Aaron Jones a90f22c92d OpenSSL: Support configuration of TLSv1.3 ciphersuites
The OpenSSL developers decided, during the OpenSSL 1.1.1 development
phase, to use a different API and different set of lists for TLSv1.3
ciphersuites than for every TLS version preceding it.

This is stupid, but we have to work with it.

This commit also improves configuration fault resilience. The reason
is that if you don't pass any valid old-style ciphersuites, OpenSSL
will not negotiate an older protocol at all. However, when they
implemented the new API, they decided that lack of any valid
ciphersuites should result in using the defaults. This means that if
you pass a completely invalid ciphersuite list (like "foo"), OR if
you pass a TLSv1.2-only ciphersuite list, TLSv1.3 continues to work.
This is not mirrored; passing a TLSv1.3-only ciphersuite list will
break TLSv1.2 and below.

Therefore we work around this lack of mirroring by falling back to
the default list for each protocol. This means that if
ssl_cipher_list is complete garbage, the default will be used, and
TLS setup will succeed for both protocols. This is logged, so that
administrators can fix their configuration.

I prefer this approach over explicitly disabling the protocols if
their respective ciphersuite lists are invalid, because it will
result in unusable TLSv1.3 if people run newer solanum with their
older charybdis/solanum configuration files that contain custom
ssl_cipher_list definitions. Hindering TLSv1.3 adoption is not an
option, in my opinion.

The downside of this is that it is no longer possible to disable a
protocol family by not including any of its ciphersuites. This could
be remedied by an ssl_protocol_list configuration directive if it is
decided that this functionality is ultimately necessary.

This work is not required for either of the other TLS backends,
because neither of those libraries yet supports TLSv1.3, and in the
event that they eventually do, I expect them to allow configuration
of newer ciphersuites with the existing APIs. This can be revisited
if it turns out not to be the case.

Signed-off-by: Aaron Jones <me@aaronmdjones.net>
Tested-by: Aaron Jones <me@aaronmdjones.net>
2021-02-07 11:52:58 +00:00

solanum

Solanum is an IRCv3 server designed to be highly scalable. It implements IRCv3.1 and some parts of IRCv3.2.

It is meant to be used with an IRCv3-capable services implementation such as Atheme or Anope.

necessary requirements

  • A supported platform
  • A working dynamic library system
  • A working lex and yacc - flex and bison should work

platforms

Solanum is designed with portability in mind, but does not target older systems nor those of solely academic interest.

Do note that operating systems are only supported if they are supported by their vendor.

Tier 1

These platforms are the best supported, and should always work. They are actively tested. If you encounter problems, please file a bug.

  • FreeBSD 10.x and above (i386 and amd64)
  • Linux 2.6.x and above with glibc or musl (i386, x86_64, and ARM)
  • macOS 10.7 and above
  • Windows Vista/Server 2008 and above (x86 or x64)

Tier 2

These platforms are supported and occasionally tested, and most features should work, but this is not guaranteed. If you find any problems, file a bug, but as these are not regularly tested platforms, a timely resolution may not be possible.

  • DragonflyBSD 4.4 and above (i386)
  • Linux with uClibc (i386 or x86_64)
  • NetBSD 6.1.x and above (i386, amd64)
  • OpenBSD 5.6 and above (i386, amd64)
  • Solaris 10 and above (i386)

Tier 3

Anything else that hasn't been tested. Solanum may or may not work on it; patches welcome if they don't.

platform specific errata

These are known issues and workarounds for supported platforms.

  • macOS: you must set the LIBTOOLIZE environment variable to point to glibtoolize before running autogen.sh:

    brew install libtool
    export LIBTOOLIZE="/usr/local/bin/glibtoolize"
    ./autogen.sh
    
  • FreeBSD: if you are compiling with IPv6 you may experience problems with IPv4 due to the way the socket code is written. To fix this you must run:

    sysctl net.inet6.ip6.v6only=0

  • Solaris: you may have to set your PATH to include /usr/gnu/bin and /usr/gnu/sbin before /usr/bin and /usr/sbin. Solaris's default tools don't seem to play nicely with the configure script.

building

./autogen.sh
./configure --prefix=/path/to/installation
make
make check # run tests
make install

See ./configure --help for build options.

feature specific requirements

  • For SSL/TLS client and server connections, one of:

    • OpenSSL 1.0.0 or newer (--enable-openssl)
    • LibreSSL (--enable-openssl)
    • mbedTLS (--enable-mbedtls)
    • GnuTLS (--enable-gnutls)
  • For certificate-based oper CHALLENGE, OpenSSL 1.0.0 or newer. (Using CHALLENGE is not recommended for new deployments, so if you want to use a different TLS library, feel free.)

  • For ECDHE under OpenSSL on Solaris and RHEL/Fedora (and derivatives such as CentOS), you will need to compile your own OpenSSL, as those systems have removed support for ECC/ECDHE. Alternatively, consider using another library (see above).

tips

  • To report bugs in solanum, visit us at chat.freenode.net #solanum

  • Please read doc/index.txt to get an overview of the current documentation.

  • Read the NEWS file for what's new in this release.

  • The files /etc/services, /etc/protocols and /etc/resolv.conf SHOULD be readable by the user running the server so that ircd starts with the correct settings. If these files are wrong, solanum will fall back to 127.0.0.1 as its resolver as a last-ditch effort.

git access

  • The Solanum Git repository can be checked out using the following command: git clone https://github.com/solanum-ircd/solanum

  • Solanum's Git repository can be browsed over the Internet at the following address: https://github.com/solanum-ircd/solanum