repo: ngircd
action: commit
revision: 
path_from: 
revision_from: bb20aeb9bcbb27eda540a6df2faf2d07e71d23f3:
path_to: 
revision_to:
git.thebackupbox.net
ngircd
git clone git://git.thebackupbox.net/ngircd
commit bb20aeb9bcbb27eda540a6df2faf2d07e71d23f3
Author: Alexander Barton 
Date:   Fri Sep 21 10:36:09 2012 +0200

    Initialize SSL when needed only, and disable SSL on errors

    With this patch, the SSL subsystem will only be initialized if at least
    one SSL ports is configured; so you won't get "SSL initialization failed"
    messages if you didn't configured it at all.

    And if SSL initialization fails, no SSL listen ports will be enabled
    later which never could establish a working SSL connection at all ...

diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c
index 8f7b70afccb0e310793013e0f53ee5f38522a614..
index ..914d01651235ad16af2e81ebb3d9a045e1d39a37 100644
--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@@ -241,6 +241,9 @@ void ConnSSL_Free(CONNECTION *c)
 bool
 ConnSSL_InitLibrary( void )
 {
+	if (!array_bytes(&Conf_SSLOptions.ListenPorts))
+		return true;
+
 #ifdef HAVE_LIBSSL
 	SSL_CTX *newctx;

@@ -256,12 +259,14 @@ ConnSSL_InitLibrary( void )
 		 * According to OpenSSL RAND_egd(3): "The automatic query of /var/run/egd-pool et al was added in OpenSSL 0.9.7";
 		 * so it makes little sense to deal with PRNGD seeding ourselves.
 		 */
+		array_free(&Conf_SSLOptions.ListenPorts);
 		return false;
 	}

 	newctx = SSL_CTX_new(SSLv23_method());
 	if (!newctx) {
 		LogOpenSSLError("SSL_CTX_new()", NULL);
+		array_free(&Conf_SSLOptions.ListenPorts);
 		return false;
 	}

@@ -276,6 +281,7 @@ ConnSSL_InitLibrary( void )
 	return true;
 out:
 	SSL_CTX_free(newctx);
+	array_free(&Conf_SSLOptions.ListenPorts);
 	return false;
 #endif
 #ifdef HAVE_LIBGNUTLS
@@ -287,10 +293,13 @@ out:
 	err = gnutls_global_init();
 	if (err) {
 		Log(LOG_ERR, "gnutls_global_init(): %s", gnutls_strerror(err));
+		array_free(&Conf_SSLOptions.ListenPorts);
 		return false;
 	}
-	if (!ConnSSL_LoadServerKey_gnutls())
+	if (!ConnSSL_LoadServerKey_gnutls()) {
+		array_free(&Conf_SSLOptions.ListenPorts);
 		return false;
+	}
 	Log(LOG_INFO, "gnutls %s initialized.", gnutls_check_version(NULL));
 	initialized = true;
 	return true;
@@ -313,7 +322,7 @@ ConnSSL_LoadServerKey_gnutls(void)

 	cert_file = Conf_SSLOptions.CertFile ? Conf_SSLOptions.CertFile:Conf_SSLOptions.KeyFile;
 	if (!cert_file) {
-		Log(LOG_NOTICE, "No SSL server key configured, SSL disabled.");
+		Log(LOG_ERR, "No SSL server key configured!");
 		return false;
 	}

@@ -344,7 +353,7 @@ ConnSSL_LoadServerKey_openssl(SSL_CTX *ctx)

 	assert(ctx);
 	if (!Conf_SSLOptions.KeyFile) {
-		Log(LOG_NOTICE, "No SSL server key configured, SSL disabled.");
+		Log(LOG_ERR, "No SSL server key configured!");
 		return false;
 	}

diff --git a/src/ngircd/ngircd.c b/src/ngircd/ngircd.c
index 585e2ac0ae8ad1981c7e0b033855df39c2996659..
index ..a4c2fe8aabc07c72ff5fa00b21330ea087612856 100644
--- a/src/ngircd/ngircd.c
+++ b/src/ngircd/ngircd.c
@@ -662,7 +662,7 @@ NGIRCd_Init(bool NGIRCd_NoDaemon)
 	/* SSL initialization */
 	if (!ConnSSL_InitLibrary())
 		Log(LOG_WARNING,
-		    "Warning: Error during SSL initialization, continuing ...");
+		    "Error during SSL initialization, continuing without SSL ...");

 	/* Change root */
 	if (Conf_Chroot[0]) {

-----END OF PAGE-----