INN commit: trunk (6 files)
INN Commit
rra at isc.org
Thu Sep 1 15:09:04 UTC 2016
Date: Thursday, September 1, 2016 @ 08:09:03
Author: iulius
Revision: 10057
Homogenize the use of TLS/SSL in documentation
Also, when TLS-level compression is wanted, or server preferences
should be followed, be sure it is the case (if OpenSSL supports it).
Modified:
trunk/doc/pod/inn.conf.pod
trunk/doc/pod/news.pod
trunk/doc/pod/nnrpd.pod
trunk/include/inn/innconf.h
trunk/lib/innconf.c
trunk/nnrpd/tls.c
-----------------------+
doc/pod/inn.conf.pod | 7 +++++--
doc/pod/news.pod | 8 ++++----
doc/pod/nnrpd.pod | 2 +-
include/inn/innconf.h | 4 ++--
lib/innconf.c | 2 +-
nnrpd/tls.c | 12 +++++++++---
6 files changed, 22 insertions(+), 13 deletions(-)
Modified: doc/pod/inn.conf.pod
===================================================================
--- doc/pod/inn.conf.pod 2016-09-01 15:04:55 UTC (rev 10056)
+++ doc/pod/inn.conf.pod 2016-09-01 15:09:03 UTC (rev 10057)
@@ -1096,11 +1096,14 @@
=item I<tlscompression>
-Whether to enable or disable SSL/TLS-level compression support.
+Whether to enable or disable TLS/SSL-level compression support.
This is a boolean and the default is false, that is to say compression
is disabled, so as to follow the best current practices for a secure
use of TLS in application protocols like NNTP.
+Note that enabling TLS/SSL-level compression will be possible only if
+the OpenSSL library INN has been built with, supports that feature.
+
=item I<tlseccurve>
The name of the elliptic curve to use for ephemeral key exchanges.
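Review bot: the comma in the added sentence ("the OpenSSL library INN has been built with, supports that feature") splits the subject from its verb; suggest "Note that enabling TLS/SSL-level compression is possible only if the OpenSSL library INN has been built with supports that feature." Since the code path that honours a true value depends on SSL_OP_NO_COMPRESSION (OpenSSL 1.0.0 and later, per the comment in nnrpd/tls.c), naming that version boundary here would tell an administrator on an older library why the setting is silently ignored.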
@@ -1121,7 +1124,7 @@
=item I<tlsprotocols>
-The list of SSL/TLS protocol versions to support. Valid protocols are
+The list of TLS/SSL protocol versions to support. Valid protocols are
B<SSLv2>, B<SSLv3>, B<TLSv1>, B<TLSv1.1> and B<TLSv1.2>. The default
value is to only allow TLS protocols:
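Review bot: this hunk only changes the wording, but the list of "valid protocols" still presents B<SSLv2> and B<SSLv3> on the same footing as the TLS versions, while news.pod in the same commit calls them flawed. A short qualifier after the list (that they are accepted for compatibility only and excluded by the default) would keep inn.conf.pod consistent with the rest of the documentation.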
Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod 2016-09-01 15:04:55 UTC (rev 10056)
+++ doc/pod/news.pod 2016-09-01 15:09:03 UTC (rev 10057)
@@ -67,8 +67,8 @@
=item *
The I<tlscompression> parameter in F<inn.conf> now also permits to
-disable TLS compression with S<OpenSSL 0.9.8>. It previously had an
-effect only when S<OpenSSL 1.0.0> or later was used.
+disable TLS-level compression with S<OpenSSL 0.9.8>. It previously
+had an effect only when S<OpenSSL 1.0.0> or later was used.
=item *
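Review bot: "now also permits to disable" is not idiomatic English; suggest "now also makes it possible to disable TLS-level compression with S<OpenSSL 0.9.8>." The rewrap of the two changed lines is otherwise fine.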
@@ -108,7 +108,7 @@
=item *
-If you have been using SSL/TLS with B<nnrpd> before, be aware that the
+If you have been using TLS/SSL with B<nnrpd> before, be aware that the
default value of a few F<inn.conf> parameters have changed: the server
now decides the preferred cipher (instead of the client), and only TLS
protocols are allowed (using the flawed SSLv2 and SSLv3 protocols is
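Review bot: while touching this paragraph, the unchanged context line has a number-agreement error: "the default value of a few F<inn.conf> parameters have changed" should read "the default values of a few F<inn.conf> parameters have changed".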
@@ -342,7 +342,7 @@
=item *
-New F<inn.conf> parameters used by B<nnrpd> to fine-tune the SSL/TLS
+New F<inn.conf> parameters used by B<nnrpd> to fine-tune the TLS/SSL
configuration have been added: I<tlsciphers>, I<tlscompression>,
I<tlseccurve>, I<tlspreferserverciphers>, and I<tlsprotocols>.
Many thanks to Christian Mock for his contribution that permits to
Modified: doc/pod/nnrpd.pod
===================================================================
--- doc/pod/nnrpd.pod 2016-09-01 15:04:55 UTC (rev 10056)
+++ doc/pod/nnrpd.pod 2016-09-01 15:09:03 UTC (rev 10057)
@@ -233,7 +233,7 @@
Optionally, you may set the I<tlsciphers>, I<tlscompression>,
I<tlseccurve>, I<tlspreferserverciphers>, and I<tlsprotocols> parameters
-in F<inn.conf> to fine-tune the behaviour of the SSL/TLS negotiation
+in F<inn.conf> to fine-tune the behaviour of the TLS/SSL negotiation
whenever a new attack on the TLS protocol or some supported cipher
suite is discovered.
Modified: include/inn/innconf.h
===================================================================
--- include/inn/innconf.h 2016-09-01 15:04:55 UTC (rev 10056)
+++ include/inn/innconf.h 2016-09-01 15:09:03 UTC (rev 10057)
@@ -122,9 +122,9 @@
unsigned long backoffpostslow; /* Lower time limit for slow posting */
unsigned long backofftrigger; /* Number of postings before triggered */
- /* Reading and posting -- SSL and TLS support */
+ /* Reading and posting -- TLS/SSL support */
/* Do not test HAVE_OPENSSL. This relieves customers of /usr/include/inn
- * from the need to guess whether INN was built with SSL/TLS support in
+ * from the need to guess whether INN was built with TLS/SSL support in
* order to get a header that matches the installed libraries.
*/
char *tlscafile; /* Path to a certificate authority file */
Modified: lib/innconf.c
===================================================================
--- lib/innconf.c 2016-09-01 15:04:55 UTC (rev 10056)
+++ lib/innconf.c 2016-09-01 15:09:03 UTC (rev 10057)
@@ -378,7 +378,7 @@
if (innconf->extraoverviewhidden == NULL)
innconf->extraoverviewhidden = vector_new();
- /* Defaults used only if TLS (SSL) is supported. */
+ /* Defaults used only if TLS/SSL is supported. */
#ifdef HAVE_OPENSSL
if (innconf->tlscapath == NULL)
innconf->tlscapath = xstrdup(innconf->pathetc);
Modified: nnrpd/tls.c
===================================================================
--- nnrpd/tls.c 2016-09-01 15:04:55 UTC (rev 10056)
+++ nnrpd/tls.c 2016-09-01 15:09:03 UTC (rev 10057)
@@ -578,11 +578,13 @@
}
#endif /* HAVE_OPENSSL_ECC */
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
if (prefer_server_ciphers) {
-#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
SSL_CTX_set_options(CTX, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ } else {
+ SSL_CTX_clear_options(CTX, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
#endif
- }
if ((tls_proto_vect != NULL) && (tls_proto_vect->count > 0)) {
for (i = 0; i < tls_proto_vect->count; i++) {
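Review bot: the new else branch calls SSL_CTX_clear_options(), which only exists in OpenSSL 0.9.8m and later, whereas SSL_OP_CIPHER_SERVER_PREFERENCE is defined in earlier 0.9.8 releases too; since news.pod in this commit still advertises S<OpenSSL 0.9.8> support, the else branch needs an OPENSSL_VERSION_NUMBER guard (or the clear call should be documented as requiring 0.9.8m+) to avoid a build failure on older 0.9.8 libraries. Moving the #ifdef outside the if/else is the right shape; it just makes the prefer_server_ciphers setting a complete no-op when the macro is absent, which is worth a log message so the operator is not left believing the preference is enforced.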
@@ -639,8 +641,12 @@
}
}
- if (!tls_compression) {
+ if (tls_compression) {
#ifdef SSL_OP_NO_COMPRESSION
+ SSL_CTX_clear_options(CTX, SSL_OP_NO_COMPRESSION);
+#endif
+ } else {
+#ifdef SSL_OP_NO_COMPRESSION
/* Option implemented in OpenSSL 1.0.0. */
SSL_CTX_set_options(CTX, SSL_OP_NO_COMPRESSION);
#elif OPENSSL_VERSION_NUMBER >= 0x00090800fL
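Review bot: the new "if (tls_compression)" branch only has an SSL_OP_NO_COMPRESSION path, so on the OPENSSL_VERSION_NUMBER >= 0x00090800fL path handled in the else branch there is no counterpart for re-enabling compression; if the 0.9.8 disable is done by emptying the process-wide compression-method stack, that cannot be undone afterwards, so a comment (and the inn.conf.pod note) should say that enabling is effective only with OpenSSL 1.0.0 and later. Also consider applying the same SSL_CTX_clear_options() version caveat raised for the server-preference hunk above.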