is not on an TLS connection */
user->WriteNumeric(Numerics::CannotSendTo(target, "messages", &sslquery));
return MOD_RES_DENY;
}
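Review bot: the rewritten comment reads "not on an TLS connection"; since TLS is pronounced with a consonant sound the article should be "a", i.e. `/* The sending user is not on a TLS connection */`.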

@ -66,7 +66,7 @@ class CommandStartTLS : public SplitCommand
user->WriteNumeric(RPL_STARTTLS, "STARTTLS successful, go ahead with TLS handshake");
/* We need to flush the write buffer prior to adding the IOHook,
* otherwise we'll be sending this line inside the TLS (SSL) session - which
* otherwise we'll be sending this line inside the TLS session - which
* won't start its handshake until the client gets this line. Currently,
* we assume the write will not block here; this is usually safe, as
* STARTTLS is sent very early on in the registration phase, where the

@ -106,11 +106,11 @@ It appears that the server endpoint is using plaintext! Make sure that:
* The value of <bind:ssl> is the same as an <sslprofile:name> field.
* The value of <sslprofile:provider> for your used SSL profile is set to
* The value of <sslprofile:provider> for your used TLS profile is set to
"gnutls" if using the ssl_gnutle module, "openssl" if using the ssl_openssl
module, or "mbedtls" if using the ssl_mbedtls module.
* If you have your SSL configuration in a file other than inspircd.conf then
* If you have your TLS configuration in a file other than inspircd.conf then
that file is included by inspircd.conf.
See the following links for more information:
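Review bot: the unchanged context line directly under the rewritten `<sslprofile:provider>` bullet still reads "ssl_gnutle module", which should be "ssl_gnutls module"; this is user-facing troubleshooting text, so it is worth fixing while the bullet is being touched. The rewritten bullet itself, "for your used TLS profile", would read more naturally as "for the TLS profile you are using".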
@ -124,7 +124,7 @@ EOM
$sock->close();
say "${\CC_GREEN}no${\CC_RESET}";
print "Checking whether ${\CC_BOLD}$hostip/$port${\CC_RESET} can have an SSL session negotiated ... ";
print "Checking whether ${\CC_BOLD}$hostip/$port${\CC_RESET} can have an TLS session negotiated ... ";
$sock = IO::Socket::SSL->new(
PeerAddr => $hostip,
PeerPort => $port,
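Review bot: the rewritten progress message says "can have an TLS session negotiated"; the article should be "a TLS session" (the original "an SSL session" was correct for SSL, but TLS takes "a").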
@ -141,7 +141,7 @@ It appears that something is wrong with your server. Make sure that:
- You are not using an old version of GnuTLS, mbedTLS, or OpenSSL which only
supports deprecated algorithms like SSLv3.
The error provided by the SSL library was:
The error provided by the TLS library was:
$IO::Socket::SSL::SSL_ERROR
EOM
@ -152,7 +152,7 @@ EOM
say <<"EOM";
${\CC_GREEN}yes${\CC_RESET}
It seems like SSL is working fine on your server. If you are having trouble
It seems like TLS is working fine on your server. If you are having trouble
connecting try using a different client or connecting from a different host.
You may also find running some of the following commands to be helpful: