Debian Patches

Status for ngircd/26.1-1+deb12u1

Fields per patch: Patch, Description, Author, Forwarded, Bugs, Origin, Last update ("-" means the field is empty on the tracker).

0001-Respect-SSLConnect-option-for-incoming-connections.patch
  Description: [PATCH 01/20] Respect "SSLConnect" option for incoming connections

    Don't accept incoming plain-text ("non SSL") server connections for
    servers configured with "SSLConnect" enabled.

    If "SSLConnect" is not set for an incoming connection the server still
    accepts both plain-text and encrypted connections.

    This change prevents an authenticated client-server from being able to
    force the server-server to send its password on a plain-text connection
    when SSL/TLS was intended.

    (cherry picked from commit 21c1751b045b0be49e584a4ba191a330e0c381bb)
  Author: Alexander Barton <alex@barton.de>
  Forwarded: no
  Bugs: -
  Origin: debian
  Last update: 2024-01-01

0002-Support-for-server-certificate-validation-on-server-.patch
  Description: [PATCH 02/20] Support for server certificate validation on server links [S2S-TLS]

    This patch provides code to validate the server certificate in
    server links, defeating nasty man-in-the-middle attacks on server
    links.

    Features:

    - Check whether the certificate is signed by a trusted certificate
      authority (CA).
    - Check the host name, including wildcard certificates and Subject
      Alternative Names.
    - Optionally check against a certificate revocation list (CRL).
    - Implementation for both OpenSSL and GnuTLS linkage.

    Left for another day:

    - Parameterize the TLS parameter of an outbound connection. Currently,
      it's hardcoded to disable all versions before TLSv1.1.
    - Using certificates as CA certificates. They work for GnuTLS only, but
      perhaps this should rather raise an error there, too.
    - Optional OCSP checking.
    - Checking client certificates. Code is there but this first needs some
      consideration about the use cases. This could replace all other
      authentication methods, for both client-server and server-server
      connections.

    This patch is based on a patch by Florian Westphal from 2009, which
    implemented this for OpenSSL only:

    From: Florian Westphal <fw@strlen.de>
    Date: Mon, 18 May 2009 00:29:02 +0200
    Subject: SSL/TLS: Add initial certificate support to OpenSSL backend

    Commit message modified by Alex Barton.

    Closes #120, "Server links using TLS/SSL need certificate validation".
    Supersedes PR #8, "Options for verifying and requiring SSL client
    certificates", which had (incomplete?) code for OpenSSL, no GnuTLS.

    (cherry picked from commit 817937b218c4b57515f54216ebc936cd69df0aae)
  Author: Christoph Biedl <ngircd.anoy@manchmal.in-ulm.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2014-11-02

0003-S2S-TLS-Add-missing-CAFile-and-CRLFile-options-to-co.patch
  Description: [PATCH 03/20] S2S-TLS: Add missing CAFile and CRLFile options to "configtest" output

    (cherry picked from commit 5ca567a18caf699f93495ba2bc3749fb5f65383b)
  Author: Alexander Barton <alex@barton.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2023-12-16

0004-S2S-TLS-Remove-leftover-debug-messages.patch
  Description: [PATCH 04/20] S2S-TLS: Remove leftover debug messages

    (cherry picked from commit 8f8bef9faee96a6033e8719fd38167017299847a)
  Author: Alexander Barton <alex@barton.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2023-12-16

0005-S2S-TLS-OpenSSL-Always-setup-host-name-verification.patch
  Description: [PATCH 05/20] S2S-TLS/OpenSSL: Always setup host name verification

    Set up host name verification even when the "SSLVerify" option is
    disabled, because even then the peer can present a valid certificate,
    and validation would always(!) fail because of the missing host name
    verification setup.

    (cherry picked from commit 84b019b11f761b71c8239d60e7f8db0b82a55df3)
  Author: Alexander Barton <alex@barton.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2024-01-01

0006-S2S-TLS-OpenSSL-Set-the-verification-flags-only-once.patch
  Description: [PATCH 06/20] S2S-TLS/OpenSSL: Set the verification flags only once

    Set the verification flags in the ConnSSL_SetVerifyProperties_openssl
    function only, don't override them in ConnSSL_InitLibrary() afterwards.

    No functional changes, now ConnSSL_SetVerifyProperties_openssl() sets
    exactly the parameters which ConnSSL_InitLibrary() always overwrote ...

    (cherry picked from commit 08647ab1e7cf0d034f2d8987a3cac3201af84e02)
  Author: Alexander Barton <alex@barton.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2024-01-02

0007-S2S-TLS-OpenSSL-Fix-handling-of-certificate-informat.patch
  Description: [PATCH 07/20] S2S-TLS/OpenSSL: Fix handling of certificate information for incoming connections

    Show proper certificate information for incoming connections, too, and
    not "peer did not present a certificate", regardless of whether the
    client sent a certificate or not.

    And free the client certificate structure "peer_cert" on incoming
    connections as well!

    (cherry picked from commit 679505aab9fea21b27a3d4bbf99cf2a16cf3d3d5)
  Author: Alexander Barton <alex@barton.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2024-01-02

0008-S2S-TLS-OpenSSL-Postpone-verification-of-TLS-session.patch
  Description: [PATCH 08/20] S2S-TLS/OpenSSL: Postpone verification of TLS session right before server handshake

    The verify callback in OpenSSL is called pretty early, and at that time
    it is not possible yet to check which connection it belongs to, and some
    connections may have relaxed requirements.

    So always return success in the Verify_openssl() callback, and postpone
    validation of the TLS session until starting the server handshake in
    cb_connserver_login_ssl(), when we know which server this connection
    belongs to and which options (like "SSLVerify") are in effect.

    The code doing this was already present in cb_connserver_login_ssl(),
    but this patch adds a more prominent comment to the function.

    (cherry picked from commit 3db3b47fc7172a69b7d99d66eddb07a323dc6e74)
  Author: Alexander Barton <alex@barton.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2024-01-02

0009-S2S-TLS-OpenSSL-Streamline-logging.patch
  Description: [PATCH 09/20] S2S-TLS/OpenSSL: Streamline logging

    This includes simplifying cb_connserver_login_ssl() a bit: we do not
    have to code for an invalid state which was ruled out by an assert(),
    and can therefore get rid of the goto altogether (and don't log the
    same error twice with different messages).

    (cherry picked from commit 02bb99b0242ade8af78f957aa1657561374ef1d6)
  Author: Alexander Barton <alex@barton.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2024-01-02

0010-S2S-TLS-Fix-formatting-and-sort-new-SSL-options-in-n.patch
  Description: [PATCH 10/20] S2S-TLS: Fix formatting and sort new SSL options in ngircd.conf manual page

    (cherry picked from commit 58ee4df2ae2e4e59ae8909b69670825229158da8)
  Author: Alexander Barton <alex@barton.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2024-01-03

0011-S2S-TLS-MAX_CERT_CHAIN_LENGTH-is-only-used-by-OpenSS.patch
  Description: [PATCH 11/20] S2S-TLS: MAX_CERT_CHAIN_LENGTH is only used by OpenSSL

    (cherry picked from commit c8589e9890742c377c78595131ef1cdc8d784c66)
  Author: Alexander Barton <alex@barton.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2024-01-05

0012-S2S-TLS-GnuTLS-Update-SSL-code-for-GnuTLS-certificat.patch
  Description: [PATCH 12/20] S2S-TLS/GnuTLS: Update SSL code for GnuTLS certificate reloading

    Without this, the S2S-TLS patch does not even compile with GnuTLS
    because of the "new" GnuTLS certificate reload support implemented in
    commit eead4a63 ("x509_cred_slot").

    (cherry picked from commit 0e176b557037b583f408229b518646804b33d745)
  Author: Alexander Barton <alex@barton.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2024-01-05

0013-S2S-TLS-GnuTLS-Fix-handling-of-certificate-informati.patch
  Description: [PATCH 13/20] S2S-TLS/GnuTLS: Fix handling of certificate information for incoming connections

    Show proper certificate information for incoming connections, too, and
    not "peer did not present a certificate", regardless of whether the
    client sent a certificate or not.

    This change is for GnuTLS and is similar to what was implemented for
    OpenSSL in commit "S2S-TLS/OpenSSL: Fix handling of certificate
    information for incoming connections".

    (cherry picked from commit 509ff6032686662328f4ecb0c5c287a34e929c53)
  Author: Alexander Barton <alex@barton.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2024-01-05

0014-S2S-TLS-GnuTLS-Streamline-logging.patch
  Description: [PATCH 14/20] S2S-TLS/GnuTLS: Streamline logging

    (cherry picked from commit 663972c88d3ae3e3226fe6f95ca1113694ce0618)
  Author: Alexander Barton <alex@barton.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2024-01-05

0015-S2S-TLS-Verify-the-TLS-certificates-by-default.patch
  Description: [PATCH 15/20] S2S-TLS: Verify the TLS certificates by default

    This is already mentioned as the default in the manual page and the
    sample configuration file, but was actually not enabled in the code!

    (cherry picked from commit 180e2ec1359378172135472148c99a2d14e873cc)
  Author: Alexander Barton <alex@barton.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2024-01-06

0016-S2S-TLS-GnuTLS-Fix-handling-of-connections-without-p.patch
  Description: [PATCH 16/20] S2S-TLS/GnuTLS: Fix handling of connections without peer certificates

    (cherry picked from commit 8cef3ce42cd645a3ffb0e1eded52b8b77bb8caff)
  Author: Alexander Barton <alex@barton.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2024-01-06

0017-S2S-TLS-Convert-SSL.txt-to-Markdown-and-update-infor.patch
  Description: [PATCH 17/20] S2S-TLS: Convert SSL.txt to Markdown and update information given

    No longer describe creating self-signed certificates or using "stunnel",
    as both are not recommended.

    (cherry picked from commit b826fad15871f73435328b1d77fd364838389adb)
  Author: Alexander Barton <alex@barton.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2024-01-08

0018-S2S-TLS-Add-notice-to-INSTALL.md.patch
  Description: [PATCH 18/20] S2S-TLS: Add notice to INSTALL.md

    (cherry picked from commit 6b27eabf5bdbc6bf6f71d7b1e7d059dfeab6849b)
  Author: Alexander Barton <alex@barton.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2024-01-11

0019-S2S-TLS-Fix-make-check-in-separate-build-directory.patch
  Description: [PATCH 19/20] S2S-TLS: Fix "make check" in separate build directory

    (cherry picked from commit b9d6a2f49c4b3607c69b298cc770c0c945f627f6)
  Author: Alexander Barton <alex@barton.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2024-02-10

0020-METADATA-Fix-unsetting-cloakhost.patch
  Description: [PATCH 20/20] METADATA: Fix unsetting "cloakhost"

    Correctly re-generate the "cloaked hostname" when removing the
    "cloakhost" using an empty string by passing down NULL instead of the
    empty string, which results in protocol violations (for example on
    WHOIS).

    (cherry picked from commit 1118b0e77ca961a7b082f90cb124210eca8fb6bd)
  Author: Alexander Barton <alex@barton.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2024-03-17

0001-S2S-SSL-GnuTLS-Enable-CRL-verification_26.1.patch
  Description: [PATCH] S2S-SSL/GnuTLS: Enable CRL verification

    (cherry picked from commit b2c9049af20b12f2fde08f4af0a35968404effdb)
  Author: Christoph Biedl <ngircd.anoy@manchmal.in-ulm.de>
  Forwarded: no
  Bugs: -
  Origin: -
  Last update: 2024-03-31

1713563399.rel-27-rc1-6-g3e3f6cbe.clarify-that-cafile-is-not-set-by-default.patch
  Description: Clarify that "CAFile" is not set by default
  Author: -
  Forwarded: no
  Bugs: -
  Origin: rel-27-rc1-6-g3e3f6cbe
  Last update: 2024-04-19

fix-race-in-testsuite.patch
  Description: Fix race in testsuite
  Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
  Forwarded: yes
  Bugs: -
  Origin: -
  Last update: 2020-06-21