INN commit: branches/2.6 (6 files)
INN Commit
rra at isc.org
Sun Sep 4 12:55:40 UTC 2016
Date: Sunday, September 4, 2016 @ 05:55:40
Author: iulius
Revision: 10064
Homogenize the use of TLS/SSL in documentation
Also, when TLS-level compression is wanted, or server preferences
should be followed, be sure it is the case (if OpenSSL supports it).
Modified:
branches/2.6/doc/pod/inn.conf.pod
branches/2.6/doc/pod/news.pod
branches/2.6/doc/pod/nnrpd.pod
branches/2.6/include/inn/innconf.h
branches/2.6/lib/innconf.c
branches/2.6/nnrpd/tls.c
-----------------------+
doc/pod/inn.conf.pod | 7 +++++--
doc/pod/news.pod | 16 ++++++++--------
doc/pod/nnrpd.pod | 2 +-
include/inn/innconf.h | 4 ++--
lib/innconf.c | 2 +-
nnrpd/tls.c | 12 +++++++++---
6 files changed, 26 insertions(+), 17 deletions(-)
Modified: doc/pod/inn.conf.pod
===================================================================
--- doc/pod/inn.conf.pod 2016-09-04 12:53:12 UTC (rev 10063)
+++ doc/pod/inn.conf.pod 2016-09-04 12:55:40 UTC (rev 10064)
@@ -1096,11 +1096,14 @@
=item I<tlscompression>
-Whether to enable or disable SSL/TLS-level compression support.
+Whether to enable or disable TLS/SSL-level compression support.
This is a boolean and the default is false, that is to say compression
is disabled, so as to follow the best current practices for a secure
use of TLS in application protocols like NNTP.
+Note that enabling TLS/SSL-level compression will be possible only if
+the OpenSSL library INN has been built with, supports that feature.
+
=item I<tlseccurve>
The name of the elliptic curve to use for ephemeral key exchanges.
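Review bot: the added note has a stray comma between subject and verb ("the OpenSSL library INN has been built with, supports that feature"); suggest "Note that enabling TLS/SSL-level compression is only possible if the OpenSSL library INN was built against supports that feature." It would also help the administrator to state what happens when the library lacks support (whether the setting is silently ignored or logged), since the sentence leaves that open.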
@@ -1121,7 +1124,7 @@
=item I<tlsprotocols>
-The list of SSL/TLS protocol versions to support. Valid protocols are
+The list of TLS/SSL protocol versions to support. Valid protocols are
B<SSLv2>, B<SSLv3>, B<TLSv1>, B<TLSv1.1> and B<TLSv1.2>. The default
value is to only allow TLS protocols:
Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod 2016-09-04 12:53:12 UTC (rev 10063)
+++ doc/pod/news.pod 2016-09-04 12:55:40 UTC (rev 10064)
@@ -59,12 +59,6 @@
=item *
-The I<tlscompression> parameter in F<inn.conf> now also permits to
-disable TLS compression with S<OpenSSL 0.9.8>. It previously had an
-effect only when S<OpenSSL 1.0.0> or later was used.
-
-=item *
-
When a data integrity layer was negotiated during a successful SASL
authentication, B<nnrpd> was wrongly reseting any knowledge obtained
from the client, such as the current newsgroup and article number.
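Review bot: the unchanged context line "wrongly reseting" has a typo (resetting); since this commit already reshuffles the surrounding entries in news.pod, it is worth fixing in the same change.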
@@ -72,6 +66,12 @@
=item *
+The I<tlscompression> parameter in F<inn.conf> now also permits to
+disable TLS-level compression with S<OpenSSL 0.9.8>. It previously
+had an effect only when S<OpenSSL 1.0.0> or later was used.
+
+=item *
+
B<nntpsend> now correctly waits until all of the child B<innxmit>
processes exit before it does. It was causing B<nntpsend> to fail
to work properly on systems that use systemd, because when it exits
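Review bot: "now also permits to disable" is not idiomatic; suggest "now also makes it possible to disable TLS-level compression with OpenSSL 0.9.8". Apart from that wording, this hunk only moves the entry below the SASL one and adds "-level", so the substance (compression can now be disabled on 0.9.8, not only on 1.0.0 and later) is unchanged.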
@@ -108,7 +108,7 @@
=item *
-If you have been using SSL/TLS with B<nnrpd> before, be aware that the
+If you have been using TLS/SSL with B<nnrpd> before, be aware that the
default value of a few F<inn.conf> parameters have changed: the server
now decides the preferred cipher (instead of the client), and only TLS
protocols are allowed (using the flawed SSLv2 and SSLv3 protocols is
@@ -342,7 +342,7 @@
=item *
-New F<inn.conf> parameters used by B<nnrpd> to fine-tune the SSL/TLS
+New F<inn.conf> parameters used by B<nnrpd> to fine-tune the TLS/SSL
configuration have been added: I<tlsciphers>, I<tlscompression>,
I<tlseccurve>, I<tlspreferserverciphers>, and I<tlsprotocols>.
Many thanks to Christian Mock for his contribution that permits to
Modified: doc/pod/nnrpd.pod
===================================================================
--- doc/pod/nnrpd.pod 2016-09-04 12:53:12 UTC (rev 10063)
+++ doc/pod/nnrpd.pod 2016-09-04 12:55:40 UTC (rev 10064)
@@ -233,7 +233,7 @@
Optionally, you may set the I<tlsciphers>, I<tlscompression>,
I<tlseccurve>, I<tlspreferserverciphers>, and I<tlsprotocols> parameters
-in F<inn.conf> to fine-tune the behaviour of the SSL/TLS negotiation
+in F<inn.conf> to fine-tune the behaviour of the TLS/SSL negotiation
whenever a new attack on the TLS protocol or some supported cipher
suite is discovered.
Modified: include/inn/innconf.h
===================================================================
--- include/inn/innconf.h 2016-09-04 12:53:12 UTC (rev 10063)
+++ include/inn/innconf.h 2016-09-04 12:55:40 UTC (rev 10064)
@@ -122,9 +122,9 @@
unsigned long backoffpostslow; /* Lower time limit for slow posting */
unsigned long backofftrigger; /* Number of postings before triggered */
- /* Reading and posting -- SSL and TLS support */
+ /* Reading and posting -- TLS/SSL support */
/* Do not test HAVE_OPENSSL. This relieves customers of /usr/include/inn
- * from the need to guess whether INN was built with SSL/TLS support in
+ * from the need to guess whether INN was built with TLS/SSL support in
* order to get a header that matches the installed libraries.
*/
char *tlscafile; /* Path to a certificate authority file */
Modified: lib/innconf.c
===================================================================
--- lib/innconf.c 2016-09-04 12:53:12 UTC (rev 10063)
+++ lib/innconf.c 2016-09-04 12:55:40 UTC (rev 10064)
@@ -378,7 +378,7 @@
if (innconf->extraoverviewhidden == NULL)
innconf->extraoverviewhidden = vector_new();
- /* Defaults used only if TLS (SSL) is supported. */
+ /* Defaults used only if TLS/SSL is supported. */
#ifdef HAVE_OPENSSL
if (innconf->tlscapath == NULL)
innconf->tlscapath = xstrdup(innconf->pathetc);
Modified: nnrpd/tls.c
===================================================================
--- nnrpd/tls.c 2016-09-04 12:53:12 UTC (rev 10063)
+++ nnrpd/tls.c 2016-09-04 12:55:40 UTC (rev 10064)
@@ -578,11 +578,13 @@
}
#endif /* HAVE_OPENSSL_ECC */
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
if (prefer_server_ciphers) {
-#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
SSL_CTX_set_options(CTX, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ } else {
+ SSL_CTX_clear_options(CTX, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
#endif
- }
if ((tls_proto_vect != NULL) && (tls_proto_vect->count > 0)) {
for (i = 0; i < tls_proto_vect->count; i++) {
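Review bot: the new else branch calls SSL_CTX_clear_options(), which only exists from OpenSSL 0.9.8m onwards, while the surrounding guard is SSL_OP_CIPHER_SERVER_PREFERENCE, which older 0.9.8 releases also define; builds against 0.9.8 before m will therefore fail to compile here. Suggest wrapping the else branch in an OPENSSL_VERSION_NUMBER check, as the compression code further down in this file already does. The explicit clear itself is the right fix: without it, a tlspreferserverciphers value of false would leave the option in place if anything had set it on the context earlier.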
@@ -639,8 +641,12 @@
}
}
- if (!tls_compression) {
+ if (tls_compression) {
#ifdef SSL_OP_NO_COMPRESSION
+ SSL_CTX_clear_options(CTX, SSL_OP_NO_COMPRESSION);
+#endif
+ } else {
+#ifdef SSL_OP_NO_COMPRESSION
/* Option implemented in OpenSSL 1.0.0. */
SSL_CTX_set_options(CTX, SSL_OP_NO_COMPRESSION);
#elif OPENSSL_VERSION_NUMBER >= 0x00090800fL
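Review bot: the hunk is cut off at the #elif line, so the OpenSSL 0.9.8 path (which disables compression by other means than SSL_OP_NO_COMPRESSION) has no visible counterpart to the new tls_compression-true branch; please confirm that path is also handled, or that the caveat added to inn.conf.pod ("possible only if the OpenSSL library ... supports that feature") is meant to cover it. Inside the SSL_OP_NO_COMPRESSION guard the SSL_CTX_clear_options() call is safe, since that option only exists in releases that also have the clear function. The default remains compression disabled, as documented above, so the new branch only changes behaviour for administrators who explicitly set tlscompression to true.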