INN commit: trunk (4 files)
INN Commit
rra at isc.org
Fri Mar 26 18:56:32 UTC 2021
Date: Friday, March 26, 2021 @ 11:56:31
Author: iulius
Revision: 10549
nnrpd: Deprecate the use of TLS versions 1.0 and 1.1
RFC 8996 has just deprecated insecure TLS versions 1.0 and 1.1.
Modified:
trunk/doc/pod/inn.conf.pod
trunk/doc/pod/news.pod
trunk/nnrpd/tls.c
trunk/samples/inn.conf.in
----------------------+
doc/pod/inn.conf.pod | 7 +++++--
doc/pod/news.pod | 11 +++++++++++
nnrpd/tls.c | 11 ++++++++---
samples/inn.conf.in | 2 +-
4 files changed, 25 insertions(+), 6 deletions(-)
Modified: doc/pod/inn.conf.pod
===================================================================
--- doc/pod/inn.conf.pod 2021-03-14 09:45:51 UTC (rev 10548)
+++ doc/pod/inn.conf.pod 2021-03-26 18:56:31 UTC (rev 10549)
@@ -1206,9 +1206,9 @@
The list of TLS/SSL protocol versions to support. Valid protocols are
B<SSLv2>, B<SSLv3>, B<TLSv1>, B<TLSv1.1>, B<TLSv1.2> and B<TLSv1.3>.
-The default value is to only allow TLS protocols:
+The default value is to only allow secure TLS protocols:
- tlsprotocols: [ TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 ]
+ tlsprotocols: [ TLSv1.2 TLSv1.3 ]
Note that the listed protocols will be enabled only if the OpenSSL
library INN has been built with, supports them. In case OpenSSL supports
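Review bot: Changing the documented default at lines "+The default value is to only allow secure TLS protocols:" / "+ tlsprotocols: [ TLSv1.2 TLSv1.3 ]" silently alters behaviour for every installation that leaves I<tlsprotocols> unset, so the POD should say so. Suggest a sentence right after the new default, along the lines of: "Sites that still need to serve clients limited to TLSv1 or TLSv1.1 must now list those versions explicitly in I<tlsprotocols>." Without it, an administrator upgrading will only discover the change when older readers stop connecting.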
@@ -1216,6 +1216,9 @@
(which anyway is fine regarding security, as newer protocols are supposed
to be more secure).
+C<SSLv2> was formally deprecated by S<RFC 6176> in 2011, C<SSLv3>
+by S<RFC 7568> in 2015, C<TLSv1.0> and C<TLSv1.1> by S<RFC 8996> in 2021.
+
=back
=head2 Monitoring
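Review bot: The added deprecation sentence names the versions C<TLSv1.0> and C<TLSv1.1>, but the list of valid values for this parameter two paragraphs up spells the first one B<TLSv1>, and that is the token the configuration actually accepts. Suggest using the same spelling (and the same B<> formatting as the valid-value list) in the new sentence so a reader can map each deprecated version directly onto the value to remove from I<tlsprotocols>, e.g. "B<TLSv1> and B<TLSv1.1> by S<RFC 8996> in 2021."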
Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod 2021-03-14 09:45:51 UTC (rev 10548)
+++ doc/pod/news.pod 2021-03-26 18:56:31 UTC (rev 10549)
@@ -17,6 +17,17 @@
=back
+=head1 Changes in 2.6.5
+
+=over 2
+
+=item *
+
+The F<inn.conf> default value for I<tlsprotocols> no longer contains
+TLS versions 1.0 and 1.1, which have been deprecated by S<RFC 8996>.
+
+=back
+
=head1 Changes in 2.6.4
=over 2
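Review bot: The new 2.6.5 entry records only the default change to I<tlsprotocols>; the same commit also wraps the C<SSL_OP_NO_SSLv2>, C<SSL_OP_NO_SSLv3> and C<SSL_OP_NO_TLSv1> calls in F<nnrpd/tls.c> in C<#ifdef> guards, which is a build-portability change users of other OpenSSL/LibreSSL releases may care about. Either add a second C<=item *> for it or note in the commit message that it is deliberately left out of the user-facing news. It would also help to add one clause telling readers how to restore the previous behaviour (set I<tlsprotocols> explicitly) since this is the entry they will search for when old clients fail to connect.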
Modified: nnrpd/tls.c
===================================================================
--- nnrpd/tls.c 2021-03-14 09:45:51 UTC (rev 10548)
+++ nnrpd/tls.c 2021-03-26 18:56:31 UTC (rev 10549)
@@ -629,21 +629,26 @@
}
}
} else {
- /* Default value: allow only TLS protocols. */
- tls_protos = (INN_TLS_TLSv1 | INN_TLS_TLSv1_1 | INN_TLS_TLSv1_2
- | INN_TLS_TLSv1_3);
+ /* Default value: allow only secure TLS protocols. */
+ tls_protos = (INN_TLS_TLSv1_2 | INN_TLS_TLSv1_3);
}
if ((tls_protos & INN_TLS_SSLv2) == 0) {
+#ifdef SSL_OP_NO_SSLv2
SSL_CTX_set_options(CTX, SSL_OP_NO_SSLv2);
+#endif
}
if ((tls_protos & INN_TLS_SSLv3) == 0) {
+#ifdef SSL_OP_NO_SSLv3
SSL_CTX_set_options(CTX, SSL_OP_NO_SSLv3);
+#endif
}
if ((tls_protos & INN_TLS_TLSv1) == 0) {
+#ifdef SSL_OP_NO_TLSv1
SSL_CTX_set_options(CTX, SSL_OP_NO_TLSv1);
+#endif
}
if ((tls_protos & INN_TLS_TLSv1_1) == 0) {
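Review bot: The C<#ifdef SSL_OP_NO_SSLv2> / C<SSL_OP_NO_SSLv3> / C<SSL_OP_NO_TLSv1> guards are added without a comment explaining which library versions lack these macros, and the hunk ends at the start of the C<INN_TLS_TLSv1_1> block, so it is not visible whether the C<TLSv1_1>, C<TLSv1_2> and C<TLSv1_3> branches received the same treatment; the hunk header (21 lines to 26) accounts for exactly these three guards plus the shortened default. Please either guard all six branches consistently or add a comment above the first one stating why only the three oldest options are conditional. Note also that when a macro is undefined the branch silently does nothing, which is only safe if an undefined C<SSL_OP_NO_*> always implies the library cannot negotiate that protocol at all; stating that assumption in the comment would make the intent reviewable.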
Modified: samples/inn.conf.in
===================================================================
--- samples/inn.conf.in 2021-03-14 09:45:51 UTC (rev 10548)
+++ samples/inn.conf.in 2021-03-26 18:56:31 UTC (rev 10549)
@@ -145,7 +145,7 @@
#tlscompression: false
#tlseccurve:
#tlspreferserverciphers: true
-#tlsprotocols: [ TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 ]
+#tlsprotocols: [ TLSv1.2 TLSv1.3 ]
# Monitoring
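Review bot: The sample line "+#tlsprotocols: [ TLSv1.2 TLSv1.3 ]" is commented out, so nothing in this file changes behaviour; the effective default is the one hard-coded in F<nnrpd/tls.c>, and the two now agree. Since administrators tend to read the sample rather than the POD, consider adding a short comment above it noting that TLSv1 and TLSv1.1 are deprecated (RFC 8996) and must be listed explicitly if still required.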