INN commit: trunk (8 files)
INN Commit
rra at isc.org
Sun Nov 11 07:34:54 UTC 2018
Date: Saturday, November 10, 2018 @ 23:34:53
Author: iulius
Revision: 10300
inn.conf: Add new tlsciphers13 parameter to fine-tune TLS 1.3 cipher suites
A separate cipher suite configuration parameter is needed for
TLS 1.3 as TLS 1.3 cipher suites are not compatible with
TLS 1.2, and vice-versa.
The tlsciphers13 parameter is based on the already existing tlsciphers
parameter for TLS 1.2 and below.
Modified:
trunk/doc/pod/inn.conf.pod
trunk/doc/pod/news.pod
trunk/doc/pod/nnrpd.pod
trunk/include/inn/innconf.h
trunk/lib/innconf.c
trunk/nnrpd/tls.c
trunk/nnrpd/tls.h
trunk/samples/inn.conf.in
-----------------------+
doc/pod/inn.conf.pod | 21 ++++++++++++++++++---
doc/pod/news.pod | 11 +++++++++++
doc/pod/nnrpd.pod | 10 +++++-----
include/inn/innconf.h | 1 +
lib/innconf.c | 1 +
nnrpd/tls.c | 14 +++++++++++++-
nnrpd/tls.h | 1 +
samples/inn.conf.in | 1 +
8 files changed, 51 insertions(+), 9 deletions(-)
Modified: doc/pod/inn.conf.pod
===================================================================
--- doc/pod/inn.conf.pod 2018-11-10 22:13:41 UTC (rev 10299)
+++ doc/pod/inn.conf.pod 2018-11-11 07:34:53 UTC (rev 10300)
@@ -1118,10 +1118,25 @@
=item I<tlsciphers>
-The string describing the cipher suites OpenSSL will support. See
-OpenSSL's ciphers(1) command documentation for details. The default
-is unset, which uses OpenSSL's default cipher suite list.
+The string describing the cipher suites OpenSSL will support for S<TLS
+1.2> and below. See OpenSSL's ciphers(1) command documentation for
+details. The default is unset, which uses OpenSSL's default cipher
+suite list.
+=item I<tlsciphers13>
+
+The string describing the cipher suites OpenSSL will support for S<TLS
+1.3>. See OpenSSL's ciphers(1) command documentation for
+details. The default is unset, which uses OpenSSL's default cipher
+suite list.
+
+Note that a separate cipher suite configuration parameter is needed for
+S<TLS 1.3> because S<TLS 1.3> cipher suites are not compatible with
+S<TLS 1.2>, and vice-versa. In order to avoid issues where legacy
+S<TLS 1.2> cipher suite configuration configured in the I<tlsciphers>
+parameter would inadvertently disable all S<TLS 1.3> cipher suites,
+the F<inn.conf> configuration has been separated out.
+
=item I<tlscompression>
Whether to enable or disable TLS/SSL-level compression support.
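Review bot: the new I<tlsciphers13> entry reuses the I<tlsciphers> wording, but the two values have different grammars and the text does not say so. What SSL_CTX_set_ciphersuites() accepts is a plain colon-separated list of TLS 1.3 suite names (for example C<TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256>); the keyword/operator cipher-string syntax that I<tlsciphers> takes (C<HIGH>, C<!aNULL>, C<@STRENGTH>) is rejected there, and an operator who copies their TLS 1.2 string into this parameter will have TLS setup fail. State the format and give one example value. The entry should also say that the parameter only has an effect when INN is built against OpenSSL 1.1.1 or later, which is what the version guard in nnrpd/tls.c implements. In the last paragraph, "cipher suite configuration configured in the I<tlsciphers> parameter" reads awkwardly; "a legacy S<TLS 1.2> cipher string set in the I<tlsciphers> parameter" is tighter.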
Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod 2018-11-10 22:13:41 UTC (rev 10299)
+++ doc/pod/news.pod 2018-11-11 07:34:53 UTC (rev 10300)
@@ -9,6 +9,17 @@
=item *
+A new F<inn.conf> parameter has been added to fine-tune the cipher suites
+to use with S<TLS 1.3>: the I<tlsciphers13> now permits configuring
+them. A separate cipher suite configuration parameter is needed for
+S<TLS 1.3> because S<TLS 1.3> cipher suites are not compatible with
+S<TLS 1.2>, and vice-versa. In order to avoid issues where legacy
+S<TLS 1.2> cipher suite configuration configured in the I<tlsciphers>
+parameter would inadvertently disable all S<TLS 1.3> cipher suites,
+the F<inn.conf> configuration has been separated out.
+
+=item *
+
Support for S<Python 3> has been added to INN. Embedded Python filtering
and authentication hooks for B<innd> and B<nnrpd> can now use S<version
3.3.0> or later of the Python interpreter. In the 2.x series, S<version
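Review bot: "the I<tlsciphers13> now permits configuring them" is missing its noun; "the I<tlsciphers13> parameter now permits configuring them", or simply "a new I<tlsciphers13> parameter in F<inn.conf> selects the cipher suites used with S<TLS 1.3>". The remaining four lines repeat the inn.conf.pod rationale word for word; a NEWS item can give the one-sentence reason and refer readers to inn.conf(5) rather than carry a duplicate that will drift the next time one copy is edited.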
Modified: doc/pod/nnrpd.pod
===================================================================
--- doc/pod/nnrpd.pod 2018-11-10 22:13:41 UTC (rev 10299)
+++ doc/pod/nnrpd.pod 2018-11-11 07:34:53 UTC (rev 10300)
@@ -230,11 +230,11 @@
You may need to replace C<nntps> with C<563> if C<nntps> isn't
defined in F</etc/services> on your system.
-Optionally, you may set the I<tlsciphers>, I<tlscompression>,
-I<tlseccurve>, I<tlspreferserverciphers>, and I<tlsprotocols> parameters
-in F<inn.conf> to fine-tune the behaviour of the TLS/SSL negotiation
-whenever a new attack on the TLS protocol or some supported cipher
-suite is discovered.
+Optionally, you may set the I<tlsciphers>, I<tlsciphers13>,
+I<tlscompression>, I<tlseccurve>, I<tlspreferserverciphers>, and
+I<tlsprotocols> parameters in F<inn.conf> to fine-tune the behaviour
+of the TLS/SSL negotiation whenever a new attack on the TLS protocol
+or some supported cipher suite is discovered.
=head1 PROTOCOL DIFFERENCES
Modified: include/inn/innconf.h
===================================================================
--- include/inn/innconf.h 2018-11-10 22:13:41 UTC (rev 10299)
+++ include/inn/innconf.h 2018-11-11 07:34:53 UTC (rev 10300)
@@ -133,6 +133,7 @@
char *tlscertfile; /* Path to the TLS/SSL certificate to use */
char *tlskeyfile; /* Path to the key for the certificate */
char *tlsciphers; /* OpenSSL-style cipher string */
+ char *tlsciphers13; /* OpenSSL-style cipher string for TLS 1.3 */
bool tlscompression; /* Turn TLS compression on/off */
char *tlseccurve; /* ECDH curve name */
bool tlspreferserverciphers; /* Make server select the cipher */
Modified: lib/innconf.c
===================================================================
--- lib/innconf.c 2018-11-10 22:13:41 UTC (rev 10299)
+++ lib/innconf.c 2018-11-11 07:34:53 UTC (rev 10300)
@@ -234,6 +234,7 @@
{ K(tlscertfile), STRING (NULL) },
{ K(tlskeyfile), STRING (NULL) },
{ K(tlsciphers), STRING (NULL) },
+ { K(tlsciphers13), STRING (NULL) },
{ K(tlscompression), BOOL (false) },
{ K(tlseccurve), STRING (NULL) },
{ K(tlspreferserverciphers), BOOL (true) },
Modified: nnrpd/tls.c
===================================================================
--- nnrpd/tls.c 2018-11-10 22:13:41 UTC (rev 10299)
+++ nnrpd/tls.c 2018-11-11 07:34:53 UTC (rev 10300)
@@ -472,7 +472,8 @@
char *tls_CAfile, char *tls_CApath, char *tls_cert_file,
char *tls_key_file, bool prefer_server_ciphers,
bool tls_compression, struct vector *tls_proto_vect,
- char *tls_ciphers, char *tls_ec_curve UNUSED)
+ char *tls_ciphers, char *tls_ciphers13 UNUSED,
+ char *tls_ec_curve UNUSED)
{
int off = 0;
int verify_flags = SSL_VERIFY_NONE;
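Review bot: C<tls_ciphers13> is tagged UNUSED in the prototype even though the body reads it further down. That is correct and harmless with the unused attribute, which only silences the warning, and it is needed because the only reference sits inside an OpenSSL-version #if, but nothing in the hunk says so; a short comment on the parameter ("only used with OpenSSL 1.1.1+") will stop the next reader from removing the tag and breaking builds against older OpenSSL. C<tls_ec_curve> on the same line is in the identical situation and could share the comment.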
@@ -652,6 +653,16 @@
}
}
+#if OPENSSL_VERSION_NUMBER >= 0x01010100fL
+ /* New API added in OpenSSL 1.1.1 for TLSv1.3 cipher suites. */
+ if (tls_ciphers13 != NULL) {
+ if (SSL_CTX_set_ciphersuites(CTX, tls_ciphers13) == 0) {
+ syslog(L_ERROR, "TLS engine: cannot set ciphersuites");
+ return (-1);
+ }
+ }
+#endif
+
if (tls_compression) {
#if defined(SSL_OP_NO_COMPRESSION) && OPENSSL_VERSION_NUMBER >= 0x0009080dfL && OPENSSL_VERSION_NUMBER != 0x000909000L
/* Function first added in OpenSSL 0.9.8m, and not present
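Review bot: a configured tlsciphers13 value is silently discarded when INN is built against an OpenSSL older than 1.1.1, because the whole block is compiled out and there is no #else branch. An operator who sets the parameter believing they have restricted the TLS 1.3 suites gets no indication that nothing took effect; add an #else that logs at L_NOTICE when C<tls_ciphers13 != NULL>, or refuse to start, so the mismatch is visible. The failure path could also be more useful: "cannot set ciphersuites" gives no hint which suite name was rejected, and a typo in one name is the most likely cause, so include the string and the OpenSSL error queue (ERR_get_error() / ERR_error_string()) in the syslog message. Finally, OPENSSL_VERSION_NUMBER alone does not prove the API exists: LibreSSL reports 0x20000000L and therefore satisfies C<>= 0x01010100fL>, yet the LibreSSL releases current at the time of this commit do not provide SSL_CTX_set_ciphersuites(). If LibreSSL is a supported target, exclude it here via LIBRESSL_VERSION_NUMBER or probe for the function at configure time.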
@@ -709,6 +720,7 @@
innconf->tlscompression,
innconf->tlsprotocols,
innconf->tlsciphers,
+ innconf->tlsciphers13,
innconf->tlseccurve);
if (ssl_result == -1) {
Modified: nnrpd/tls.h
===================================================================
--- nnrpd/tls.h 2018-11-10 22:13:41 UTC (rev 10299)
+++ nnrpd/tls.h 2018-11-11 07:34:53 UTC (rev 10300)
@@ -53,6 +53,7 @@
bool tls_compression,
struct vector *tls_protocols,
char *tls_ciphers,
+ char *tls_ciphers13,
char *tls_ec_curve);
/* Init TLS. */
Modified: samples/inn.conf.in
===================================================================
--- samples/inn.conf.in 2018-11-10 22:13:41 UTC (rev 10299)
+++ samples/inn.conf.in 2018-11-11 07:34:53 UTC (rev 10300)
@@ -141,6 +141,7 @@
#tlscertfile: @sysconfdir@/cert.pem
#tlskeyfile: @sysconfdir@/key.pem
#tlsciphers:
+#tlsciphers13:
#tlscompression: false
#tlseccurve:
#tlspreferserverciphers: true
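Review bot: the sample leaves C<#tlsciphers13:> empty directly under C<#tlsciphers:>, which invites copying a TLS 1.2 style string such as C<HIGH:!aNULL> into it; SSL_CTX_set_ciphersuites() does not accept that grammar and nnrpd's TLS initialisation will then fail. Put an illustrative TLS 1.3 value in the commented line, e.g. C<#tlsciphers13: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256>, so the colon-separated suite-name format is visible where operators actually edit it, with the unset default still meaning OpenSSL's own list.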