summary refs log tree commit diff
diff options
context:
space:
mode:
authorKlemens Nanni2021-06-20 14:42:10 +0000
committerC. McEnroe2021-06-20 20:25:56 -0400
commit585039fb6e5097cfd16bc083c6d1c9356b237882 (patch)
tree14fc7c960ac6a0d1a37bb7cab27ac105232a01cc
parent3a38e36717ff24a3c028c1c7cfe477d9fec95498 (diff)
Use "secure" libtls ciphers
d3e90b6 'Use libtls "compat" ciphers' from 2018 fell back to "compat"
ciphers to support irc.mozilla.org which now yields NXDOMAIN.

All modern networks (should) support secure ciphers, so drop the
hopefully unneeded list of less secure ciphers by avoiding
tls_config_set_ciphers(3) and therefore sticking to the "secure" aka.
"default" set of ciphers in libtls.

A quick check shows that almost all of the big/known IRC networks
support TLS1.3 already;  those who do not at least comply with
SSL_CTX_set_cipher_list(3)'s "HIGH" set as can be tested like this:

	echo \
	  irc.hackint.org \
	  irc.tilde.chat \
	  irc.libera.chat \
	  irc.efnet.nl \
	  irc.oftc.net |
	xargs -tn1 \
	openssl s_client -quiet -cipher HIGH -no_ign_eof -port 6697 -host
-rw-r--r--irc.c9
1 files changed, 1 insertions, 8 deletions
diff --git a/irc.c b/irc.c
index 089f9ea..3f0de3c 100644
--- a/irc.c
+++ b/irc.c
@@ -49,14 +49,7 @@ void ircConfig(
 	struct tls_config *config = tls_config_new();
 	if (!config) errx(EX_SOFTWARE, "tls_config_new");
 
-	int error = tls_config_set_ciphers(config, "compat");
-	if (error) {
-		errx(
-			EX_SOFTWARE, "tls_config_set_ciphers: %s",
-			tls_config_error(config)
-		);
-	}
-
+	int error;
 	if (insecure) {
 		tls_config_insecure_noverifycert(config);
 		tls_config_insecure_noverifyname(config);