InspIRCd-2.0.23 r0 - How to disable old ciphers #2129

GabrieleMax · 2024-11-27T10:37:25Z

GabrieleMax
Nov 27, 2024

I have an old version of InspIRCd (2.0.23 r0), in the future plans obviously it'll be an update action asap but now I should disable weak ciphers like:
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-CHACHA20-POLY1305
DHE-RSA-CAMELLIA256-GCM-SHA384
DHE-RSA-AES256-CCM

I tried in the config file the option priority="PFS" but it doesn't disable weak ciphers, after it I tried something like priority="PFS:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-CHACHA20-POLY1305:!DHE-RSA-CAMELLIA256-GCM-SHA384:!DHE-RSA-AES256-CCM" but InspIRCd's log said it doesn't work and it switches to priority="NORMAL".

Is there a way to manage\disable weak ciphers?

SadieCat · 2024-11-27T10:50:49Z

SadieCat
Nov 27, 2024
Maintainer

How to configure a GnuTLS priority string is documented here:

https://gnutls.org/manual/html_node/Priority-Strings.html#Using-Priority-Strings

You can get a list of cipher suites with gnutls-cli --list.

4 replies

GabrieleMax Nov 29, 2024
Author

Thanks SadieCat for your reply! :)

I already knew the list of GnuTLS strings, I also tried SECURE256 but when I check the ciphers by:

openssl s_client -connect <server_ip>:6667 -cipher DHE-RSA-AES256-GCM-SHA384

the result is "connected" so I need to know if in the InspIRCd's config file I could use\add a tag like ciphers= where I can exclude particular ciphers.

SadieCat Nov 29, 2024
Maintainer

You can disable ciphers using a priority string. They are documented on the GnuTLS docs page I linked as well as on the page linked from that.

GnuTLS does not use the same names as OpenSSL. You need to use the the GnuTLS names if you are using the ssl_gnutls module.

GabrieleMax Dec 13, 2024
Author

Thanks SadieCat for your reply, I updated my irc server to the latest version 4.4.0, there are enabled TLS v1.3 and v1.2, I'd like to use just TLS v1.3 and I'd like to set the max values of security (now I have priority="SECURE256").

Obviously I'm reading Inspircd's doc and I hope to find what I'd like to do but if you know something about it you can feel free to write it! Thanks! :)

SadieCat Dec 19, 2024
Maintainer

You probably want a priority string like SECURE192:-VERS-TLS-ALL:+VERS-TLS1.3.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

InspIRCd

InspIRCd-2.0.23 r0 - How to disable old ciphers #2129

{{title}}

Replies: 1 comment 4 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

InspIRCd

InspIRCd-2.0.23 r0 - How to disable old ciphers #2129

GabrieleMax Nov 27, 2024

Replies: 1 comment · 4 replies

SadieCat Nov 27, 2024 Maintainer

GabrieleMax Nov 29, 2024 Author

SadieCat Nov 29, 2024 Maintainer

GabrieleMax Dec 13, 2024 Author

SadieCat Dec 19, 2024 Maintainer

GabrieleMax
Nov 27, 2024

Replies: 1 comment 4 replies

SadieCat
Nov 27, 2024
Maintainer

GabrieleMax Nov 29, 2024
Author

SadieCat Nov 29, 2024
Maintainer

GabrieleMax Dec 13, 2024
Author

SadieCat Dec 19, 2024
Maintainer