aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGravatar Sadie Powell2025-04-02 11:02:05 +0100
committerGravatar Sadie Powell2025-04-03 01:06:36 +0100
commit2374aa02748306ec55e78e68e3e5e7677aab12b9 (patch)
treebaf21db1b372d90badca37be658e31cf71a87f59
parentRelease v4.7.0. (diff)
Add <sslprofile:securitylevel>.
This allows enforcing a minimum security level on the provided cert and key. We can use this in the future to squish insecure config.
-rw-r--r--src/modules/extra/m_ssl_openssl.cpp9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index d3cfa0728..149486e19 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -247,6 +247,11 @@ namespace OpenSSL
}
}
+ void SetSecurityLevel(int securitylevel)
+ {
+ SSL_CTX_set_security_level(ctx, securitylevel);
+ }
+
long GetDefaultContextOptions() const
{
return ctx_options;
@@ -419,6 +424,10 @@ namespace OpenSSL
SetContextOptions("server", tag, ctx);
SetContextOptions("client", tag, clientctx);
+ const auto securitylevel = tag->getNum<int>("securitylevel", 0, 0, 10);
+ if (securitylevel)
+ ctx.SetSecurityLevel(securitylevel);
+
/* Load our keys and certificates
* NOTE: OpenSSL's error logging API sucks, don't blame us for this clusterfuck.
*/