Move ssl_mbedtls to inspircd-contrib.

Closes #2088.
Sadie Powell 2024-04-01 14:44:34 +01:00
parent c8b1c1dec6
commit e24ea1723c
13 changed files with 23 additions and 1105 deletions


@ -30,7 +30,6 @@ jobs:
libpsl-dev \
make \
mariadb-dev \
mbedtls-dev \
openldap-dev \
openssl-dev \
pcre2-dev \
@ -42,7 +41,7 @@ jobs:
- name: Run configure
run: |
./configure --enable-extras "argon2 geo_maxmind ldap log_json log_syslog mysql pgsql regex_pcre regex_posix regex_re2 sqlite3 ssl_gnutls ssl_mbedtls ssl_openssl sslrehashsignal"
./configure --enable-extras "argon2 geo_maxmind ldap log_json log_syslog mysql pgsql regex_pcre regex_posix regex_re2 sqlite3 ssl_gnutls ssl_openssl sslrehashsignal"
./configure --development --disable-auto-extras --disable-ownership --socketengine ${{ matrix.socketengine }}
- name: Build core


@ -26,7 +26,6 @@ jobs:
libgnutls28-dev \
libldap2-dev \
libmaxminddb-dev \
libmbedtls-dev \
libmysqlclient-dev \
libpcre2-dev \
libpq-dev \
@ -40,7 +39,7 @@ jobs:
- name: Run configure
run: |
./configure --enable-extras "argon2 geo_maxmind ldap log_json log_syslog mysql pgsql regex_pcre regex_posix regex_re2 sqlite3 ssl_gnutls ssl_mbedtls ssl_openssl sslrehashsignal"
./configure --enable-extras "argon2 geo_maxmind ldap log_json log_syslog mysql pgsql regex_pcre regex_posix regex_re2 sqlite3 ssl_gnutls ssl_openssl sslrehashsignal"
./configure --development --disable-auto-extras --socketengine ${{ matrix.socketengine }}
- name: Build core


@ -25,7 +25,7 @@ jobs:
- name: Install dependencies
run: |
brew update || true
for PACKAGE in pkg-config argon2 gnutls libmaxminddb libpq libpsl mbedtls mysql-client openssl openldap pcre2 re2 rapidjson sqlite
for PACKAGE in pkg-config argon2 gnutls libmaxminddb libpq libpsl mysql-client openssl openldap pcre2 re2 rapidjson sqlite
do
brew install $PACKAGE || brew upgrade $PACKAGE
@ -44,7 +44,7 @@ jobs:
- name: Run configure
run: |
./configure --enable-extras "argon2 geo_maxmind ldap log_json log_syslog mysql pgsql regex_pcre regex_posix regex_re2 sqlite3 ssl_gnutls ssl_mbedtls ssl_openssl sslrehashsignal"
./configure --enable-extras "argon2 geo_maxmind ldap log_json log_syslog mysql pgsql regex_pcre regex_posix regex_re2 sqlite3 ssl_gnutls ssl_openssl sslrehashsignal"
./configure --development --disable-auto-extras --socketengine ${{ matrix.socketengine }}
- name: Build core

1
.gitignore vendored

@ -29,7 +29,6 @@
/src/modules/m_regex_re2.cpp
/src/modules/m_sqlite3.cpp
/src/modules/m_ssl_gnutls.cpp
/src/modules/m_ssl_mbedtls.cpp
/src/modules/m_ssl_openssl.cpp
/src/modules/m_sslrehashsignal.cpp

2
configure vendored

@ -400,7 +400,6 @@ if (prompt_bool $interactive, $question, 0) {
'm_regex_re2.cpp' => 'pkg-config --exists re2',
'm_sqlite3.cpp' => 'pkg-config --exists sqlite3',
'm_ssl_gnutls.cpp' => 'pkg-config --exists "gnutls >= 3.3.5"',
'm_ssl_mbedtls.cpp' => "echo '#include <mbedtls/version.h>' | $config{CXX} -E -",
'm_ssl_openssl.cpp' => 'pkg-config --exists "openssl >= 1.1.1"',
'm_sslrehashsignal.cpp' => undef,
);
@ -419,7 +418,6 @@ security and privacy of your IRC server and is required for linking servers.
Please read the following documentation pages on how to enable TLS support:
GnuTLS (recommended): https://docs.inspircd.org/$version{MAJOR}/modules/ssl_gnutls
mbedTLS: https://docs.inspircd.org/$version{MAJOR}/modules/ssl_mbedtls
OpenSSL: https://docs.inspircd.org/$version{MAJOR}/modules/ssl_openssl
EOM
}


@ -139,11 +139,10 @@
# docs page for the TLS module you are using for more details:
#
# GnuTLS: https://docs.inspircd.org/4/modules/ssl_gnutls#sslprofile
# mbedTLS: https://docs.inspircd.org/4/modules/ssl_mbedtls#sslprofile
# OpenSSL: https://docs.inspircd.org/4/modules/ssl_openssl#sslprofile
#
# You will need to load the ssl_openssl module for OpenSSL, ssl_gnutls
# for GnuTLS and ssl_mbedtls for mbedTLS.
# You will need to load the ssl_openssl module for OpenSSL and ssl_gnutls
# for GnuTLS.
sslprofile="Clients"
# defer: When this is non-zero, connections will not be handed over to
@ -202,9 +201,9 @@
# for this listener. See the docs page for the TLS module you are using for
# more details.
#
# When linking servers, the OpenSSL, GnuTLS, and mbedTLS implementations are
# completely link-compatible and can be used alongside each other on each end
# of the link without any significant issues.
# When linking servers, the OpenSSL and GnuTLS implementations are completely
# link-compatible and can be used alongside each other on each end of the link
# without any significant issues.
#-#-#-#-#-#-#-#-#-#- CONNECTIONS CONFIGURATION -#-#-#-#-#-#-#-#-#-#-#


@ -61,12 +61,11 @@
# the TLS module you are using for more details:
#
# GnuTLS: https://docs.inspircd.org/4/modules/ssl_gnutls#sslprofile
# mbedTLS: https://docs.inspircd.org/4/modules/ssl_mbedtls#sslprofile
# OpenSSL: https://docs.inspircd.org/4/modules/ssl_openssl#sslprofile
#
# You will need to load the ssl_openssl module for OpenSSL, ssl_gnutls
# for GnuTLS and ssl_mbedtls for mbedTLS. The server port that you
# connect to must be capable of accepting this type of connection.
# You will need to load the ssl_openssl module for OpenSSL and ssl_gnutls
# for GnuTLS. The server port that you connect to must be capable of
# accepting this type of connection.
sslprofile="Servers"
# fingerprint: If defined, this option will force servers to be


@ -2439,7 +2439,7 @@
# TLS info module: Allows users to retrieve information about other
# users' peer TLS certificates and keys via the SSLINFO command.
# This can be used by client scripts to validate users. For this to
# work, one of ssl_gnutls, ssl_mbedtls or ssl_openssl must be loaded.
# work either ssl_gnutls or ssl_openssl must be loaded.
# This module also adds the "<user> is using a secure connection"
# and "<user> has TLS client certificate fingerprint <fingerprint>"
# WHOIS lines, the ability for opers to use TLS cert fingerprints to
@ -2484,15 +2484,6 @@
# warnexpiring="1w"
# welcomemsg="no">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# mbedTLS TLS module: Adds support for TLS connections using mbedTLS.
#<module name="ssl_mbedtls">
#
#-#-#-#-#-#-#-#-#-#-#- MBEDTLS CONFIGURATION -#-#-#-#-#-#-#-#-#-#-#-#
# #
# ssl_mbedtls is too complex to describe here, see the docs: #
# https://docs.inspircd.org/4/modules/ssl_mbedtls #
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# OpenSSL TLS module: Adds support for TLS connections using OpenSSL,
# if enabled. You must answer 'yes' in ./configure when asked or symlink
@ -2571,10 +2562,10 @@
#<sqloper dbid="1">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# StartTLS module: Implements STARTTLS, which allows clients #
# connected to non TLS enabled ports to enable TLS, if #
# a proper TLS module is loaded (either ssl_gnutls, #
# ssl_mbedtls or ssl_openssl). #
# StartTLS module: Adds support for the IRCv3 tls capability which #
# allows clients to upgrade their connection to use TLS. As well as #
# this module you should also load one of ssl_gnutls or ssl_openssl #
# modules. You may also want to consider using the ircv3_sts module. #
#<module name="starttls">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
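Review bot: The rewritten StartTLS comment in the last hunk recommends ircv3_sts without saying why, and it reads as if loading starttls gives the same protection as a TLS listener. The upgrade it describes is requested over the connection while it is still plaintext, so a party able to alter traffic in transit can suppress it and the session stays unencrypted; that is presumably the reason ircv3_sts is mentioned. I would add one line inside the box, e.g. `# The upgrade is negotiated in plaintext and can be stripped in transit; prefer TLS-only ports. #`, and re-align the right-hand `#` border to match.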


@ -45,7 +45,7 @@
# Required by the mysql module:
#include <abstractions/mysql>
# Required by the ssl_gnutls, ssl_mbedtls, and ssl_openssl modules:
# Required by the ssl_gnutls and ssl_openssl modules:
#include <abstractions/ssl_certs>
#include <abstractions/ssl_keys>
}

File diff suppressed because it is too large Load Diff


@ -112,13 +112,12 @@ It appears that the server endpoint is using plaintext! Make sure that:
* You have one or more of the following modules loaded:
- ssl_gnutls
- ssl_openssl
- ssl_mbedtls
* The value of <bind:sslprofile> is the same as an <sslprofile:name> field.
* The value of <sslprofile:provider> for your used TLS profile is set to
"gnutls" if using the ssl_gnutls module, "openssl" if using the ssl_openssl
module, or "mbedtls" if using the ssl_mbedtls module.
"gnutls" if using the ssl_gnutls module or "openssl" if using the
ssl_openssl module.
* If you have your TLS configuration in a file other than inspircd.conf then
that file is included by inspircd.conf.
@ -126,7 +125,6 @@ It appears that the server endpoint is using plaintext! Make sure that:
See the following links for more information:
https://docs.inspircd.org/4/modules/ssl_gnutls/#configuration
https://docs.inspircd.org/4/modules/ssl_mbedtls/#configuration
https://docs.inspircd.org/4/modules/ssl_openssl/#configuration
EOM
exit 1;
@ -148,8 +146,8 @@ ${\CC_RED}no${\CC_RESET}
It appears that something is wrong with your server. Make sure that:
* You are not using an old version of GnuTLS, mbedTLS, or OpenSSL which only
supports deprecated algorithms like SSLv3.
* You are not using an old version of GnuTLS or OpenSSL which only supports
deprecated algorithms like SSLv3.
* If you are using a self-signed certificate (not recommended) that you passed
the `selfsigned` argument to this script.
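Review bot: The plaintext-endpoint checklist in the first hunk now names only "gnutls" and "openssl" as values for <sslprofile:provider>, yet the commit title says ssl_mbedtls moves to inspircd-contrib rather than being dropped. An operator who upgrades with provider "mbedtls" still configured would get this message with no hint that the module now has to be installed separately. One extra bullet would cover that case, e.g. `* If your TLS module comes from inspircd-contrib (such as ssl_mbedtls) that it is installed and loaded.` The heredocs these hunks edit begin and end outside the lines shown.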


@ -1,6 +1,6 @@
# Last updated: 2024-03-01
#
# Modules we can't legally ship: geo_maxmind, ssl_mbedtls, ssl_openssl
# Modules we can't legally ship: geo_maxmind, ssl_openssl
# Modules which don't apply to Windows: sslrehashsignal
# Modules without packages: ssl_gnutls
@ -10,7 +10,6 @@ argon2/20190702
libmysqlclient/8.1.0
libpq/15.4
libpsl/0.21.1
## mbedtls/3.2.1 # unable to upgrade until mbedTLS issue #7087 is fixed
## openssl/3.2.1
pcre2/10.43
rapidjson/cci.20230929


@ -49,7 +49,6 @@ if(EXISTS "${CMAKE_BINARY_DIR}/conanbuildinfo.cmake")
enable_extra("regex_pcre" "PCRE2")
enable_extra("regex_posix" "PCRE2")
enable_extra("regex_re2" "RE2")
enable_extra("ssl_mbedtls" "MBEDTLS")
enable_extra("ssl_openssl" "OPENSSL")
enable_extra("sqlite3" "SQLITE3")