Add/use option: SCFG->System->Security->Create Self-signed Certificate

Default to false / No. Maybe this should default to true / Yes until a certificate (e.g. from Let's Encrypt) is successfully provisioned? Anyway, this is just a quick-hack to address the issue where a sysop's CA-sigend certificate may be overwritten with a self-signed certificate if for some reason Synchronet can't find/read the ssl.cert file. See issue #881.

Add/use option: SCFG->System->Security->Create Self-signed Certificate
cc717b40 · Rob Swindell · db19ad6f · cc717b40 · cc717b40 · cc717b40
Commit cc717b40 authored 2 months ago by Rob Swindell
--- a/src/sbbs3/scfg/scfgsys.c
+++ b/src/sbbs3/scfg/scfgsys.c
@@ -633,7 +633,8 @@ void security_cfg(void)
 		snprintf(opt[i++], MAX_OPLN, "%-33.33s%s", "Open to New Users", str);
 		snprintf(opt[i++], MAX_OPLN, "%-33.33s%s", "User Expires When Out-of-time"
 		         , cfg.sys_misc & SM_TIME_EXP ? "Yes" : "No");
-
+		snprintf(opt[i++], MAX_OPLN, "%-33.33s%s", "Create Self-signed Certificate"
+		         , cfg.create_self_signed_cert ? "Yes" : "No");
 		strcpy(opt[i++], "Security Level Values...");
 		strcpy(opt[i++], "Expired Account Values...");
 		strcpy(opt[i++], "Quick-Validation Values...");
@@ -896,6 +897,24 @@ void security_cfg(void)
 					cfg.sys_misc &= ~SM_TIME_EXP;
 				}
 				break;
+			case __COUNTER__:
+				i = cfg.create_self_signed_cert ? 0 : 1;
+				uifc.helpbuf =
+					"`Create Self-signed TLS Certificate:`\n"
+					"\n"
+					"If you want Synchronet to automatically create a self-signed certificate\n"
+					"(for TLS connections) when the certificate file (`ctrl/ssl.cert`) cannot\n"
+					"be found or read, set this option to `Yes`.\n"
+				;
+				i = uifc.list(WIN_MID | WIN_SAV, 0, 0, 0, &i, 0
+				              , "Create Self-signed Certificate", uifcYesNoOpts);
+				if (!i && !cfg.create_self_signed_cert) {
+					cfg.create_self_signed_cert = true;
+				}
+				else if (i == 1 && cfg.create_self_signed_cert) {
+					cfg.create_self_signed_cert = false;
+				}
+				break;
 			case __COUNTER__: /* Security Levels */
 				k = 0;
 				while (1) {

--- a/src/sbbs3/scfgdefs.h
+++ b/src/sbbs3/scfgdefs.h
@@ -506,6 +506,8 @@ typedef struct
 	uint16_t		filename_maxlen;	/* Maximum filename length */
 	str_list_t      supported_archive_formats;    /* Full support in libachive */

+	bool			create_self_signed_cert;
+
 	fevent_t		node_daily;			/* Node's daily event */
 	uint32_t		node_misc;			/* Misc bits for node setup */
 	bool			spinning_pause_prompt;

--- a/src/sbbs3/scfglib1.c
+++ b/src/sbbs3/scfglib1.c
@@ -127,6 +127,7 @@ bool read_main_cfg(scfg_t* cfg, char* error, size_t maxerrlen)
 	cfg->max_getkey_inactivity = (uint)iniGetDuration(ini, ROOT_SECTION, "max_getkey_inactivity", 300);
 	cfg->inactivity_warn = (uchar)iniGetUInteger(ini, ROOT_SECTION, "inactivity_warn", 75);
 	cfg->spinning_pause_prompt = iniGetBool(ini, ROOT_SECTION, "spinning_pause_prompt", true);
+	cfg->create_self_signed_cert = iniGetBool(ini, ROOT_SECTION, "create_self_signed_cert", false);

 	cfg->user_backup_level = iniGetUInteger(ini, ROOT_SECTION, "user_backup_level", 5);
 	cfg->mail_backup_level = iniGetUInteger(ini, ROOT_SECTION, "mail_backup_level", 5);

--- a/src/sbbs3/scfgsave.c
+++ b/src/sbbs3/scfgsave.c
@@ -147,6 +147,7 @@ bool write_main_cfg(scfg_t* cfg)
 	iniSetDuration(&ini, ROOT_SECTION, "max_getkey_inactivity", cfg->max_getkey_inactivity, NULL);
 	iniSetUInteger(&ini, ROOT_SECTION, "inactivity_warn", cfg->inactivity_warn, NULL);
 	iniSetBool(&ini, ROOT_SECTION, "spinning_pause_prompt", cfg->spinning_pause_prompt, NULL);
+	iniSetBool(&ini, ROOT_SECTION, "create_self_signed_cert", cfg->create_self_signed_cert, NULL);
 	iniSetUInteger(&ini, ROOT_SECTION, "user_backup_level", cfg->user_backup_level, NULL);
 	iniSetUInteger(&ini, ROOT_SECTION, "mail_backup_level", cfg->mail_backup_level, NULL);
 	iniSetUInteger(&ini, ROOT_SECTION, "config_backup_level", cfg->config_backup_level, NULL);

--- a/src/sbbs3/ssl.c
+++ b/src/sbbs3/ssl.c
@@ -476,6 +476,12 @@ static struct cert_list * get_ssl_cert(scfg_t *cfg, int (*lprintf)(int level, co
 		}
 	}
 	else {
+		lprintf(LOG_WARNING, "Failed to open/read TLS certificate: %s", cert_path);
+		if (!cfg->create_self_signed_cert) {
+			assert_pthread_mutex_unlock(&get_ssl_cert_mutex);
+			free(cert_entry);
+			return NULL;
+		}
 		lprintf(LOG_NOTICE, "Creating self-signed TLS certificate");
 		/* Couldn't do that... create a new context and use the cert from there... */
 		if (!DO("creating TLS context", CRYPT_UNUSED, cryptCreateContext(&cert_entry->cert, CRYPT_UNUSED, CRYPT_ALGO_RSA))) {