bx/catgirl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use "secure" libtls ciphers

Browse Source 
d3e90b6 'Use libtls "compat" ciphers' from 2018 fell back to "compat"
ciphers to support irc.mozilla.org which now yields NXDOMAIN.

All modern networks (should) support secure ciphers, so drop the
hopefully unneeded list of less secure ciphers by avoiding
tls_config_set_ciphers(3) and therefore sticking to the "secure" aka.
"default" set of ciphers in libtls.

A quick check shows that almost all of the big/known IRC networks
support TLS1.3 already;  those who do not at least comply with
SSL_CTX_set_cipher_list(3)'s "HIGH" set as can be tested like this:

	echo \
	  irc.hackint.org \
	  irc.tilde.chat \
	  irc.libera.chat \
	  irc.efnet.nl \
	  irc.oftc.net |
	xargs -tn1 \
	openssl s_client -quiet -cipher HIGH -no_ign_eof -port 6697 -host
This commit is contained in:
Klemens Nanni 2021-06-20 14:42:10 +00:00 committed by C. McEnroe
parent 3a38e36717
commit 585039fb6e
1 changed files with 1 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
irc.c
View File

@ -49,14 +49,7 @@ void ircConfig(
struct tls_config *config = tls_config_new();
if (!config) errx(EX_SOFTWARE, "tls_config_new");
int error = tls_config_set_ciphers(config, "compat");
if (error) {
errx(
EX_SOFTWARE, "tls_config_set_ciphers: %s",
tls_config_error(config)
);
}
int error;
if (insecure) {
tls_config_insecure_noverifycert(config);
tls_config_insecure_noverifyname(config);