We have replaced the Windows download of UnrealIRCd 4.0.10 on our website (new filename: unrealircd-4.0.10-sslfix.exe). If you use Windows and elliptic curve certificates then you should upgrade to this version.
For reference, the exact text from the LibreSSL folks is as follows:
Code: Select all
* Avoid a side-channel cache-timing attack that can leak the ECDSA
private keys when signing. This is due to BN_mod_inverse() being
used without the constant time flag being set. Reported by Cesar
Pereida Garcia and Billy Brumley (Tampere University of Technology).
The fix was developed by Cesar Pereida Garcia.
If you see this then it's the old version with the ECDSA bug:
Code: Select all
[08:18:08] -irc.test.net- LibreSSL 2.4.4
Code: Select all
[08:30:24] -irc.test.net- LibreSSL 2.4.5