From 31df56b28fdc4bc25bc42c1e41f0c33502607963 Mon Sep 17 00:00:00 2001 From: Andreas Kotes Date: Thu, 10 Apr 2014 10:39:29 +0200 Subject: rudimentary debian wheezy build fix --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index d106fd5..3ba3fcd 100755 --- a/debian/control +++ b/debian/control @@ -2,7 +2,7 @@ Source: vchat-client Section: unknown Priority: optional Maintainer: Andreas Kotes -Build-Depends: debhelper (>> 3.0.0), libreadline4-dev, libncurses-dev, libssl-dev, docbook-to-man +Build-Depends: debhelper (>> 3.0.0), libreadline-dev, libncurses-dev, libssl-dev, docbook-to-man Standards-Version: 3.5.2 Package: vchat-client -- cgit v1.2.3 From 35feadf586c9492005f71ce2f03d917f7a57a4eb Mon Sep 17 00:00:00 2001 From: Andreas Kotes Date: Thu, 10 Apr 2014 10:39:49 +0200 Subject: use SHA1 instead of MD5 for cert digest --- vchat-keygen | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vchat-keygen b/vchat-keygen index fa92c60..a11a6ae 100755 --- a/vchat-keygen +++ b/vchat-keygen @@ -57,7 +57,7 @@ EOT fi echo "vchat-keygen: generating Certificate Signing Request $KEYBASE.csr" echo "vchat-keygen: please enter your nickname at the 'Name []:' prompt" - openssl req -new -config $KEYBASE.ca.keyconf -key $KEYBASE.key -out $KEYBASE.csr + openssl req -new -sha1 -config $KEYBASE.ca.keyconf -key $KEYBASE.key -out $KEYBASE.csr echo "vchat-keygen: send this ($KEYBASE.csr) Certificate Signing Request to vchat@vchat.berlin.ccc.de to get it signed by the vchat-CA. You will receive your signed Certificate shortly." -- cgit v1.2.3 From 4e3e90f5811d68a002a80d7fe1dcfc3852498e16 Mon Sep 17 00:00:00 2001 From: Andreas Kotes Date: Thu, 10 Apr 2014 10:45:04 +0200 Subject: request 4096 instead of 2048 bit --- vchat-keygen | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vchat-keygen b/vchat-keygen index a11a6ae..91fcbba 100755 --- a/vchat-keygen +++ b/vchat-keygen 
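Review bot: The new `-sha1` on the `openssl req` line swaps one deprecated digest for another; SHA-1 signatures were already being withdrawn from certificate practice in 2014, and `-sha256` is accepted by the same `openssl req` command on every release the README recommends, so the line should read `openssl req -new -sha256 -config $KEYBASE.ca.keyconf -key $KEYBASE.key -out $KEYBASE.csr`. The CSR's own signature is only a proof of possession, but the CA has no reason to be handed a SHA-1 request. The `$KEYBASE` expansions on this line (and on the `genrsa` line in the following commit) are unquoted, so a key path containing whitespace splits into several arguments; `"$KEYBASE.csr"` and friends would be the safe form. The enclosing script body starts before this hunk.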
@@ -29,7 +29,7 @@ if [ ! -e $KEYBASE.key ]; then echo "vchat-keygen: generating RSA key $KEYBASE.key" echo "vchat-keygen: please set passphrase for local security" umask 0077 - openssl genrsa -des3 -out $KEYBASE.key 2048 + openssl genrsa -des3 -out $KEYBASE.key 4096 else echo "vchat-keygen: private key $KEYBASE.key exists" fi @@ -40,7 +40,7 @@ fi echo "vchat-keygen: generating config-file for self-signing $KEYBASE.ca.keyconf" cat >$KEYBASE.ca.keyconf < Date: Thu, 10 Apr 2014 10:46:58 +0200 Subject: recommend openssl 1.0.1g++ --- README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README b/README index 402826c..9ee3529 100755 --- a/README +++ b/README @@ -11,7 +11,7 @@ cvs -z3 -d:pserver:anoncvs@cvs.erdgeist.org:/home/cvsroot co vchat-client no autoconf yet, sorry. required libs: -openssl (0.9.6+ preferred) +openssl (1.0.1g+ preferred) readline (4.2+ preferred) ncurses (5.2 preferred) -- cgit v1.2.3 From 6119ae5156c3f01576d8bdefb8b861a45be372fb Mon Sep 17 00:00:00 2001 From: Andreas Kotes Date: Thu, 10 Apr 2014 11:02:55 +0200 Subject: update manual pages to point to git --- README | 5 ++--- vchat-client.sgml | 9 ++++----- vchat-howto | 5 ++--- 3 files changed, 8 insertions(+), 11 deletions(-) diff --git a/README b/README index 9ee3529..2a32f88 100755 --- a/README +++ b/README @@ -2,10 +2,9 @@ Hi! this is vchat-client, a GPLed (SSL) client for the vchat protocol. -You can get the most recent version of vchat-client via CVS, e.g: +You can get the most recent version of vchat-client via git, e.g: -cvs -d:pserver:anoncvs@cvs.erdgeist.org:/home/cvsroot login -cvs -z3 -d:pserver:anoncvs@cvs.erdgeist.org:/home/cvsroot co vchat-client +git clone git://erdgeist.org/vchat-client (press return at password prompt) diff --git a/vchat-client.sgml b/vchat-client.sgml index ee0dc36..4b4f130 100755 --- a/vchat-client.sgml +++ b/vchat-client.sgml 
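Review bot: Raising the modulus to 4096 bits leaves the private key wrapped with `-des3`, the legacy PEM encryption, which is now the weakest link on this line; `openssl genrsa` accepts `-aes256` in the versions the README names, so `openssl genrsa -aes256 -out $KEYBASE.key 4096` would match the stronger key with stronger at-rest protection. The second hunk of this commit (`@@ -40`) is truncated in this view, so the keyconf change could not be reviewed. The `if`/`else` around this line is complete within the hunk.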
@@ -262,16 +262,15 @@ TAB nick completion DEVEL -You can get the most recent version of vchat-client via CVS, e.g: +You can get the most recent version of vchat-client via git, e.g: -$ cvs -d:pserver:anonymous@pulse.flatline.de:/home/cvsroot login -$ cvs -z3 -d:pserver:anonymous@pulse.flatline.de:/home/cvsroot co vchat-client +$ git clone git://erdgeist.org/vchat-client (press return at password prompt) no autoconf yet, sorry. required libs: - - openssl (0.9.6+ preferred) + - openssl (1.0.1g+ preferred) - readline (4.2+ preferred) - ncurses (5.2 preferred) @@ -337,7 +336,7 @@ the admins has to be logged in. SEE ALSO -gcc (1), cvs (1). +gcc (1), git (1). diff --git a/vchat-howto b/vchat-howto index 22c34b7..0ace213 100755 --- a/vchat-howto +++ b/vchat-howto @@ -4,13 +4,12 @@ Newbies Guide to vchat via 'Buntclient' 1. Get the Source, Luke ----------------------- -Make sure, you got a shell and the tool called cvs. +Make sure, you got a shell and the tool called git. cd to a directory the source shall reside in. Type: -$ cvs -d:pserver:anoncvs@cvs.erdgeist.org:/home/cvsroot login -$ cvs -z3 -d:pserver:anoncvs@cvs.erdgeist.org:/home/cvsroot co vchat-client +$ git clone git://erdgeist.org/vchat-client (press return at password prompt) -- cgit v1.2.3 From 2a5819c9965b6fa296f8a2ace7aaf70156ee9f90 Mon Sep 17 00:00:00 2001 From: Andreas Kotes Date: Tue, 15 Apr 2014 12:13:13 +0200 Subject: handle SSL I/O errors more gracefully, avoid double free --- vchat-protocol.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/vchat-protocol.c b/vchat-protocol.c index b50f511..e676b28 100755 --- a/vchat-protocol.c +++ b/vchat-protocol.c @@ -166,8 +166,11 @@ vcconnect (char *server, char *port) } /* upgrade our plain BIO to ssl */ - if( vc_connect_ssl( &server_conn, &vc_store ) ) + if( vc_connect_ssl( &server_conn, &vc_store ) ) { BIO_free_all( server_conn ); + server_conn = NULL; + errno = EIO; + } } if( !server_conn ) { 
@@ -188,7 +191,8 @@ vcconnect (char *server, char *port) /* disconnect from server */ void vcdisconnect () { - BIO_free_all( server_conn ); + if (server_conn) + BIO_free_all( server_conn ); serverfd = -1; } -- cgit v1.2.3 From 41ffa33b09d9bcf0902c3ef9384011c95f72ccbe Mon Sep 17 00:00:00 2001 From: Andreas Kotes Date: Tue, 15 Apr 2014 12:29:30 +0200 Subject: change to use TLSv1_2 (or maybe later) --- vchat-ssl.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/vchat-ssl.c b/vchat-ssl.c index 652ca09..7f0395b 100755 --- a/vchat-ssl.c +++ b/vchat-ssl.c @@ -61,7 +61,8 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store ) X509_STORE *store = NULL; vc_x509verify_cb_t verify_callback = NULL; - if( !(ctx = SSL_CTX_new(SSLv3_method())) ) + /* Explicitly use TLSv1_2 (or maybe later) */ + if( !(ctx = SSL_CTX_new(TLSv1_2_client_method())) ) VC_CTX_ERR_EXIT(store, ctx); if( !(store = vc_x509store_create(vc_store)) ) @@ -69,7 +70,8 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store ) SSL_CTX_set_cert_store(ctx, store); store = NULL; - SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2); + /* Disable A LOT of insecure protocols explicitly */ + SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1); SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"); SSL_CTX_set_verify_depth (ctx, 2); -- cgit v1.2.3 From 19375e6c61bfe3bf643786b0e7318c528e4b22a0 Mon Sep 17 00:00:00 2001 From: Andreas Kotes Date: Tue, 15 Apr 2014 13:05:21 +0200 Subject: show cipher being used --- vchat-ssl.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/vchat-ssl.c b/vchat-ssl.c index 7f0395b..2b41432 100755 --- a/vchat-ssl.c +++ b/vchat-ssl.c 
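Review bot: `vcdisconnect()` still leaves `server_conn` pointing at freed memory after `BIO_free_all( server_conn )`, so the added NULL check only protects the first call; a second `vcdisconnect()`, or any path that tests `server_conn` the way the previous hunk's `if( !server_conn )` does, would still double free or read a dangling pointer. Add `server_conn = NULL;` directly after the free, mirroring what the failure path in the previous hunk already does. Resetting `serverfd = -1` alone does not cover this, since the BIO pointer is the object being freed.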
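Review bot: `TLSv1_2_client_method()` fixes the context to exactly TLS 1.2, so the new comment's "or maybe later" describes something the code cannot do: a version-specific method never negotiates a newer protocol. To get "1.2 or later", use the version-flexible method (`SSLv23_client_method()` on OpenSSL 1.0.x, `TLS_client_method()` from 1.1.0) and let the `SSL_OP_NO_*` options added in the next hunk set the floor; as written those options are redundant. Whichever is chosen, the comment should state the actual behaviour, e.g. `/* TLS 1.2 only: older protocol versions are refused at the method level */`. `vc_create_sslctx` continues outside the hunk.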
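Review bot: The cipher string on the unchanged `SSL_CTX_set_cipher_list` line, `ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH`, still admits suites the new `SSL_OP_NO_*` options do nothing about: `!ADH` excludes only anonymous DH, not anonymous ECDH, and `ALL` still contains the RC4 suites. `!aNULL` covers both anonymous families and `!RC4` drops the stream cipher, e.g. `SSL_CTX_set_cipher_list(ctx, "ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:!RC4:@STRENGTH");`. Since this commit is explicitly about disabling insecure protocol variants, leaving those suites reachable is the gap worth closing in the same change.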
@@ -136,8 +136,24 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) BIO_push( ssl_conn, *conn ); *conn = ssl_conn; fflush(stdout); - if( BIO_do_handshake( *conn ) > 0 ) + if( BIO_do_handshake( *conn ) > 0 ) { + /* Show information about cipher used */ + const SSL *sslp = NULL; + const SSL_CIPHER * cipher = NULL; + + /* Get cipher object */ + BIO_get_ssl(ssl_conn, &sslp); + cipher = SSL_get_current_cipher(sslp); + if (cipher) { + char cipher_desc[TMPSTRSIZE]; + snprintf(tmpstr, TMPSTRSIZE, "[SSL CIPHER] %s", SSL_CIPHER_description(cipher, cipher_desc, TMPSTRSIZE)); + writecf(FS_SERV, tmpstr); + } else { + snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!"); + writecf(FS_ERR, tmpstr); + } return 0; + } } snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", ERR_error_string (ERR_get_error (), NULL)); -- cgit v1.2.3
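Review bot: The return value of `BIO_get_ssl(ssl_conn, &sslp)` is ignored and `sslp` is passed straight to `SSL_get_current_cipher()`, which dereferences it, so if the ctrl fails `sslp` is still NULL and the code crashes before the `else` branch that is supposed to report "SSL object can't be queried" can run. Guard the query, `if (sslp) cipher = SSL_get_current_cipher(sslp);`, or test the return of `BIO_get_ssl` itself. `TMPSTRSIZE` is not visible here; on OpenSSL 1.0.x `SSL_CIPHER_description()` needs a buffer of at least 128 bytes and otherwise returns a fixed "Buffer too small" string, so the size of `cipher_desc` is worth confirming. `vc_connect_ssl` begins before this hunk and its error path continues after it.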