INN commit: trunk (4 files)

INN Commit rra at isc.org
Thu Aug 4 19:56:42 UTC 2016


    Date: Thursday, August 4, 2016 @ 12:56:42
  Author: iulius
Revision: 10043

Disable TLS-level compression by default in inn.conf

Modified:
  trunk/doc/pod/inn.conf.pod
  trunk/doc/pod/news.pod
  trunk/lib/innconf.c
  trunk/samples/inn.conf.in

----------------------+
 doc/pod/inn.conf.pod |   13 ++++++++-----
 doc/pod/news.pod     |    7 +++++++
 lib/innconf.c        |    2 +-
 samples/inn.conf.in  |    2 +-
 4 files changed, 17 insertions(+), 7 deletions(-)

Modified: doc/pod/inn.conf.pod
===================================================================
--- doc/pod/inn.conf.pod	2016-08-04 19:52:13 UTC (rev 10042)
+++ doc/pod/inn.conf.pod	2016-08-04 19:56:42 UTC (rev 10043)
@@ -1096,8 +1096,10 @@
 
 =item I<tlscompression>
 
-Whether to enable or disable SSL/TLS compression support.  This is a
-boolean and the default is true, that is to say compression is enabled.
+Whether to enable or disable SSL/TLS-level compression support.
+This is a boolean and the default is false, that is to say compression
+is disabled, so as to follow the best current practices for a secure
+use of TLS in application protocols like NNTP.
 
 =item I<tlseccurve>
 
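Review bot: the new sentence justifies the default with "the best current practices for a secure use of TLS in application protocols" without saying which recommendation it means; naming the document being followed and, in one clause, what threat the practice addresses would let administrators judge whether re-enabling compression is ever justified for them. The entry still reads as a neutral on/off switch, so consider stating explicitly that setting I<tlscompression> to true is discouraged.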
@@ -1112,9 +1114,10 @@
 
 =item I<tlspreferserverciphers>
 
-Whether to let the client or the server decide the preferred cipher.
-This is a boolean and the default is true, that is to say the server
-decides the preferred cipher.
+Whether to let the client or the server decide the preferred cipher
+suite, signature algorithm or elliptic curve to use for an incoming
+connection.  This is a boolean and the default is true, that is to say
+the server will choose following its own preferences.
 
 =item I<tlsprotocols>
 
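Review bot: this hunk only rewords the I<tlspreferserverciphers> description and is unrelated to the tlscompression default change named in the commit message; either mention it in the commit message or split it into its own commit so the two changes can be reviewed and reverted independently. In the new text, "the server will choose following its own preferences" reads awkwardly; "the server chooses according to its own preference order" would be clearer.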

Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod	2016-08-04 19:52:13 UTC (rev 10042)
+++ doc/pod/news.pod	2016-08-04 19:56:42 UTC (rev 10043)
@@ -21,6 +21,13 @@
 
 =item *
 
+The default value for the I<tlscompression> parameter in F<inn.conf>
+has changed.  TLS-level compression is now disabled by default, to comply
+with the best current practices for a secure use of TLS in application
+protocols like NNTP.  Using the new COMPRESS command is recommended.
+
+=item *
+
 B<rnews> no longer segfaults at startup when started setuid news.
 Thanks to Marcus Jodorf for the bug report.
 
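Review bot: the entry tells administrators that the default changed but not what to do with an existing F<inn.conf>: a line that already sets I<tlscompression> to true keeps compression enabled, so the entry should say that an explicit setting overrides the new default and should be removed unless compression is really wanted. "Using the new COMPRESS command is recommended" also needs a pointer to where the COMPRESS command is documented and whether it has to be enabled separately, otherwise readers cannot act on the recommendation.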

Modified: lib/innconf.c
===================================================================
--- lib/innconf.c	2016-08-04 19:52:13 UTC (rev 10042)
+++ lib/innconf.c	2016-08-04 19:56:42 UTC (rev 10043)
@@ -233,7 +233,7 @@
     { K(tlscertfile),             STRING  (NULL) },
     { K(tlskeyfile),              STRING  (NULL) },
     { K(tlsciphers),              STRING  (NULL) },
-    { K(tlscompression),          BOOL    (true) },
+    { K(tlscompression),          BOOL   (false) },
     { K(tlseccurve),              STRING  (NULL) },
     { K(tlspreferserverciphers),  BOOL    (true) },
     { K(tlsprotocols),            LIST    (NULL) },
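Review bot: this table entry is now the only place the secure default is enforced in code, yet it carries no comment explaining why it differs from the other TLS booleans, which makes it easy to flip back during a future cleanup; a one-line comment pointing at the rationale in doc/pod/inn.conf.pod would help. The three-space gap before `(false)` keeps the closing-parenthesis column aligned with the neighbouring `(true)` and `(NULL)` entries, which matches the rest of the table.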

Modified: samples/inn.conf.in
===================================================================
--- samples/inn.conf.in	2016-08-04 19:52:13 UTC (rev 10042)
+++ samples/inn.conf.in	2016-08-04 19:56:42 UTC (rev 10043)
@@ -140,7 +140,7 @@
 #tlscertfile:                @sysconfdir@/cert.pem
 #tlskeyfile:                 @sysconfdir@/key.pem
 #tlsciphers:
-#tlscompression:             true
+#tlscompression:             false
 #tlseccurve:
 #tlspreferserverciphers:     true
 #tlsprotocols:               [ TLSv1 TLSv1.1 TLSv1.2 ]
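Review bot: consistent with the new default in lib/innconf.c. Because the line stays commented out, the sample only documents the default and changes nothing for installations that have uncommented it as `tlscompression: true`, so the warning about explicit settings belongs in the upgrade notes rather than in this file.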
