INN commit: trunk (4 files)

[INN Commit]

    Date: Friday, March 26, 2021 @ 11:56:31
  Author: iulius
Revision: 10549

nnrpd:  Deprecate the use of TLS versions 1.0 and 1.1

RFC 8996 has just deprecated insecure TLS versions 1.0 and 1.1.

Modified:
  trunk/doc/pod/inn.conf.pod
  trunk/doc/pod/news.pod
  trunk/nnrpd/tls.c
  trunk/samples/inn.conf.in

----------------------+
 doc/pod/inn.conf.pod |    7 +++++--
 doc/pod/news.pod     |   11 +++++++++++
 nnrpd/tls.c          |   11 ++++++++---
 samples/inn.conf.in  |    2 +-
 4 files changed, 25 insertions(+), 6 deletions(-)

Modified: doc/pod/inn.conf.pod
===================================================================
--- doc/pod/inn.conf.pod	2021-03-14 09:45:51 UTC (rev 10548)
+++ doc/pod/inn.conf.pod	2021-03-26 18:56:31 UTC (rev 10549)
@@ -1206,9 +1206,9 @@
 
 The list of TLS/SSL protocol versions to support.  Valid protocols are
 B<SSLv2>, B<SSLv3>, B<TLSv1>, B<TLSv1.1>, B<TLSv1.2> and B<TLSv1.3>.
-The default value is to only allow TLS protocols:
+The default value is to only allow secure TLS protocols:
 
-    tlsprotocols: [ TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 ]
+    tlsprotocols: [ TLSv1.2 TLSv1.3 ]
 
 Note that the listed protocols will be enabled only if the OpenSSL
 library INN has been built with, supports them.  In case OpenSSL supports
@@ -1216,6 +1216,9 @@
 (which anyway is fine regarding security, as newer protocols are supposed
 to be more secure).
 
+C<SSLv2> was formally deprecated by S<RFC 6176> in 2011, C<SSLv3>
+by S<RFC 7568> in 2015, C<TLSv1.0> and C<TLSv1.1> by S<RFC 8996> in 2021.
+
 =back
 
 =head2 Monitoring

Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod	2021-03-14 09:45:51 UTC (rev 10548)
+++ doc/pod/news.pod	2021-03-26 18:56:31 UTC (rev 10549)
@@ -17,6 +17,17 @@
 
 =back
 
+=head1 Changes in 2.6.5
+
+=over 2
+
+=item *
+
+The F<inn.conf> default value for I<tlsprotocols> no longer contains
+TLS versions 1.0 and 1.1, which have been deprecated by S<RFC 8996>.
+
+=back
+
 =head1 Changes in 2.6.4
 
 =over 2

Modified: nnrpd/tls.c
===================================================================
--- nnrpd/tls.c	2021-03-14 09:45:51 UTC (rev 10548)
+++ nnrpd/tls.c	2021-03-26 18:56:31 UTC (rev 10549)
@@ -629,21 +629,26 @@
             }
         }
     } else {
-        /* Default value:  allow only TLS protocols. */
-        tls_protos = (INN_TLS_TLSv1 | INN_TLS_TLSv1_1 | INN_TLS_TLSv1_2
-                      | INN_TLS_TLSv1_3);
+        /* Default value:  allow only secure TLS protocols. */
+        tls_protos = (INN_TLS_TLSv1_2 | INN_TLS_TLSv1_3);
     }
 
     if ((tls_protos & INN_TLS_SSLv2) == 0) {
+#ifdef SSL_OP_NO_SSLv2
         SSL_CTX_set_options(CTX, SSL_OP_NO_SSLv2);
+#endif
     }
 
     if ((tls_protos & INN_TLS_SSLv3) == 0) {
+#ifdef SSL_OP_NO_SSLv3
         SSL_CTX_set_options(CTX, SSL_OP_NO_SSLv3);
+#endif
     }
 
     if ((tls_protos & INN_TLS_TLSv1) == 0) {
+#ifdef SSL_OP_NO_TLSv1
         SSL_CTX_set_options(CTX, SSL_OP_NO_TLSv1);
+#endif
     }
 
     if ((tls_protos & INN_TLS_TLSv1_1) == 0) {

Modified: samples/inn.conf.in
===================================================================
--- samples/inn.conf.in	2021-03-14 09:45:51 UTC (rev 10548)
+++ samples/inn.conf.in	2021-03-26 18:56:31 UTC (rev 10549)
@@ -145,7 +145,7 @@
 #tlscompression:             false
 #tlseccurve:
 #tlspreferserverciphers:     true
-#tlsprotocols:               [ TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 ]
+#tlsprotocols:               [ TLSv1.2 TLSv1.3 ]
 
 # Monitoring