INN commit: branches/2.6 (8 files)

INN Commit rra at isc.org
Sun Nov 11 14:42:18 UTC 2018


    Date: Sunday, November 11, 2018 @ 06:42:17
  Author: iulius
Revision: 10301

inn.conf:  Add new tlsciphers13 parameter to fine-tune TLS 1.3 cipher suites

A separate cipher suite configuration parameter is needed for
TLS 1.3 as TLS 1.3 cipher suites are not compatible with
TLS 1.2, and vice-versa.

The tlsciphers13 parameter is based on the already existing tlsciphers
parameter for TLS 1.2 and below.

Modified:
  branches/2.6/doc/pod/inn.conf.pod
  branches/2.6/doc/pod/news.pod
  branches/2.6/doc/pod/nnrpd.pod
  branches/2.6/include/inn/innconf.h
  branches/2.6/lib/innconf.c
  branches/2.6/nnrpd/tls.c
  branches/2.6/nnrpd/tls.h
  branches/2.6/samples/inn.conf.in

-----------------------+
 doc/pod/inn.conf.pod  |   21 ++++++++++++++++++---
 doc/pod/news.pod      |   11 +++++++++++
 doc/pod/nnrpd.pod     |   10 +++++-----
 include/inn/innconf.h |    1 +
 lib/innconf.c         |    1 +
 nnrpd/tls.c           |   14 +++++++++++++-
 nnrpd/tls.h           |    1 +
 samples/inn.conf.in   |    1 +
 8 files changed, 51 insertions(+), 9 deletions(-)

Modified: doc/pod/inn.conf.pod
===================================================================
--- doc/pod/inn.conf.pod	2018-11-11 07:34:53 UTC (rev 10300)
+++ doc/pod/inn.conf.pod	2018-11-11 14:42:17 UTC (rev 10301)
@@ -1118,10 +1118,25 @@
 
 =item I<tlsciphers>
 
-The string describing the cipher suites OpenSSL will support.  See
-OpenSSL's ciphers(1) command documentation for details.  The default
-is unset, which uses OpenSSL's default cipher suite list.
+The string describing the cipher suites OpenSSL will support for S<TLS
+1.2> and below.  See OpenSSL's ciphers(1) command documentation for
+details.  The default is unset, which uses OpenSSL's default cipher
+suite list.
 
+=item I<tlsciphers13>
+
+The string describing the cipher suites OpenSSL will support for S<TLS
+1.3>.  See OpenSSL's ciphers(1) command documentation for
+details.  The default is unset, which uses OpenSSL's default cipher
+suite list.
+
+Note that a separate cipher suite configuration parameter is needed for
+S<TLS 1.3> because S<TLS 1.3> cipher suites are not compatible with
+S<TLS 1.2>, and vice-versa.  In order to avoid issues where legacy
+S<TLS 1.2> cipher suite configuration configured in the I<tlsciphers>
+parameter would inadvertently disable all S<TLS 1.3> cipher suites,
+the F<inn.conf> configuration has been separated out.
+
 =item I<tlscompression>
 
 Whether to enable or disable TLS/SSL-level compression support.

Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod	2018-11-11 07:34:53 UTC (rev 10300)
+++ doc/pod/news.pod	2018-11-11 14:42:17 UTC (rev 10301)
@@ -9,6 +9,17 @@
 
 =item *
 
+A new F<inn.conf> parameter has been added to fine-tune the cipher suites
+to use with S<TLS 1.3>:  the I<tlsciphers13> now permits configuring
+them.  A separate cipher suite configuration parameter is needed for
+S<TLS 1.3> because S<TLS 1.3> cipher suites are not compatible with
+S<TLS 1.2>, and vice-versa.  In order to avoid issues where legacy
+S<TLS 1.2> cipher suite configuration configured in the I<tlsciphers>
+parameter would inadvertently disable all S<TLS 1.3> cipher suites,
+the F<inn.conf> configuration has been separated out.
+
+=item *
+
 Support for S<Python 3> has been added to INN.  Embedded Python filtering
 and authentication hooks for B<innd> and B<nnrpd> can now use S<version
 3.3.0> or later of the Python interpreter.  In the 2.x series, S<version

Modified: doc/pod/nnrpd.pod
===================================================================
--- doc/pod/nnrpd.pod	2018-11-11 07:34:53 UTC (rev 10300)
+++ doc/pod/nnrpd.pod	2018-11-11 14:42:17 UTC (rev 10301)
@@ -230,11 +230,11 @@
 You may need to replace C<nntps> with C<563> if C<nntps> isn't
 defined in F</etc/services> on your system.
 
-Optionally, you may set the I<tlsciphers>, I<tlscompression>,
-I<tlseccurve>, I<tlspreferserverciphers>, and I<tlsprotocols> parameters
-in F<inn.conf> to fine-tune the behaviour of the TLS/SSL negotiation
-whenever a new attack on the TLS protocol or some supported cipher
-suite is discovered.
+Optionally, you may set the I<tlsciphers>, I<tlsciphers13>,
+I<tlscompression>, I<tlseccurve>, I<tlspreferserverciphers>, and
+I<tlsprotocols> parameters in F<inn.conf> to fine-tune the behaviour
+of the TLS/SSL negotiation whenever a new attack on the TLS protocol
+or some supported cipher suite is discovered.
 
 =head1 PROTOCOL DIFFERENCES
 

Modified: include/inn/innconf.h
===================================================================
--- include/inn/innconf.h	2018-11-11 07:34:53 UTC (rev 10300)
+++ include/inn/innconf.h	2018-11-11 14:42:17 UTC (rev 10301)
@@ -133,6 +133,7 @@
     char *tlscertfile;          /* Path to the TLS/SSL certificate to use */
     char *tlskeyfile;           /* Path to the key for the certificate */
     char *tlsciphers;           /* OpenSSL-style cipher string */
+    char *tlsciphers13;         /* OpenSSL-style cipher string for TLS 1.3 */
     bool tlscompression;        /* Turn TLS compression on/off */
     char *tlseccurve;           /* ECDH curve name */
     bool tlspreferserverciphers; /* Make server select the cipher */

Modified: lib/innconf.c
===================================================================
--- lib/innconf.c	2018-11-11 07:34:53 UTC (rev 10300)
+++ lib/innconf.c	2018-11-11 14:42:17 UTC (rev 10301)
@@ -234,6 +234,7 @@
     { K(tlscertfile),             STRING  (NULL) },
     { K(tlskeyfile),              STRING  (NULL) },
     { K(tlsciphers),              STRING  (NULL) },
+    { K(tlsciphers13),            STRING  (NULL) },
     { K(tlscompression),          BOOL   (false) },
     { K(tlseccurve),              STRING  (NULL) },
     { K(tlspreferserverciphers),  BOOL    (true) },

Modified: nnrpd/tls.c
===================================================================
--- nnrpd/tls.c	2018-11-11 07:34:53 UTC (rev 10300)
+++ nnrpd/tls.c	2018-11-11 14:42:17 UTC (rev 10301)
@@ -479,7 +479,8 @@
                       char *tls_CAfile, char *tls_CApath, char *tls_cert_file,
                       char *tls_key_file, bool prefer_server_ciphers,
                       bool tls_compression, struct vector *tls_proto_vect,
-                      char *tls_ciphers, char *tls_ec_curve UNUSED)
+                      char *tls_ciphers, char *tls_ciphers13 UNUSED,
+                      char *tls_ec_curve UNUSED)
 {
     int     off = 0;
     int     verify_flags = SSL_VERIFY_NONE;
@@ -658,6 +659,16 @@
         }
     }
 
+#if OPENSSL_VERSION_NUMBER >= 0x01010100fL
+    /* New API added in OpenSSL 1.1.1 for TLSv1.3 cipher suites. */
+    if (tls_ciphers13 != NULL) {
+        if (SSL_CTX_set_ciphersuites(CTX, tls_ciphers13) == 0) {
+            syslog(L_ERROR, "TLS engine: cannot set ciphersuites");
+            return (-1);
+        }
+    }
+#endif
+
     if (tls_compression) {
 #if defined(SSL_OP_NO_COMPRESSION) && OPENSSL_VERSION_NUMBER >= 0x0009080dfL
         /* Function first added in OpenSSL 0.9.8m. */
@@ -714,6 +725,7 @@
                                        innconf->tlscompression,
                                        innconf->tlsprotocols,
                                        innconf->tlsciphers,
+                                       innconf->tlsciphers13,
                                        innconf->tlseccurve);
 
     if (ssl_result == -1) {

Modified: nnrpd/tls.h
===================================================================
--- nnrpd/tls.h	2018-11-11 07:34:53 UTC (rev 10300)
+++ nnrpd/tls.h	2018-11-11 14:42:17 UTC (rev 10301)
@@ -63,6 +63,7 @@
                           bool tls_compression,
                           struct vector *tls_protocols,
                           char *tls_ciphers,
+                          char *tls_ciphers13,
                           char *tls_ec_curve);
 
 /* Init TLS. */

Modified: samples/inn.conf.in
===================================================================
--- samples/inn.conf.in	2018-11-11 07:34:53 UTC (rev 10300)
+++ samples/inn.conf.in	2018-11-11 14:42:17 UTC (rev 10301)
@@ -141,6 +141,7 @@
 #tlscertfile:                @sysconfdir@/cert.pem
 #tlskeyfile:                 @sysconfdir@/key.pem
 #tlsciphers:
+#tlsciphers13:
 #tlscompression:             false
 #tlseccurve:
 #tlspreferserverciphers:     true



More information about the inn-committers mailing list