INN commit: branches/2.6 (6 files)

INN Commit rra at isc.org
Sun Sep 4 12:55:40 UTC 2016


    Date: Sunday, September 4, 2016 @ 05:55:40
  Author: iulius
Revision: 10064

Homogenize the use of TLS/SSL in documentation

Also, when TLS-level compression is wanted, or server preferences
should be followed, be sure it is the case (if OpenSSL supports it).

Modified:
  branches/2.6/doc/pod/inn.conf.pod
  branches/2.6/doc/pod/news.pod
  branches/2.6/doc/pod/nnrpd.pod
  branches/2.6/include/inn/innconf.h
  branches/2.6/lib/innconf.c
  branches/2.6/nnrpd/tls.c

-----------------------+
 doc/pod/inn.conf.pod  |    7 +++++--
 doc/pod/news.pod      |   16 ++++++++--------
 doc/pod/nnrpd.pod     |    2 +-
 include/inn/innconf.h |    4 ++--
 lib/innconf.c         |    2 +-
 nnrpd/tls.c           |   12 +++++++++---
 6 files changed, 26 insertions(+), 17 deletions(-)

Modified: doc/pod/inn.conf.pod
===================================================================
--- doc/pod/inn.conf.pod	2016-09-04 12:53:12 UTC (rev 10063)
+++ doc/pod/inn.conf.pod	2016-09-04 12:55:40 UTC (rev 10064)
@@ -1096,11 +1096,14 @@
 
 =item I<tlscompression>
 
-Whether to enable or disable SSL/TLS-level compression support.
+Whether to enable or disable TLS/SSL-level compression support.
 This is a boolean and the default is false, that is to say compression
 is disabled, so as to follow the best current practices for a secure
 use of TLS in application protocols like NNTP.
 
+Note that enabling TLS/SSL-level compression will be possible only if
+the OpenSSL library INN has been built with, supports that feature.
+
 =item I<tlseccurve>
 
 The name of the elliptic curve to use for ephemeral key exchanges.
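Review bot: the added note has a misplaced comma ("the OpenSSL library INN has been built with, supports that feature") that separates the subject from its verb; suggest "only if the OpenSSL library INN has been built with supports that feature", or reorder to "only if the OpenSSL library that INN was built against supports that feature" for readability.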
@@ -1121,7 +1124,7 @@
 
 =item I<tlsprotocols>
 
-The list of SSL/TLS protocol versions to support.  Valid protocols are
+The list of TLS/SSL protocol versions to support.  Valid protocols are
 B<SSLv2>, B<SSLv3>, B<TLSv1>, B<TLSv1.1> and B<TLSv1.2>.  The default
 value is to only allow TLS protocols:
 

Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod	2016-09-04 12:53:12 UTC (rev 10063)
+++ doc/pod/news.pod	2016-09-04 12:55:40 UTC (rev 10064)
@@ -59,12 +59,6 @@
 
 =item *
 
-The I<tlscompression> parameter in F<inn.conf> now also permits to
-disable TLS compression with S<OpenSSL 0.9.8>.  It previously had an
-effect only when S<OpenSSL 1.0.0> or later was used.
-
-=item *
-
 When a data integrity layer was negotiated during a successful SASL
 authentication, B<nnrpd> was wrongly reseting any knowledge obtained
 from the client, such as the current newsgroup and article number.
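Review bot: the unchanged context line "B<nnrpd> was wrongly reseting any knowledge" carries a typo ("reseting" should be "resetting"); since this commit already rewrites this section of F<news.pod>, it would be worth fixing in the same change rather than a follow-up.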
@@ -72,6 +66,12 @@
 
 =item *
 
+The I<tlscompression> parameter in F<inn.conf> now also permits to
+disable TLS-level compression with S<OpenSSL 0.9.8>.  It previously
+had an effect only when S<OpenSSL 1.0.0> or later was used.
+
+=item *
+
 B<nntpsend> now correctly waits until all of the child B<innxmit>
 processes exit before it does.  It was causing B<nntpsend> to fail
 to work properly on systems that use systemd, because when it exits
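Review bot: "now also permits to disable TLS-level compression" is not idiomatic English; suggest "now also allows disabling TLS-level compression" or "now also makes it possible to disable TLS-level compression". The same "permits to" wording appears in the I<tlscompression> entry further down in this file and could be corrected together with it.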
@@ -108,7 +108,7 @@
 
 =item *
 
-If you have been using SSL/TLS with B<nnrpd> before, be aware that the
+If you have been using TLS/SSL with B<nnrpd> before, be aware that the
 default value of a few F<inn.conf> parameters have changed:  the server
 now decides the preferred cipher (instead of the client), and only TLS
 protocols are allowed (using the flawed SSLv2 and SSLv3 protocols is
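Review bot: the context line "the default value of a few F<inn.conf> parameters have changed" has a subject/verb agreement problem; since only the TLS/SSL wording on the preceding line is being edited, suggest also changing it to "the default values of a few F<inn.conf> parameters have changed".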
@@ -342,7 +342,7 @@
 
 =item *
 
-New F<inn.conf> parameters used by B<nnrpd> to fine-tune the SSL/TLS
+New F<inn.conf> parameters used by B<nnrpd> to fine-tune the TLS/SSL
 configuration have been added:  I<tlsciphers>, I<tlscompression>,
 I<tlseccurve>, I<tlspreferserverciphers>, and I<tlsprotocols>.
 Many thanks to Christian Mock for his contribution that permits to

Modified: doc/pod/nnrpd.pod
===================================================================
--- doc/pod/nnrpd.pod	2016-09-04 12:53:12 UTC (rev 10063)
+++ doc/pod/nnrpd.pod	2016-09-04 12:55:40 UTC (rev 10064)
@@ -233,7 +233,7 @@
 
 Optionally, you may set the I<tlsciphers>, I<tlscompression>,
 I<tlseccurve>, I<tlspreferserverciphers>, and I<tlsprotocols> parameters
-in F<inn.conf> to fine-tune the behaviour of the SSL/TLS negotiation
+in F<inn.conf> to fine-tune the behaviour of the TLS/SSL negotiation
 whenever a new attack on the TLS protocol or some supported cipher
 suite is discovered.
 

Modified: include/inn/innconf.h
===================================================================
--- include/inn/innconf.h	2016-09-04 12:53:12 UTC (rev 10063)
+++ include/inn/innconf.h	2016-09-04 12:55:40 UTC (rev 10064)
@@ -122,9 +122,9 @@
     unsigned long backoffpostslow; /* Lower time limit for slow posting */
     unsigned long backofftrigger;  /* Number of postings before triggered */
 
-    /* Reading and posting -- SSL and TLS support */
+    /* Reading and posting -- TLS/SSL support */
     /* Do not test HAVE_OPENSSL.  This relieves customers of /usr/include/inn
-     * from the need to guess whether INN was built with SSL/TLS support in
+     * from the need to guess whether INN was built with TLS/SSL support in
      * order to get a header that matches the installed libraries.
      */
     char *tlscafile;            /* Path to a certificate authority file */

Modified: lib/innconf.c
===================================================================
--- lib/innconf.c	2016-09-04 12:53:12 UTC (rev 10063)
+++ lib/innconf.c	2016-09-04 12:55:40 UTC (rev 10064)
@@ -378,7 +378,7 @@
     if (innconf->extraoverviewhidden == NULL)
         innconf->extraoverviewhidden = vector_new();
 
-    /* Defaults used only if TLS (SSL) is supported. */
+    /* Defaults used only if TLS/SSL is supported. */
 #ifdef HAVE_OPENSSL
     if (innconf->tlscapath == NULL)
         innconf->tlscapath = xstrdup(innconf->pathetc);

Modified: nnrpd/tls.c
===================================================================
--- nnrpd/tls.c	2016-09-04 12:53:12 UTC (rev 10063)
+++ nnrpd/tls.c	2016-09-04 12:55:40 UTC (rev 10064)
@@ -578,11 +578,13 @@
      }
 #endif /* HAVE_OPENSSL_ECC */
 
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
     if (prefer_server_ciphers) {
-#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
         SSL_CTX_set_options(CTX, SSL_OP_CIPHER_SERVER_PREFERENCE);
+    } else {
+        SSL_CTX_clear_options(CTX, SSL_OP_CIPHER_SERVER_PREFERENCE);
+    }
 #endif
-    }
 
     if ((tls_proto_vect != NULL) && (tls_proto_vect->count > 0)) {
         for (i = 0; i < tls_proto_vect->count; i++) {
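Review bot: the new else branch introduces a dependency on SSL_CTX_clear_options(), which only exists from OpenSSL 0.9.8m onwards, while SSL_OP_CIPHER_SERVER_PREFERENCE itself is older; a build against an earlier 0.9.8 release (which the news entry in this same commit says is still supported for I<tlscompression>) would fail to compile here. Either guard the clear with an OPENSSL_VERSION_NUMBER check or state the new minimum OpenSSL version in the documentation. Moving the #ifdef outside the if/else is otherwise an improvement: the old layout left the closing brace of the if outside the #ifdef.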
@@ -639,8 +641,12 @@
         }
     }
 
-    if (!tls_compression) {
+    if (tls_compression) {
 #ifdef SSL_OP_NO_COMPRESSION
+        SSL_CTX_clear_options(CTX, SSL_OP_NO_COMPRESSION);
+#endif
+    } else {
+#ifdef SSL_OP_NO_COMPRESSION
         /* Option implemented in OpenSSL 1.0.0. */
         SSL_CTX_set_options(CTX, SSL_OP_NO_COMPRESSION);
 #elif OPENSSL_VERSION_NUMBER >= 0x00090800fL
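Review bot: the enable branch and the disable branch are not symmetric for OpenSSL 0.9.8: the else branch keeps an `#elif OPENSSL_VERSION_NUMBER >= 0x00090800fL` path for builds without SSL_OP_NO_COMPRESSION, but the new `if (tls_compression)` branch does nothing there, so the behaviour on 0.9.8 when compression is wanted is whatever the library default happens to be. A comment in the enable branch stating this would avoid surprises, and the SSL_CTX_clear_options() minimum-version concern from the previous hunk applies here as well. The clear is nonetheless needed on newer libraries: OpenSSL 1.1.0 sets SSL_OP_NO_COMPRESSION by default in SSL_CTX_new(), so without it I<tlscompression> set to true would silently have no effect; worth saying so in the `/* Option implemented in OpenSSL 1.0.0. */` style comment.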
