INN commit: branches/2.6 (4 files)
INN Commit
rra at isc.org
Fri Aug 5 11:40:25 UTC 2016
Date: Friday, August 5, 2016 @ 04:40:25
Author: iulius
Revision: 10049
Disable TLS-level compression by default in inn.conf
Modified:
branches/2.6/doc/pod/inn.conf.pod
branches/2.6/doc/pod/news.pod
branches/2.6/lib/innconf.c
branches/2.6/samples/inn.conf.in
----------------------+
doc/pod/inn.conf.pod | 13 ++++++++-----
doc/pod/news.pod | 7 +++++++
lib/innconf.c | 2 +-
samples/inn.conf.in | 2 +-
4 files changed, 17 insertions(+), 7 deletions(-)
Modified: doc/pod/inn.conf.pod
===================================================================
--- doc/pod/inn.conf.pod 2016-08-04 20:05:25 UTC (rev 10048)
+++ doc/pod/inn.conf.pod 2016-08-05 11:40:25 UTC (rev 10049)
@@ -1096,8 +1096,10 @@
=item I<tlscompression>
-Whether to enable or disable SSL/TLS compression support. This is a
-boolean and the default is true, that is to say compression is enabled.
+Whether to enable or disable SSL/TLS-level compression support.
+This is a boolean and the default is false, that is to say compression
+is disabled, so as to follow the best current practices for a secure
+use of TLS in application protocols like NNTP.
=item I<tlseccurve>
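Review bot: the justification added here ("best current practices for a secure use of TLS in application protocols") would help administrators more if it named the guidance and the risk: TLS-level compression lets record lengths reveal information about the plaintext, which is why current recommendations (RFC 7525 / BCP 195) say to disable it. Suggest a closing sentence such as "TLS-level compression is known to leak information about the plaintext through record lengths; see RFC 7525." so that a site re-enabling it does so knowingly.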
@@ -1112,9 +1114,10 @@
=item I<tlspreferserverciphers>
-Whether to let the client or the server decide the preferred cipher.
-This is a boolean and the default is true, that is to say the server
-decides the preferred cipher.
+Whether to let the client or the server decide the preferred cipher
+suite, signature algorithm or elliptic curve to use for an incoming
+connection. This is a boolean and the default is true, that is to say
+the server will choose following its own preferences.
=item I<tlsprotocols>
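Review bot: this hunk widens the description of tlspreferserverciphers from the preferred cipher to "cipher suite, signature algorithm or elliptic curve", but only the documentation changes in this commit; please confirm that the TLS setup code actually applies the server's preference to signature algorithms and curves for every OpenSSL version INN supports, otherwise the text promises more than the option does. The last sentence would also read better as "the server's own preference order is used."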
Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod 2016-08-04 20:05:25 UTC (rev 10048)
+++ doc/pod/news.pod 2016-08-05 11:40:25 UTC (rev 10049)
@@ -21,6 +21,13 @@
=item *
+The default value for the I<tlscompression> parameter in F<inn.conf>
+has changed. TLS-level compression is now disabled by default, to comply
+with the best current practices for a secure use of TLS in application
+protocols like NNTP. Using the new COMPRESS command is recommended.
+
+=item *
+
B<rnews> no longer segfaults at startup when started setuid news.
Thanks to Marcus Jodorf for the bug report.
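Review bot: the NEWS entry should tell upgrading administrators what the change means for an existing installation: only an inn.conf that leaves tlscompression unset picks up the new default, and a site that still relies on TLS-level compression must now set "tlscompression: true" explicitly. The closing "Using the new COMPRESS command is recommended." reads as an aside; say where the COMPRESS command is documented so readers can find it.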
Modified: lib/innconf.c
===================================================================
--- lib/innconf.c 2016-08-04 20:05:25 UTC (rev 10048)
+++ lib/innconf.c 2016-08-05 11:40:25 UTC (rev 10049)
@@ -233,7 +233,7 @@
{ K(tlscertfile), STRING (NULL) },
{ K(tlskeyfile), STRING (NULL) },
{ K(tlsciphers), STRING (NULL) },
- { K(tlscompression), BOOL (true) },
+ { K(tlscompression), BOOL (false) },
{ K(tlseccurve), STRING (NULL) },
{ K(tlspreferserverciphers), BOOL (true) },
{ K(tlsprotocols), LIST (NULL) },
Modified: samples/inn.conf.in
===================================================================
--- samples/inn.conf.in 2016-08-04 20:05:25 UTC (rev 10048)
+++ samples/inn.conf.in 2016-08-05 11:40:25 UTC (rev 10049)
@@ -140,7 +140,7 @@
#tlscertfile: @sysconfdir@/cert.pem
#tlskeyfile: @sysconfdir@/key.pem
#tlsciphers:
-#tlscompression: true
+#tlscompression: false
#tlseccurve:
#tlspreferserverciphers: true
#tlsprotocols: [ TLSv1 TLSv1.1 TLSv1.2 ]
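Review bot: while this sample is being tightened to follow the same TLS best-practice guidance cited in the doc hunk, the neighbouring line "#tlsprotocols: [ TLSv1 TLSv1.1 TLSv1.2 ]" still advertises TLSv1 and TLSv1.1 as the commented-out default, which that guidance discourages. Not a blocker for this change, but worth a follow-up so the sample does not steer administrators toward protocol versions the same guidance tells them to drop.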