ChangeLog | 29 +++++++++++++++++++---------- INSTALL | 2 +- NEWS | 16 +++++++++++----- contrib/Debian/changelog | 6 ++++++ contrib/ngircd.spec | 2 +- doc/SSL.txt | 2 +- doc/sample-ngircd.conf.tmpl | 6 +++--- man/ngircd.8.tmpl | 29 +++++++++++++++++++++++++++-- man/ngircd.conf.5.tmpl | 16 ++++++++-------- src/ngircd/conn-ssl.c | 5 +++-- 10 files changed, 80 insertions(+), 33 deletions(-) diff --git a/ChangeLog b/ChangeLog index ce68efc..0b2f967 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -11,15 +11,24 @@ ngIRCd Release 18 + ngIRCd 18~rc2 (2011-06-29) + - Update documentation, fix some wording, and use a spellchecker :-) + - ngircd.conf.5: strip "SSL" prefix from variables in [SSL] section. + - ngircd.8: document debugging options. + - GnuTLS: use 1024 bits as minimum size of the DH prime. This enables + ngIRCd to accept incoming connections from other servers and clients + that "only" use at least 1024 bits again, like ngIRCd 17 did (and no + longer requires 2048 bits for incoming connections). + ngIRCd 18~rc1 (2011-06-27) - PAM warning message: make clear which "Password" config option is ignored. - - New configuration opion "MorePrivacy" to "censor" some user information. - When enabled, signon time and idle time is censored. Part and quit + - New configuration option "MorePrivacy" to "censor" some user information. + When enabled, signon time and idle time is left out. Part and quit messages are made to look the same. WHOWAS requests are silently dropped. All of this is useful if one wish to conceal users that access the ngircd servers from TOR or I2P. - New configuration option "ScrubCTCP" to scrub incoming CTCP commands. If - activated, the server silently drops incomming CTCP requests from both + activated, the server silently drops incoming CTCP requests from both other servers and from users. The server that scrubs CTCP will not forward the CTCP requests to other servers in the network either, which can spell trouble if not every oper knows about the CTCP-scrubbing. Scrubbing CTCP 
@@ -43,7 +52,7 @@ ngIRCd Release 18 would be best to just use 4096 bits, but that takes minutes, even on current hardware ... - contrib/platformtest.sh: fix gcc version detection. - - Avoid needlesly scary 'buffer overflow' messages: When the write buffer + - Avoid needlessly scary 'buffer overflow' messages: When the write buffer space grows too large, ngIRCd has to disconnect the client to avoid wasting too much memory, which is logged with a scary 'write buffer overflow' message. Change this to a more descriptive wording. @@ -59,8 +68,8 @@ ngIRCd Release 18 like e.g. snircd (QuakeNet) does. - Generate WALLOPS message on SQUIT from IRC operators; so SQUIT now behaves like CONNECT and DISCONNECT commands, when called by an IRC operator. - - Allow servers to send more commands in the first 10 secods ("burst"). This - helps to speed up server login and network synchronisation. + - Allow servers to send more commands in the first 10 seconds ("burst"). This + helps to speed up server login and network synchronization. - Add support for up to 3 targets in WHOIS queries, also allow up to one wildcard query from local hosts. Follows ircd 2.10 implementation rather than RFC 2812. At most 10 entries are returned per wildcard expansion. @@ -83,7 +92,7 @@ ngIRCd Release 18 - Don't access possibly free'd CLIENT structure. Ooops. - Allow "Port = 0" in [Server] blocks. Port number 0 marks remote servers that try to connect to this daemon, but where this daemon never tries to - establis a connection on its own: only incoming connections are allowed. + establish a connection on its own: only incoming connections are allowed. - Configuration: fix 'Value of "..." is not a number!' for negative values. - Enable WHOIS command to return information about services. - Implement channel mode 'O': "IRC operators only". This channel mode is 
@@ -100,9 +109,9 @@ ngIRCd Release 18 in [Global] are still accepted, so there is no functional change. - Fix confusing "adding to invite list" debug messages: adding entries to ban list produced 'invite list' debug output ... - - Don't throttle services and servers beeing registered. + - Don't throttle services and servers being registered. - Xcode: correctly sort files :-) - - Don't assert() when serching a client for an invalid server token (this is + - Don't assert() when searching a client for an invalid server token (this is only relevant when a trusted server on a server-server link sends invalid commands). @@ -113,7 +122,7 @@ ngIRCd Release 17.1 (2010-12-19) - Reset ID of outgoing server link on DNS error correctly - Don't log critical (or worse) messages to stderr - Manual page ngircd(8): add SIGNALS section - - Manual pages: update and simplyfy AUTHORS section + - Manual pages: update and simplify AUTHORS section - Remove "error file" when compiled with debug code enabled - README: Updated list of implemented commands - add doc/README-Interix.txt and doc/Bopm.txt to distribution tarball diff --git a/INSTALL b/INSTALL index 1e96e16..99fe33d 100644 --- a/INSTALL +++ b/INSTALL @@ -134,7 +134,7 @@ Again: "end users" do not need this step! The configure-script is used to detect local system dependencies. -In the perfect case, configure should recognise all needed libraries, header +In the perfect case, configure should recognize all needed libraries, header files and so on. If this shouldn't work, "./configure --help" shows all possible options. diff --git a/NEWS b/NEWS index 1d7e049..2f1e5be 100644 --- a/NEWS +++ b/NEWS 
@@ -10,14 +10,20 @@ ngIRCd Release 18 + ngIRCd 18~rc2 (2011-06-29) + - GnuTLS: use 1024 bits as minimum size of the DH prime. This enables + ngIRCd to accept incoming connections from other servers and clients + that "only" use at least 1024 bits again, like ngIRCd 17 did (and no + longer requires 2048 bits for incoming connections). + ngIRCd 18~rc1 (2011-06-27) - - New configuration opion "MorePrivacy" to "censor" some user information. - When enabled, signon time and idle time is censored. Part and quit + - New configuration option "MorePrivacy" to "censor" some user information. + When enabled, signon time and idle time is left out. Part and quit messages are made to look the same. WHOWAS requests are silently dropped. All of this is useful if one wish to conceal users that access the ngircd servers from TOR or I2P. - New configuration option "ScrubCTCP" to scrub incoming CTCP commands. If - activated, the server silently drops incomming CTCP requests from both + activated, the server silently drops incoming CTCP requests from both other servers and from users. The server that scrubs CTCP will not forward the CTCP requests to other servers in the network either, which can spell trouble if not every oper knows about the CTCP-scrubbing. Scrubbing CTCP @@ -34,7 +40,7 @@ ngIRCd Release 18 the [Global] section are deprecated now, but are still recognized. => Don't forget to check your configuration, use "ngircd --configtest"! - New documentation "how to contribute": doc/Contributing.txt. - - Avoid needlesly scary 'buffer overflow' messages: When the write buffer + - Avoid needlessly scary 'buffer overflow' messages: When the write buffer space grows too large, ngIRCd has to disconnect the client to avoid wasting too much memory, which is logged with a scary 'write buffer overflow' message. Change this to a more descriptive wording. 
@@ -63,7 +69,7 @@ ngIRCd Release 18 the moment. This enhances reliability on slow links. - Allow "Port = 0" in [Server] blocks. Port number 0 marks remote servers that try to connect to this daemon, but where this daemon never tries to - establis a connection on its own: only incoming connections are allowed. + establish a connection on its own: only incoming connections are allowed. - Enable WHOIS command to return information about services. - Implement channel mode 'O': "IRC operators only". This channel mode is used on DALnet (bahamut), for example. diff --git a/contrib/Debian/changelog b/contrib/Debian/changelog index 1b7997e..209fcbc 100644 --- a/contrib/Debian/changelog +++ b/contrib/Debian/changelog @@ -1,3 +1,9 @@ +ngircd (18~rc2-0ab1) unstable; urgency=low + + * New "upstream" release candidate 2 for ngIRCd Release 18. + + -- Alexander Barton Wed, 29 Jun 2011 10:20:51 +0200 + ngircd (18~rc1-0ab1) unstable; urgency=low * New "upstream" release candidate 1 for ngIRCd Release 18. diff --git a/contrib/ngircd.spec b/contrib/ngircd.spec index 6a2165b..7b7047a 100644 --- a/contrib/ngircd.spec +++ b/contrib/ngircd.spec @@ -1,5 +1,5 @@ %define name ngircd -%define version 18~rc1 +%define version 18~rc2 %define release 1 %define prefix %{_prefix} diff --git a/doc/SSL.txt b/doc/SSL.txt index b98c2fb..28ea2cd 100644 --- a/doc/SSL.txt +++ b/doc/SSL.txt @@ -34,7 +34,7 @@ possible to handle unencrypted and encrypted connections on the same port! This is a limitation of the IRC protocol ... You have to set (at least) the following configuration variables in the -[GLOBAL] section of ngircd.conf(5): SSLPorts, SSLKeyFile, and SSLCertFile. +[SSL] section of ngircd.conf(5): Ports, KeyFile, and CertFile. Now IRC clients are able to connect using SSL on the configured port(s). (Using port 6697 for encrypted connections is common.) diff --git a/doc/sample-ngircd.conf.tmpl b/doc/sample-ngircd.conf.tmpl index 7cd8afe..fb5d826 100644 --- a/doc/sample-ngircd.conf.tmpl 
+++ b/doc/sample-ngircd.conf.tmpl @@ -57,7 +57,7 @@ # This tells ngIRCd to write its current process ID to a file. # Note that the pidfile is written AFTER chroot and switching the # user ID, e.g. the directory the pidfile resides in must be - # writeable by the ngIRCd user and exist in the chroot directory. + # writable by the ngIRCd user and exist in the chroot directory. ;PidFile = /var/run/ngircd/ngircd.pid # Ports on which the server should listen. There may be more than @@ -110,7 +110,7 @@ [Options] # Optional features and configuration options to further tweak the - # behavior of ngIRCd. If you wan't to get started quickly, you most + # behavior of ngIRCd. If you want to get started quickly, you most # probably don't have to make changes here -- they are all optional. # Are remote IRC operators allowed to control this server, e.g. @@ -170,7 +170,7 @@ # "PONG" reply. ;RequireAuthPing = no - # Silently drop all incomming CTCP requests. + # Silently drop all incoming CTCP requests. ;ScrubCTCP = no # Syslog "facility" to which ngIRCd should send log messages. diff --git a/man/ngircd.8.tmpl b/man/ngircd.8.tmpl index 4a01d71..9da7ef8 100644 --- a/man/ngircd.8.tmpl +++ b/man/ngircd.8.tmpl @@ -26,7 +26,7 @@ there are good chances that it also supports other UNIX-based operating systems as well. By default, ngIRCd writes diagnostic and informational messages using the syslog mechanism. .SH OPTIONS -The default behaviour of +The default behavior of .BR ngircd is to read its standard configuration file (see below), to detach from the controlling terminal and to wait for clients. @@ -68,7 +68,7 @@ Default "message of the day" (MOTD). The daemon understands the following signals: .TP \fBTERM\fR -Shut down all conections and terminate the daemon. +Shut down all connections and terminate the daemon. .TP \fBHUP\fR Shut down all listening sockets, re-read the configuration file and 
@@ -76,6 +76,31 @@ re-initialize the daemon. .SH HINTS It's wise to use "ngircd \-\-configtest" to validate the configuration file after changing it. +.SH DEBUGGING +When ngIRCd is compiled with debug code, that is, its source code has +been ./configure'd with "--enable-debug" and/or "--enable-sniffer" (witch +enables debug mode automatically as well), you can use two more command +line options and two more signals to debug problems with the daemon itself +or IRC clients: +.PP +\fBOptions:\fR +.TP +\fB\-d\fR, \fB\-\-debug\fR +Enable debug mode and log extra messages. +.TP +\fB\-s\fR, \fB\-\-sniffer\fR +Enable IRC protocol sniffer, which logs all sent and received IRC commands to +the console/syslog. This option requires that ngIRCd has been ./configure'd +with "--enable-sniffer" and enables debug mode automatically, too. +.PP +\fBSignals:\fR +.TP +\fBUSR1\fR +Toggle debug mode on and off during runtime. +.TP +\fBUSR2\fR +Dump internal server state to the console/syslog when debug mode is on (use +command line option \-\-debug or signal USR1). .SH AUTHORS Alexander Barton, .br diff --git a/man/ngircd.conf.5.tmpl b/man/ngircd.conf.5.tmpl index d25f1eb..38ac40b 100644 --- a/man/ngircd.conf.5.tmpl +++ b/man/ngircd.conf.5.tmpl @@ -128,7 +128,7 @@ if ngIRCd is using PAM! \fBPidFile\fR (string) This tells ngIRCd to write its current process ID to a file. Note that the pidfile is written AFTER chroot and switching the user ID, e.g. the directory -the pidfile resides in must be writeable by the ngIRCd user and exist in the +the pidfile resides in must be writable by the ngIRCd user and exist in the chroot directory (if configured, see above). .TP \fBPorts\fR (list of numbers) 
@@ -192,7 +192,7 @@ If a client fails to answer a PING with a PONG within seconds, it will be disconnected by the server. Default: 20. .SH [OPTIONS] Optional features and configuration options to further tweak the behavior of -ngIRCd. If you wan't to get started quickly, you most probably don't have to +ngIRCd. If you want to get started quickly, you most probably don't have to make changes here -- they are all optional. .TP \fBAllowRemoteOper\fR (boolean) @@ -291,7 +291,7 @@ Default: no. If set to true, ngIRCd will silently drop all CTCP requests sent to it from both clients and servers. It will also not forward CTCP requests to any other servers. CTCP requests can be used to query user clients about which -software they are using and which versions said softare is. CTCP can also be +software they are using and which versions said software is. CTCP can also be used to reveal clients IP numbers. ACTION CTCP requests are not blocked, this means that /me commands will not be dropped, but please note that blocking CTCP will disable file sharing between users! @@ -314,10 +314,10 @@ All SSL-related configuration variables are located in the section. Please note that this whole section is only recognized by ngIRCd when it is compiled with support for SSL using OpenSSL or GnuTLS! .TP -\fBSSLCertFile\fR (string) +\fBCertFile\fR (string) SSL Certificate file of the private server key. .TP -\fBSSLDHFile\fR (string) +\fBDHFile\fR (string) Name of the Diffie-Hellman Parameter file. Can be created with GnuTLS "certtool \-\-generate-dh-params" or "openssl dhparam". If this file is not present, it will be generated on startup when ngIRCd was compiled with GnuTLS 
@@ -325,14 +325,14 @@ support (this may take some time). If ngIRCd was compiled with OpenSSL, then (Ephemeral)-Diffie-Hellman Key Exchanges and several Cipher Suites will not be available. .TP -\fBSSLKeyFile\fR (string) +\fBKeyFile\fR (string) Filename of SSL Server Key to be used for SSL connections. This is required for SSL/TLS support. .TP -\fBSSLKeyFilePassword\fR (string) +\fBKeyFilePassword\fR (string) OpenSSL only: Password to decrypt the private key file. .TP -\fBSSLPorts\fR (list of numbers) +\fBPorts\fR (list of numbers) Same as \fBPorts\fR , except that ngIRCd will expect incoming connections to be SSL/TLS encrypted. Common port numbers for SSL-encrypted IRC are 6669 and 6697. Default: none. diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c index 7630420..ffb1b10 100644 --- a/src/ngircd/conn-ssl.c +++ b/src/ngircd/conn-ssl.c @@ -52,9 +52,10 @@ static bool ConnSSL_LoadServerKey_openssl PARAMS(( SSL_CTX *c )); #include #define DH_BITS 2048 +#define DH_BITS_MIN 1024 + static gnutls_certificate_credentials_t x509_cred; static gnutls_dh_params_t dh_params; - static bool ConnSSL_LoadServerKey_gnutls PARAMS(( void )); #endif @@ -426,7 +427,7 @@ ConnSSL_Init_SSL(CONNECTION *c) ConnSSL_Free(c); return false; } - gnutls_dh_set_prime_bits(c->ssl_state.gnutls_session, DH_BITS); + gnutls_dh_set_prime_bits(c->ssl_state.gnutls_session, DH_BITS_MIN); #endif Conn_OPTION_ADD(c, CONN_SSL); return true;
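Review bot: In the man/ngircd.8.tmpl hunk that adds the DEBUGGING section, "which" is misspelled in `"--enable-sniffer" (witch enables debug mode automatically as well)`, which stands out in a commit that is otherwise a spelling pass. The same added paragraphs write `"--enable-debug"` and `"--enable-sniffer"` with bare hyphens, while the HINTS line just above (`"ngircd \-\-configtest"`) and the new option entries (`\fB\-\-debug\fR`) escape them; using `\-\-` throughout keeps the rendered page consistent.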
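Review bot: In the man/ngircd.conf.5.tmpl hunk at -325,14, renaming `SSLPorts` to `Ports` leaves the description reading `Same as \fBPorts\fR , except that ngIRCd will expect incoming connections to be SSL/TLS encrypted`, so the entry now refers to itself. Suggest naming the section of the non-SSL Ports variable in that sentence so the reader knows which one is meant. The neighbouring `CertFile`, `DHFile`, `KeyFile` and `KeyFilePassword` renames read fine, but none of the entries mentions that the old "SSL"-prefixed names are still accepted, which NEWS states for the deprecated [Global] variables; a short note here would help operators upgrading an existing configuration.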
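Review bot: In the first src/ngircd/conn-ssl.c hunk (-52,9), `#define DH_BITS_MIN 1024` is added beside `#define DH_BITS 2048` with no comment saying what each constant governs, and the names alone do not make the difference obvious to the next person touching this file. Suggest a one-line comment on each define. The hunk also drops the blank line between `static gnutls_dh_params_t dh_params;` and the `ConnSSL_LoadServerKey_gnutls` prototype, which is an unrelated whitespace change and would be better left out of this commit.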
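Review bot: In the second src/ngircd/conn-ssl.c hunk (-426,7), `gnutls_dh_set_prime_bits(c->ssl_state.gnutls_session, DH_BITS_MIN);` sits in ConnSSL_Init_SSL() with no condition around it in the visible lines, so the 1024-bit floor is set for every GnuTLS session initialised through this function, while the ChangeLog and NEWS entries describe the change only in terms of incoming connections. If the aim is compatibility with peers that ngIRCd 17 accepted, consider making the minimum a setting in the [SSL] section with 1024 as the compatibility value, or at least say in the ChangeLog entry that the lower floor applies to all GnuTLS sessions, so operators who relied on 2048 bits being required know it is no longer enforced.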