INN commit: branches/2.6 (3 files)

INN Commit rra at isc.org
Sat Nov 10 21:56:22 UTC 2018


    Date: Saturday, November 10, 2018 @ 13:56:21
  Author: iulius
Revision: 10297

Fix the use of elliptic curve selection

OpenSSL 1.1.0 removed the SSL_CTX_set_ecdh_auto function introduced
with OpenSSL 1.0.2.  This removal caused INN to always enforce NIST
P-256 instead of using the most secure curve (which OpenSSL 1.1.0 does
by default).
Now fixed.

Modified:
  branches/2.6/doc/pod/inn.conf.pod
  branches/2.6/doc/pod/news.pod
  branches/2.6/nnrpd/tls.c

----------------------+
 doc/pod/inn.conf.pod |    3 ++-
 doc/pod/news.pod     |    5 +++++
 nnrpd/tls.c          |   11 ++++++++---
 3 files changed, 15 insertions(+), 4 deletions(-)

Modified: doc/pod/inn.conf.pod
===================================================================
--- doc/pod/inn.conf.pod	2018-11-10 18:10:41 UTC (rev 10296)
+++ doc/pod/inn.conf.pod	2018-11-10 21:56:21 UTC (rev 10297)
@@ -1139,7 +1139,8 @@
 -list_curves>.
 
 The default is unset, which means an appropriate curve is auto-selected
-(if your OpenSSL version supports it) or the NIST P-256 curve is used.
+(if your OpenSSL version is at least 1.0.2) or the NIST P-256 curve
+is used.
 
 This option is only effective if your OpenSSL version has ECDH support.
 
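Review bot: the new wording "(if your OpenSSL version is at least 1.0.2) or the NIST P-256 curve is used" leaves the OpenSSL 1.1.0-and-later case implicit; since the tls.c change makes INN call nothing at all on those versions, the paragraph should say that with OpenSSL 1.1.0 or later the curve is chosen by OpenSSL itself unless this option names one, so readers do not conclude that only 1.0.2 gets auto-selection. The trailing sentence "This option is only effective if your OpenSSL version has ECDH support." would then read naturally after it.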

Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod	2018-11-10 18:10:41 UTC (rev 10296)
+++ doc/pod/news.pod	2018-11-10 21:56:21 UTC (rev 10297)
@@ -4,6 +4,11 @@
 
 =item *
 
+Fixed the selection of the elliptic curve to use with S<OpenSSL 1.1.0>
+or later; NIST P-256 was enforced instead of using the most secure curve.
+
+=item *
+
 Support for S<Python 3> has been added to INN.  Embedded Python filtering
 and authentication hooks for B<innd> and B<nnrpd> can now use S<version
 3.3.0> or later of the Python interpreter.  In the 2.x series, S<version
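Review bot: "the most secure curve" in the new NEWS item overstates what OpenSSL does and is inconsistent with the inn.conf.pod hunk, which says "an appropriate curve is auto-selected"; OpenSSL's automatic selection picks a curve from its preference list that the client also supports, not necessarily the strongest one. Suggest "instead of letting OpenSSL select an appropriate curve automatically" so both documents describe the same behaviour.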

Modified: nnrpd/tls.c
===================================================================
--- nnrpd/tls.c	2018-11-10 18:10:41 UTC (rev 10296)
+++ nnrpd/tls.c	2018-11-10 21:56:21 UTC (rev 10297)
@@ -569,12 +569,17 @@
     if (eckey != NULL) {
         SSL_CTX_set_tmp_ecdh(CTX, eckey);
     } else {
-# ifdef SSL_CTX_set_ecdh_auto
+# if OPENSSL_VERSION_NUMBER < 0x010100000L
+#  if OPENSSL_VERSION_NUMBER >= 0x01000200fL
+        /* Function supported since OpenSSL 1.0.2.
+         * Removed since OpenSSL 1.1.0, supporting ECDH by default with
+         * the most appropriate parameters. */
         SSL_CTX_set_ecdh_auto(CTX, 1);
-# else
+#  else
         SSL_CTX_set_tmp_ecdh(CTX,
                              EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
-# endif /* SSL_CTX_set_ecdh_auto */
+#  endif /* SSL_CTX_set_ecdh_auto */
+# endif /* OpenSSL version < 1.1.0 */
      }
 #endif /* HAVE_OPENSSL_ECC */
 
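Review bot: the inner closing comment `#  endif /* SSL_CTX_set_ecdh_auto */` is now stale, because the conditional it closes was changed from `# ifdef SSL_CTX_set_ecdh_auto` to `#  if OPENSSL_VERSION_NUMBER >= 0x01000200fL`; make it `#  endif /* OpenSSL version >= 1.0.2 */` to match the outer `# endif /* OpenSSL version < 1.1.0 */`. Two further points on the same hunk: for OpenSSL 1.1.0 and later the whole `else` branch now compiles to an empty statement, which is the intent (OpenSSL auto-selects), but a one-line comment next to the outer `#endif` stating that no call is needed there would stop a future reader from "restoring" the P-256 fallback; and because the gate is purely on OPENSSL_VERSION_NUMBER, any other library that defines that macro with a value at or above 0x10100000L (LibreSSL reports 0x20000000L) takes the do-nothing path too, so it is worth confirming that such builds also select a curve by default rather than silently disabling ECDHE.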
