mirror of https://github.com/osmarks/ngircd.git synced 2025-11-01 06:23:00 +00:00

Compare commits


6 Commits

Author SHA1 Message Date
Alexander Barton
af60f04fef ngIRCd release 18~rc2 2011-06-29 10:22:46 +02:00
Alexander Barton
2d35731399 GnuTLS: use 1024 (DH_BITS_MIN) as minimum size of the DH prime
For outgoing connections, we use 2048 (DH_BITS) since commit 49b2d0e.

This patch enables ngIRCd to accept incoming connections from other servers
and clients that use at least 1024 bits (and no longer requires 2048 for
incoming connections, too).

Patch proposed by Florian Westphal.
2011-06-28 13:48:33 +02:00
Alexander Barton
7ae7ace579 ngircd.8: document debugging options 2011-06-28 13:45:16 +02:00
Alexander Barton
5f400694cf ngircd.conf.5: strip "SSL" prefix from variables in [SSL] section 2011-06-28 13:21:38 +02:00
Alexander Barton
bd118c65fd Fix some wording, use spellchecker ;-) 2011-06-28 13:12:06 +02:00
Alexander Barton
29c49f643f doc/SSL.txt: adopt to new configuration file layout 2011-06-28 13:11:14 +02:00
10 changed files with 80 additions and 33 deletions

View File

@@ -11,15 +11,24 @@
ngIRCd Release 18
ngIRCd 18~rc2 (2011-06-29)
- Update documentation, fix some wording, and use a spellchecker :-)
- ngircd.conf.5: strip "SSL" prefix from variables in [SSL] section.
- ngircd.8: document debugging options.
- GnuTLS: use 1024 bits as minimum size of the DH prime. This enables
ngIRCd to accept incoming connections from other servers and clients
that "only" use at least 1024 bits again, like ngIRCd 17 did (and no
longer requires 2048 bits for incoming connections).
ngIRCd 18~rc1 (2011-06-27)
- PAM warning message: make clear which "Password" config option is ignored.
- New configuration opion "MorePrivacy" to "censor" some user information.
When enabled, signon time and idle time is censored. Part and quit
- New configuration option "MorePrivacy" to "censor" some user information.
When enabled, signon time and idle time is left out. Part and quit
messages are made to look the same. WHOWAS requests are silently dropped.
All of this is useful if one wish to conceal users that access the ngircd
servers from TOR or I2P.
- New configuration option "ScrubCTCP" to scrub incoming CTCP commands. If
activated, the server silently drops incomming CTCP requests from both
activated, the server silently drops incoming CTCP requests from both
other servers and from users. The server that scrubs CTCP will not forward
the CTCP requests to other servers in the network either, which can spell
trouble if not every oper knows about the CTCP-scrubbing. Scrubbing CTCP
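Review bot: The new 18~rc2 entry for the DH prime change (lines "GnuTLS: use 1024 bits as minimum size of the DH prime ...") reads as if ngIRCd itself now uses 1024-bit parameters; the commit message for 2d35731399 says outgoing connections still use 2048 bits (DH_BITS) and that 1024 is only the floor accepted from peers. Adding that distinction here would stop administrators from reading this as a downgrade of the server's own key exchange strength.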
@@ -43,7 +52,7 @@ ngIRCd Release 18
would be best to just use 4096 bits, but that takes minutes, even on
current hardware ...
- contrib/platformtest.sh: fix gcc version detection.
- Avoid needlesly scary 'buffer overflow' messages: When the write buffer
- Avoid needlessly scary 'buffer overflow' messages: When the write buffer
space grows too large, ngIRCd has to disconnect the client to avoid
wasting too much memory, which is logged with a scary 'write buffer
overflow' message. Change this to a more descriptive wording.
@@ -59,8 +68,8 @@ ngIRCd Release 18
like e.g. snircd (QuakeNet) does.
- Generate WALLOPS message on SQUIT from IRC operators; so SQUIT now behaves
like CONNECT and DISCONNECT commands, when called by an IRC operator.
- Allow servers to send more commands in the first 10 secods ("burst"). This
helps to speed up server login and network synchronisation.
- Allow servers to send more commands in the first 10 seconds ("burst"). This
helps to speed up server login and network synchronization.
- Add support for up to 3 targets in WHOIS queries, also allow up to one
wildcard query from local hosts. Follows ircd 2.10 implementation rather
than RFC 2812. At most 10 entries are returned per wildcard expansion.
@@ -83,7 +92,7 @@ ngIRCd Release 18
- Don't access possibly free'd CLIENT structure. Ooops.
- Allow "Port = 0" in [Server] blocks. Port number 0 marks remote servers
that try to connect to this daemon, but where this daemon never tries to
establis a connection on its own: only incoming connections are allowed.
establish a connection on its own: only incoming connections are allowed.
- Configuration: fix 'Value of "..." is not a number!' for negative values.
- Enable WHOIS command to return information about services.
- Implement channel mode 'O': "IRC operators only". This channel mode is
@@ -100,9 +109,9 @@ ngIRCd Release 18
in [Global] are still accepted, so there is no functional change.
- Fix confusing "adding to invite list" debug messages: adding entries to
ban list produced 'invite list' debug output ...
- Don't throttle services and servers beeing registered.
- Don't throttle services and servers being registered.
- Xcode: correctly sort files :-)
- Don't assert() when serching a client for an invalid server token (this is
- Don't assert() when searching a client for an invalid server token (this is
only relevant when a trusted server on a server-server link sends invalid
commands).
@@ -113,7 +122,7 @@ ngIRCd Release 17.1 (2010-12-19)
- Reset ID of outgoing server link on DNS error correctly
- Don't log critical (or worse) messages to stderr
- Manual page ngircd(8): add SIGNALS section
- Manual pages: update and simplyfy AUTHORS section
- Manual pages: update and simplify AUTHORS section
- Remove "error file" when compiled with debug code enabled
- README: Updated list of implemented commands
- add doc/README-Interix.txt and doc/Bopm.txt to distribution tarball

View File

@@ -134,7 +134,7 @@ Again: "end users" do not need this step!
The configure-script is used to detect local system dependencies.
In the perfect case, configure should recognise all needed libraries, header
In the perfect case, configure should recognize all needed libraries, header
files and so on. If this shouldn't work, "./configure --help" shows all
possible options.

16
NEWS
View File

@@ -10,14 +10,20 @@
ngIRCd Release 18
ngIRCd 18~rc2 (2011-06-29)
- GnuTLS: use 1024 bits as minimum size of the DH prime. This enables
ngIRCd to accept incoming connections from other servers and clients
that "only" use at least 1024 bits again, like ngIRCd 17 did (and no
longer requires 2048 bits for incoming connections).
ngIRCd 18~rc1 (2011-06-27)
- New configuration opion "MorePrivacy" to "censor" some user information.
When enabled, signon time and idle time is censored. Part and quit
- New configuration option "MorePrivacy" to "censor" some user information.
When enabled, signon time and idle time is left out. Part and quit
messages are made to look the same. WHOWAS requests are silently dropped.
All of this is useful if one wish to conceal users that access the ngircd
servers from TOR or I2P.
- New configuration option "ScrubCTCP" to scrub incoming CTCP commands. If
activated, the server silently drops incomming CTCP requests from both
activated, the server silently drops incoming CTCP requests from both
other servers and from users. The server that scrubs CTCP will not forward
the CTCP requests to other servers in the network either, which can spell
trouble if not every oper knows about the CTCP-scrubbing. Scrubbing CTCP
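Review bot: The spellchecker pass missed "if one wish to conceal users" in the MorePrivacy entry (the same sentence also appears in the ChangeLog); it should read "if one wishes to conceal users". Since this hunk already rewrites the neighbouring "signon time and idle time is censored" wording, fixing it in the same change would be cheap.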
@@ -34,7 +40,7 @@ ngIRCd Release 18
the [Global] section are deprecated now, but are still recognized.
=> Don't forget to check your configuration, use "ngircd --configtest"!
- New documentation "how to contribute": doc/Contributing.txt.
- Avoid needlesly scary 'buffer overflow' messages: When the write buffer
- Avoid needlessly scary 'buffer overflow' messages: When the write buffer
space grows too large, ngIRCd has to disconnect the client to avoid
wasting too much memory, which is logged with a scary 'write buffer
overflow' message. Change this to a more descriptive wording.
@@ -63,7 +69,7 @@ ngIRCd Release 18
the moment. This enhances reliability on slow links.
- Allow "Port = 0" in [Server] blocks. Port number 0 marks remote servers
that try to connect to this daemon, but where this daemon never tries to
establis a connection on its own: only incoming connections are allowed.
establish a connection on its own: only incoming connections are allowed.
- Enable WHOIS command to return information about services.
- Implement channel mode 'O': "IRC operators only". This channel mode is
used on DALnet (bahamut), for example.

View File

@@ -1,3 +1,9 @@
ngircd (18~rc2-0ab1) unstable; urgency=low
* New "upstream" release candidate 2 for ngIRCd Release 18.
-- Alexander Barton <alex@barton.de> Wed, 29 Jun 2011 10:20:51 +0200
ngircd (18~rc1-0ab1) unstable; urgency=low
* New "upstream" release candidate 1 for ngIRCd Release 18.

View File

@@ -1,5 +1,5 @@
%define name ngircd
%define version 18~rc1
%define version 18~rc2
%define release 1
%define prefix %{_prefix}

View File

@@ -34,7 +34,7 @@ possible to handle unencrypted and encrypted connections on the same port!
This is a limitation of the IRC protocol ...
You have to set (at least) the following configuration variables in the
[GLOBAL] section of ngircd.conf(5): SSLPorts, SSLKeyFile, and SSLCertFile.
[SSL] section of ngircd.conf(5): Ports, KeyFile, and CertFile.
Now IRC clients are able to connect using SSL on the configured port(s).
(Using port 6697 for encrypted connections is common.)
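Review bot: The rewritten sentence lists Ports, KeyFile, and CertFile as the variables to set in the [SSL] section, but the ngircd.conf.5 change in this same commit range documents DHFile as well, noting that without it ngIRCd compiled against OpenSSL offers no (Ephemeral-)Diffie-Hellman key exchange and several cipher suites are unavailable. A short mention of DHFile after the three required variables would keep doc/SSL.txt consistent with the manual page and avoid deployments that silently lose forward-secret cipher suites.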

View File

@@ -57,7 +57,7 @@
# This tells ngIRCd to write its current process ID to a file.
# Note that the pidfile is written AFTER chroot and switching the
# user ID, e.g. the directory the pidfile resides in must be
# writeable by the ngIRCd user and exist in the chroot directory.
# writable by the ngIRCd user and exist in the chroot directory.
;PidFile = /var/run/ngircd/ngircd.pid
# Ports on which the server should listen. There may be more than
@@ -110,7 +110,7 @@
[Options]
# Optional features and configuration options to further tweak the
# behavior of ngIRCd. If you wan't to get started quickly, you most
# behavior of ngIRCd. If you want to get started quickly, you most
# probably don't have to make changes here -- they are all optional.
# Are remote IRC operators allowed to control this server, e.g.
@@ -170,7 +170,7 @@
# "PONG" reply.
;RequireAuthPing = no
# Silently drop all incomming CTCP requests.
# Silently drop all incoming CTCP requests.
;ScrubCTCP = no
# Syslog "facility" to which ngIRCd should send log messages.

View File

@@ -26,7 +26,7 @@ there are good chances that it also supports other UNIX-based operating
systems as well. By default, ngIRCd writes diagnostic and informational messages using
the syslog mechanism.
.SH OPTIONS
The default behaviour of
The default behavior of
.BR ngircd
is to read its standard configuration file (see below), to detach from the
controlling terminal and to wait for clients.
@@ -68,7 +68,7 @@ Default "message of the day" (MOTD).
The daemon understands the following signals:
.TP
\fBTERM\fR
Shut down all conections and terminate the daemon.
Shut down all connections and terminate the daemon.
.TP
\fBHUP\fR
Shut down all listening sockets, re-read the configuration file and
@@ -76,6 +76,31 @@ re-initialize the daemon.
.SH HINTS
It's wise to use "ngircd \-\-configtest" to validate the configuration file
after changing it.
.SH DEBUGGING
When ngIRCd is compiled with debug code, that is, its source code has
been ./configure'd with "--enable-debug" and/or "--enable-sniffer" (witch
enables debug mode automatically as well), you can use two more command
line options and two more signals to debug problems with the daemon itself
or IRC clients:
.PP
\fBOptions:\fR
.TP
\fB\-d\fR, \fB\-\-debug\fR
Enable debug mode and log extra messages.
.TP
\fB\-s\fR, \fB\-\-sniffer\fR
Enable IRC protocol sniffer, which logs all sent and received IRC commands to
the console/syslog. This option requires that ngIRCd has been ./configure'd
with "--enable-sniffer" and enables debug mode automatically, too.
.PP
\fBSignals:\fR
.TP
\fBUSR1\fR
Toggle debug mode on and off during runtime.
.TP
\fBUSR2\fR
Dump internal server state to the console/syslog when debug mode is on (use
command line option \-\-debug or signal USR1).
.SH AUTHORS
Alexander Barton, <alex@barton.de>
.br
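Review bot: Typo in the new DEBUGGING section: "(witch enables debug mode automatically as well)" should be "(which enables ...)". Separately, the description of --sniffer says it "logs all sent and received IRC commands to the console/syslog"; it would be worth adding one sentence that this includes any credentials carried in those commands, so that sniffer output is treated as sensitive and not left in a shared syslog.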

View File

@@ -128,7 +128,7 @@ if ngIRCd is using PAM!
\fBPidFile\fR (string)
This tells ngIRCd to write its current process ID to a file. Note that the
pidfile is written AFTER chroot and switching the user ID, e.g. the directory
the pidfile resides in must be writeable by the ngIRCd user and exist in the
the pidfile resides in must be writable by the ngIRCd user and exist in the
chroot directory (if configured, see above).
.TP
\fBPorts\fR (list of numbers)
@@ -192,7 +192,7 @@ If a client fails to answer a PING with a PONG within <PongTimeout>
seconds, it will be disconnected by the server. Default: 20.
.SH [OPTIONS]
Optional features and configuration options to further tweak the behavior of
ngIRCd. If you wan't to get started quickly, you most probably don't have to
ngIRCd. If you want to get started quickly, you most probably don't have to
make changes here -- they are all optional.
.TP
\fBAllowRemoteOper\fR (boolean)
@@ -291,7 +291,7 @@ Default: no.
If set to true, ngIRCd will silently drop all CTCP requests sent to it from
both clients and servers. It will also not forward CTCP requests to any
other servers. CTCP requests can be used to query user clients about which
software they are using and which versions said softare is. CTCP can also be
software they are using and which versions said software is. CTCP can also be
used to reveal clients IP numbers. ACTION CTCP requests are not blocked,
this means that /me commands will not be dropped, but please note that
blocking CTCP will disable file sharing between users!
@@ -314,10 +314,10 @@ All SSL-related configuration variables are located in the
section. Please note that this whole section is only recognized by ngIRCd
when it is compiled with support for SSL using OpenSSL or GnuTLS!
.TP
\fBSSLCertFile\fR (string)
\fBCertFile\fR (string)
SSL Certificate file of the private server key.
.TP
\fBSSLDHFile\fR (string)
\fBDHFile\fR (string)
Name of the Diffie-Hellman Parameter file. Can be created with GnuTLS
"certtool \-\-generate-dh-params" or "openssl dhparam". If this file is not
present, it will be generated on startup when ngIRCd was compiled with GnuTLS
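Review bot: The renamed entries (\fBCertFile\fR, \fBDHFile\fR) do not say what happens to configurations that still use the old SSLCertFile and SSLDHFile names; the NEWS file in this same change states that the SSL-prefixed variables in the [Global] section are deprecated but still recognized. A sentence to that effect at the top of the [SSL] section, plus a pointer to "ngircd --configtest", would prevent administrators from assuming their existing TLS setup has silently stopped working after the upgrade.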
@@ -325,14 +325,14 @@ support (this may take some time). If ngIRCd was compiled with OpenSSL, then
(Ephemeral)-Diffie-Hellman Key Exchanges and several Cipher Suites will not be
available.
.TP
\fBSSLKeyFile\fR (string)
\fBKeyFile\fR (string)
Filename of SSL Server Key to be used for SSL connections. This is required
for SSL/TLS support.
.TP
\fBSSLKeyFilePassword\fR (string)
\fBKeyFilePassword\fR (string)
OpenSSL only: Password to decrypt the private key file.
.TP
\fBSSLPorts\fR (list of numbers)
\fBPorts\fR (list of numbers)
Same as \fBPorts\fR , except that ngIRCd will expect incoming connections
to be SSL/TLS encrypted. Common port numbers for SSL-encrypted IRC are 6669
and 6697. Default: none.
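Review bot: After the rename, "Same as \fBPorts\fR , except that ..." is ambiguous, because the entry being described is itself now called Ports; it should say "Same as \fBPorts\fR in the [GLOBAL] section, except that ...". The same line also has a stray space before the comma ("\fBPorts\fR ,"), which troff renders as "Ports ,"; moving the comma inside the font change as "\fBPorts\fR," fixes it.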

View File

@@ -52,9 +52,10 @@ static bool ConnSSL_LoadServerKey_openssl PARAMS(( SSL_CTX *c ));
#include <gnutls/x509.h>
#define DH_BITS 2048
#define DH_BITS_MIN 1024
static gnutls_certificate_credentials_t x509_cred;
static gnutls_dh_params_t dh_params;
static bool ConnSSL_LoadServerKey_gnutls PARAMS(( void ));
#endif
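Review bot: The new DH_BITS_MIN define has no comment explaining how it differs from DH_BITS two lines above; since both sit next to each other and the value is half of DH_BITS, a one-line comment stating that DH_BITS is the size ngIRCd generates for its own parameters while DH_BITS_MIN is the smallest prime accepted from a peer would make the intended asymmetry clear to the next reader.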
@@ -426,7 +427,7 @@ ConnSSL_Init_SSL(CONNECTION *c)
ConnSSL_Free(c);
return false;
}
gnutls_dh_set_prime_bits(c->ssl_state.gnutls_session, DH_BITS);
gnutls_dh_set_prime_bits(c->ssl_state.gnutls_session, DH_BITS_MIN);
#endif
Conn_OPTION_ADD(c, CONN_SSL);
return true;
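Review bot: The call gnutls_dh_set_prime_bits(c->ssl_state.gnutls_session, DH_BITS_MIN) in ConnSSL_Init_SSL lowers the accepted DH prime size from 2048 to 1024 bits for every session initialised here; the commit message says outgoing connections keep 2048 bits since commit 49b2d0e, but nothing in this hunk shows that distinction, so a comment at the call site (or a reference to where the 2048-bit parameters are applied) would help a reader verify that the relaxation is indeed limited to what ngIRCd accepts from peers and does not change what it generates.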