Updated UnrealIRCd 4.0.10 for Windows

Posted: Thu Feb 02, 2017 8:06 am
by Syzop
LibreSSL, the library we use for SSL/TLS on Windows, has released an update. There seemed to be a security issue in the way they implemented ECDSA. This is only an issue if you use elliptic curve certificates, not if you use RSA certificates (=the default).
We have replaced the Windows download of UnrealIRCd 4.0.10 on our website (new filename: unrealircd-4.0.10-sslfix.exe). If you use Windows and elliptic curve certificates then you should upgrade to this version.

For reference, the exact text from the LibreSSL folks is as follows:

    * Avoid a side-channel cache-timing attack that can leak the ECDSA
      private keys when signing. This is due to BN_mod_inverse() being
      used without the constant time flag being set. Reported by Cesar
      Pereida Garcia and Billy Brumley (Tampere University of Technology).
      The fix was developed by Cesar Pereida Garcia.

You can use /VERSION on IRC as an IRCOp(!) to figure out which LibreSSL version is in use.
If you see this then it's the old version with the ECDSA bug:

    [08:18:08] -irc.test.net- LibreSSL 2.4.4

After upgrading you should see this, which confirms you are using the new version:

    [08:30:24] -irc.test.net- LibreSSL 2.4.5

As always, you can download UnrealIRCd from https://www.unrealircd.org