INN commit: branches/2.6 (6 files)
INN Commit
rra at isc.org
Sun Dec 10 15:22:43 UTC 2017
Date: Sunday, December 10, 2017 @ 07:22:43
Author: iulius
Revision: 10198
Add support for TLS 1.3
Modified:
branches/2.6/doc/pod/hacking.pod
branches/2.6/doc/pod/inn.conf.pod
branches/2.6/doc/pod/news.pod
branches/2.6/nnrpd/tls.c
branches/2.6/nnrpd/tls.h
branches/2.6/samples/inn.conf.in
----------------------+
doc/pod/hacking.pod | 7 ++++++
doc/pod/inn.conf.pod | 8 +++----
doc/pod/news.pod | 6 +++++
nnrpd/tls.c | 51 +++++++++++++++++++++++++++++--------------------
nnrpd/tls.h | 1
samples/inn.conf.in | 2 -
6 files changed, 50 insertions(+), 25 deletions(-)
Modified: doc/pod/hacking.pod
===================================================================
--- doc/pod/hacking.pod 2017-12-10 15:21:26 UTC (rev 10197)
+++ doc/pod/hacking.pod 2017-12-10 15:22:43 UTC (rev 10198)
@@ -692,6 +692,13 @@
L<https://ftp.isc.org/pub/usenet/CONFIG/control.ctl> and
L<http://rosalind.home.xs4all.nl/nocemreg/nocemreg.html>.
+=item *
+
+Check whether patches from OpenSSL (F<apps/s_cb.c>, F<apps/s_server.c>
+and F<crypto/bio/b_dump.c>) could be merged into F<nnrpd/tls.c>, as
+well as support for new TLS versions in the F<tlsprotocols> parameter
+in F<inn.conf>.
+
=back
=item 2.
Modified: doc/pod/inn.conf.pod
===================================================================
--- doc/pod/inn.conf.pod 2017-12-10 15:21:26 UTC (rev 10197)
+++ doc/pod/inn.conf.pod 2017-12-10 15:22:43 UTC (rev 10198)
@@ -1153,14 +1153,14 @@
=item I<tlsprotocols>
The list of TLS/SSL protocol versions to support. Valid protocols are
-B<SSLv2>, B<SSLv3>, B<TLSv1>, B<TLSv1.1> and B<TLSv1.2>. The default
-value is to only allow TLS protocols:
+B<SSLv2>, B<SSLv3>, B<TLSv1>, B<TLSv1.1>, B<TLSv1.2> and B<TLSv1.3>.
+The default value is to only allow TLS protocols:
- tlsprotocols: [ TLSv1 TLSv1.1 TLSv1.2 ]
+ tlsprotocols: [ TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 ]
Note that the listed protocols will be enabled only if the OpenSSL
library INN has been built with, supports them. In case OpenSSL supports
-protocols more recent than TLSv1.2, they will be automatically enabled
+protocols more recent than TLSv1.3, they will be automatically enabled
(which anyway is fine regarding security, as newer protocols are supposed
to be more secure).
Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod 2017-12-10 15:21:26 UTC (rev 10197)
+++ doc/pod/news.pod 2017-12-10 15:22:43 UTC (rev 10198)
@@ -44,6 +44,12 @@
=item *
+The I<tlsprotocols> parameter in F<inn.conf> now recognizes the
+C<TLSv1.3> value (for OpenSSL versions implementing S<TLS 1.3>, that
+is to say starting from S<OpenSSL 1.1.1>).
+
+=item *
+
Other minor bug fixes and documentation improvements.
=back
Modified: nnrpd/tls.c
===================================================================
--- nnrpd/tls.c 2017-12-10 15:21:26 UTC (rev 10197)
+++ nnrpd/tls.c 2017-12-10 15:22:43 UTC (rev 10198)
@@ -81,20 +81,20 @@
if (where & SSL_CB_LOOP) {
if (tls_serverengine && (tls_loglevel >= 2))
- Printf("%s:%s", str, SSL_state_string_long(s));
+ syslog(L_NOTICE, "%s:%s", str, SSL_state_string_long(s));
} else if (where & SSL_CB_ALERT) {
str = (where & SSL_CB_READ) ? "read" : "write";
if ((tls_serverengine && (tls_loglevel >= 2)) ||
((ret & 0xff) != SSL3_AD_CLOSE_NOTIFY))
- Printf("SSL3 alert %s:%s:%s", str,
+ syslog(L_NOTICE, "SSL3 alert %s:%s:%s", str,
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
} else if (where & SSL_CB_EXIT) {
if (ret == 0)
- Printf("%s:failed in %s",
+ syslog(L_ERROR, "%s:failed in %s",
str, SSL_state_string_long(s));
else if (ret < 0) {
- Printf("%s:error in %s",
+ syslog(L_ERROR, "%s:error in %s",
str, SSL_state_string_long(s));
}
}
@@ -244,10 +244,12 @@
err = X509_STORE_CTX_get_error(ctx);
depth = X509_STORE_CTX_get_error_depth(ctx);
- if (err_cert != NULL) {
- X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
- if ((tls_serveractive) && (tls_loglevel >= 1)) {
- Printf("Peer cert verify depth=%d %s", depth, buf);
+ if ((tls_serveractive) && (tls_loglevel >= 1)) {
+ if (err_cert != NULL) {
+ X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
+ syslog(L_NOTICE, "Peer cert verify depth=%d %s", depth, buf);
+ } else {
+ syslog(L_NOTICE, "Peer cert verify depth=%d <no cert>", depth);
}
}
@@ -280,7 +282,7 @@
break;
}
if ((tls_serveractive) && (tls_loglevel >= 1))
- Printf("verify return:%d", ok);
+ syslog(L_NOTICE, "verify return:%d", ok);
return (ok);
}
@@ -348,7 +350,7 @@
/* If this is the last call, then update the ddt_dump thing so that
* we will move the selection point in the debug window. */
if (tls_loglevel>0)
- Printf("%s", buf);
+ syslog(L_NOTICE, "%s", buf);
ret += strlen(buf);
}
#ifdef TRUNCATE
@@ -355,7 +357,7 @@
if (trunc > 0) {
snprintf(buf, sizeof(buf), "%04x - <SPACES/NULS>\n", len+ trunc);
if (tls_loglevel>0)
- Printf("%s", buf);
+ syslog(L_NOTICE, "%s", buf);
ret += strlen(buf);
}
#endif
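Review bot: The `<SPACES/NULS>` message built on the `snprintf` line keeps its trailing `\n` now that it is sent through syslog instead of Printf; the commit strips that newline in the equivalent conversions later in this file ("cannot load CA data", "cannot load cert/key data"), so this one is inconsistent and embeds a newline in the log record. Drop it: `snprintf(buf, sizeof(buf), "%04x - <SPACES/NULS>", len+ trunc);`. Note that `ret += strlen(buf)` right after counts the buffer, so the total returned by tls_dump shrinks by one; check whether any caller depends on that count before changing it. tls_dump and its TRUNCATE branch extend beyond this hunk.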
@@ -496,7 +498,7 @@
return (0); /* Already running. */
if (tls_loglevel >= 2)
- Printf("starting TLS engine");
+ syslog(L_NOTICE, "starting TLS engine");
/* New functions have been introduced in OpenSSL 1.1.0. */
#if OPENSSL_VERSION_NUMBER < 0x010100000L
@@ -530,7 +532,7 @@
if ((!SSL_CTX_load_verify_locations(CTX, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(CTX))) {
if (tls_loglevel >= 2)
- Printf("TLS engine: cannot load CA data\n");
+ syslog(L_ERROR, "TLS engine: cannot load CA data");
return (-1);
}
@@ -545,7 +547,7 @@
if (!set_cert_stuff(CTX, s_cert_file, s_key_file)) {
if (tls_loglevel >= 2)
- Printf("TLS engine: cannot load cert/key data\n");
+ syslog(L_ERROR, "TLS engine: cannot load cert/key data");
return (-1);
}
@@ -600,6 +602,8 @@
tls_protos |= INN_TLS_TLSv1_1;
} else if (strcmp(tls_proto_vect->strings[i], "TLSv1.2") == 0) {
tls_protos |= INN_TLS_TLSv1_2;
+ } else if (strcmp(tls_proto_vect->strings[i], "TLSv1.3") == 0) {
+ tls_protos |= INN_TLS_TLSv1_3;
} else {
syslog(L_ERROR, "TLS engine: unknown protocol '%s' in tlsprotocols",
tls_proto_vect->strings[i]);
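Review bot: A `TLSv1.3` entry is accepted silently on an OpenSSL that has no TLS 1.3 (before 1.1.1): the new `tls_protos |= INN_TLS_TLSv1_3;` sets the bit, but nothing downstream can act on it, so an operator who restricts tlsprotocols to `[ TLSv1.3 ]` ends up with every version disabled and no hint why handshakes fail. Suggest logging once when the value cannot be honoured, directly after the assignment: `#ifndef SSL_OP_NO_TLSv1_3` / `syslog(L_NOTICE, "TLS engine: TLSv1.3 listed in tlsprotocols but not supported by this OpenSSL");` / `#endif`. The enclosing loop and function continue outside this hunk.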
@@ -608,7 +612,8 @@
}
} else {
/* Default value: allow only TLS protocols. */
- tls_protos = (INN_TLS_TLSv1 | INN_TLS_TLSv1_1 | INN_TLS_TLSv1_2);
+ tls_protos = (INN_TLS_TLSv1 | INN_TLS_TLSv1_1 | INN_TLS_TLSv1_2
+ | INN_TLS_TLSv1_3);
}
if ((tls_protos & INN_TLS_SSLv2) == 0) {
@@ -635,6 +640,12 @@
#endif
}
+ if ((tls_protos & INN_TLS_TLSv1_3) == 0) {
+#ifdef SSL_OP_NO_TLSv1_3
+ SSL_CTX_set_options(CTX, SSL_OP_NO_TLSv1_3);
+#endif
+ }
+
if (tls_ciphers != NULL) {
if (SSL_CTX_set_cipher_list(CTX, tls_ciphers) == 0) {
syslog(L_ERROR, "TLS engine: cannot set cipher list");
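Review bot: The new `SSL_OP_NO_TLSv1_3` block turns TLS 1.3 on by default, but the `tlsciphers` restriction applied just below through `SSL_CTX_set_cipher_list()` does not govern TLS 1.3: in OpenSSL 1.1.1 the TLS 1.3 suites are configured separately with SSL_CTX_set_ciphersuites() and keep OpenSSL's built-in defaults whatever cipher list is set. An operator who tightened `tlsciphers` will therefore negotiate TLS 1.3 with suites they never chose; until a dedicated setting exists, say so next to the new block: `/* NOTE: tlsciphers only constrains TLS 1.2 and below; TLS 1.3 suites are set via SSL_CTX_set_ciphersuites(). */`. Separately, OpenSSL 1.1.0+ documents the SSL_OP_NO_* version flags as deprecated in favour of SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version(); the flags still work, so this is a follow-up rather than a blocker. tls_init_serverengine continues outside this hunk.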
@@ -728,15 +739,15 @@
return (ret);
if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
- Printf("read from %08lX [%08lX] (%d bytes => %ld (0x%X))",
+ syslog(L_NOTICE, "read from %08lX [%08lX] (%d bytes => %ld (0x%lX))",
(unsigned long) bio, (unsigned long) argp,
- argi, ret, (unsigned int) ret);
+ argi, ret, (unsigned long) ret);
tls_dump(argp, (int) ret);
return (ret);
} else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
- Printf("write to %08lX [%08lX] (%d bytes => %ld (0x%X))",
+ syslog(L_NOTICE, "write to %08lX [%08lX] (%d bytes => %ld (0x%lX))",
(unsigned long) bio, (unsigned long) argp,
- argi, ret, (unsigned int) ret);
+ argi, ret, (unsigned long) ret);
tls_dump(argp, (int) ret);
}
return (ret);
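Review bot: Style: both rewritten `syslog(L_NOTICE, "read from %08lX [%08lX] ...` / `"write to %08lX [%08lX] ...` lines print `bio` and `argp` by casting to unsigned long, which truncates on platforms where pointers are wider than long; printing them with `%p` and passing the pointers uncast is portable and drops two casts per call: `syslog(L_NOTICE, "read from %p [%p] (%d bytes => %ld (0x%lX))", (void *) bio, (void *) argp, argi, ret, (unsigned long) ret);`. The `(unsigned long) ret` change that fixes the earlier `%X` mismatch is correct. bio_dump_cb begins outside this hunk.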
@@ -767,7 +778,7 @@
return (-1);
}
if (tls_loglevel >= 1)
- Printf("setting up TLS connection");
+ syslog(L_NOTICE, "setting up TLS connection");
if (tls_conn == NULL)
{
Modified: nnrpd/tls.h
===================================================================
--- nnrpd/tls.h 2017-12-10 15:21:26 UTC (rev 10197)
+++ nnrpd/tls.h 2017-12-10 15:22:43 UTC (rev 10198)
@@ -49,6 +49,7 @@
#define INN_TLS_TLSv1 4
#define INN_TLS_TLSv1_1 8
#define INN_TLS_TLSv1_2 16
+#define INN_TLS_TLSv1_3 32
/* Init TLS engine. */
int tls_init_serverengine(int verifydepth, /* Depth to verify. */
Modified: samples/inn.conf.in
===================================================================
--- samples/inn.conf.in 2017-12-10 15:21:26 UTC (rev 10197)
+++ samples/inn.conf.in 2017-12-10 15:22:43 UTC (rev 10198)
@@ -144,7 +144,7 @@
#tlscompression: false
#tlseccurve:
#tlspreferserverciphers: true
-#tlsprotocols: [ TLSv1 TLSv1.1 TLSv1.2 ]
+#tlsprotocols: [ TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 ]
# Monitoring