Respect "SSLConnect" option for incoming connections

Don't accept incoming plain-text ("non SSL") server connections for servers configured with "SSLConnect" enabled. If "SSLConnect" is not set for an incoming connection the server still accepts both plain-text and encrypted connections. This change prevents an authenticated client-server being able to force the server-server to send its password on a plain-text connection when SSL/TLS was intended.
2025-05-03 07:54:06 +00:00 · 2024-01-01 18:20:26 +01:00 · 2024-01-01 18:20:26 +01:00 · 21c1751b04
commit 21c1751b04
parent 843cbfc0f3
1 changed files with 14 additions and 1 deletions
--- a/src/ngircd/irc-server.c
+++ b/src/ngircd/irc-server.c
@ -1,6 +1,6 @@
 /*
 * ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001-2022 Alexander Barton (alex@barton.de) and Contributors.
+ * Copyright (c)2001-2024 Alexander Barton (alex@barton.de) and Contributors.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -88,6 +88,19 @@ IRC_SERVER( CLIENT *Client, REQUEST *Req )
 			return DISCONNECTED;
 		}

+#ifdef SSL_SUPPORT
+		/* Does this server require an SSL connection? */
+		if (Conf_Server[i].SSLConnect &&
+		    !(Conn_Options(Client_Conn(Client)) & CONN_SSL)) {
+			Log(LOG_ERR,
+			    "Connection %d: Server \"%s\" requires a secure connection!",
+			    Client_Conn(Client), Req->argv[0]);
+			Conn_Close(Client_Conn(Client), NULL,
+				   "Secure connection required", true);
+			return DISCONNECTED;
+		}
+#endif
+
 		/* Check server password */
 		if (strcmp(Conn_Password(Client_Conn(Client)),
 		    Conf_Server[i].pwd_in) != 0) {