INN commit: trunk (doc/pod/inn.conf.pod doc/pod/news.pod nnrpd/tls.c)
INN Commit
rra at isc.org
Sat Nov 10 18:10:42 UTC 2018
Date: Saturday, November 10, 2018 @ 10:10:41
Author: iulius
Revision: 10296
Fix the use of elliptic curve selection
OpenSSL 1.1.0 removed the SSL_CTX_set_ecdh_auto function introduced
with OpenSSL 1.0.2. This removal caused INN to always enforce NIST
P-256 instead of using the most secure curve (which OpenSSL 1.1.0 does
by default).
Now fixed.
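A quick way to confirm which ephemeral curve a running nnrpd actually negotiates after this change. This is an added example, not INN's code and not part of the commit; it assumes an OpenSSL command-line tool recent enough to support "-starttls nntp" (1.1.0 or later) and uses a hypothetical host:port. The sample transcripts inside are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not INN's code): report the ephemeral EC curve that an
# NNTP server picks for STARTTLS, so a "P-256 forced" symptom is visible.
#
# "openssl s_client" prints one line describing the server's ephemeral key:
#   Server Temp Key: ECDH, P-256, 256 bits    (OpenSSL 1.0.2 / 1.1.0 tool)
#   Server Temp Key: X25519, 253 bits         (OpenSSL 1.1.1 and later tool)
#   Server Temp Key: DH, 2048 bits            (finite-field DHE, no curve)
# Read a transcript on stdin, print the curve/group name, return 1 when no
# "Server Temp Key" line is present (static RSA key exchange or a failed
# handshake).
curve_from_transcript() {
    curve=$(sed -n 's/^ *Server Temp Key: //p' |
            sed -e 's/^ECDH, //' -e 's/,.* bits$//' |
            head -n 1)
    [ -n "$curve" ] || return 1
    printf '%s\n' "$curve"
}

# Live probe (assumption: OpenSSL >= 1.1.0 tool; host:port is hypothetical).
#   probe_nntp_curve news.example.org:119
# Add "-curves X25519:P-256" (1.1.0) or "-groups X25519:P-256" (1.1.1+) to
# offer a preferred curve and see whether the server still answers P-256.
probe_nntp_curve() {
    openssl s_client -connect "$1" -starttls nntp </dev/null 2>/dev/null |
        curve_from_transcript
}

# Constructed sample transcripts for offline use (not real captures).
SAMPLE_FORCED_P256='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Server Temp Key: ECDH, P-256, 256 bits'

SAMPLE_AUTO='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Server Temp Key: X25519, 253 bits'

# Exit status 0 when the transcript shows the P-256 symptom, 1 otherwise.
shows_forced_p256() {
    [ "$(curve_from_transcript)" = "P-256" ]
}
```

Running `printf '%s\n' "$SAMPLE_FORCED_P256" | shows_forced_p256` succeeds, while the X25519 sample does not; against a real server, `probe_nntp_curve host:port` shows what the fixed build negotiates.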
Modified:
trunk/doc/pod/inn.conf.pod
trunk/doc/pod/news.pod
trunk/nnrpd/tls.c
----------------------+
doc/pod/inn.conf.pod | 3 ++-
doc/pod/news.pod | 5 +++++
nnrpd/tls.c | 11 ++++++++---
3 files changed, 15 insertions(+), 4 deletions(-)
Modified: doc/pod/inn.conf.pod
===================================================================
--- doc/pod/inn.conf.pod 2018-07-31 20:23:35 UTC (rev 10295)
+++ doc/pod/inn.conf.pod 2018-11-10 18:10:41 UTC (rev 10296)
@@ -1139,7 +1139,8 @@
-list_curves>.
The default is unset, which means an appropriate curve is auto-selected
-(if your OpenSSL version supports it) or the NIST P-256 curve is used.
+(if your OpenSSL version is at least 1.0.2) or the NIST P-256 curve
+is used.
This option is only effective if your OpenSSL version has ECDH support.
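Review bot: the new sentence still leaves it ambiguous which of the two alternatives applies when, since "(if your OpenSSL version is at least 1.0.2)" reads as a parenthetical aside rather than the condition that decides between auto-selection and P-256. Suggest making the two cases explicit, e.g. "The default is unset, which means an appropriate curve is auto-selected if your OpenSSL version is at least 1.0.2, and the NIST P-256 curve is used otherwise."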
Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod 2018-07-31 20:23:35 UTC (rev 10295)
+++ doc/pod/news.pod 2018-11-10 18:10:41 UTC (rev 10296)
@@ -4,6 +4,11 @@
=item *
+Fixed the selection of the elliptic curve to use with S<OpenSSL 1.1.0>
+or later; NIST P-256 was enforced instead of using the most secure curve.
+
+=item *
+
Support for S<Python 3> has been added to INN. Embedded Python filtering
and authentication hooks for B<innd> and B<nnrpd> can now use S<version
3.3.0> or later of the Python interpreter. In the 2.x series, S<version
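Review bot: "instead of using the most secure curve" overstates what automatic selection does; the tls.c change in this same commit describes the 1.1.0 behaviour as "the most appropriate parameters", i.e. a curve chosen from what the peer supports, not necessarily the strongest one. Suggest aligning the NEWS wording with that, e.g. "NIST P-256 was enforced instead of letting OpenSSL select an appropriate curve."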
Modified: nnrpd/tls.c
===================================================================
--- nnrpd/tls.c 2018-07-31 20:23:35 UTC (rev 10295)
+++ nnrpd/tls.c 2018-11-10 18:10:41 UTC (rev 10296)
@@ -569,12 +569,17 @@
if (eckey != NULL) {
SSL_CTX_set_tmp_ecdh(CTX, eckey);
} else {
-# ifdef SSL_CTX_set_ecdh_auto
+# if OPENSSL_VERSION_NUMBER < 0x010100000L
+# if OPENSSL_VERSION_NUMBER >= 0x01000200fL
+ /* Function supported since OpenSSL 1.0.2.
+ * Removed since OpenSSL 1.1.0, supporting ECDH by default with
+ * the most appropriate parameters). */
SSL_CTX_set_ecdh_auto(CTX, 1);
-# else
+# else
SSL_CTX_set_tmp_ecdh(CTX,
EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
-# endif /* SSL_CTX_set_ecdh_auto */
+# endif /* SSL_CTX_set_ecdh_auto */
+# endif /* OpenSSL version < 1.1.0 */
}
#endif /* HAVE_OPENSSL_ECC */
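Review bot: the closing comment `# endif /* SSL_CTX_set_ecdh_auto */` no longer matches its condition, which is now `# if OPENSSL_VERSION_NUMBER >= 0x01000200fL`; suggest `# endif /* OpenSSL version >= 1.0.2 */` to match the style of the outer `# endif /* OpenSSL version < 1.1.0 */`. Two smaller points in the same hunk: the new comment has a stray closing parenthesis ("the most appropriate parameters)."), and both version literals are spelled with nine hex digits (`0x010100000L`, `0x01000200fL`) where OpenSSL's MNNFFPPS format uses eight; they evaluate correctly, but `0x010100000L` has a status nibble of 0 (a development snapshot) rather than `f` (release), so the conventional `0x10100000L` and `0x1000200fL` would read more clearly and match the documentation, which says "at least 1.0.2".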