Using INN 2.5.1 with Openssl with SSLv2 disabled
Julien ÉLIE
julien at trigofacile.com
Fri Oct 28 22:09:57 UTC 2011
Hi Evans,
> My customer (Government) wants to block use of SSLv2 with the INN server
> due to security vulnerabilities. I have recompiled openssl 0.9.8r with
> the option for no SSLv2. I then statically link the openssl libraries
> (libcrypto and libssl) into my INN build.
Couldn't you just rebuild INN with the following change?
nnrpd will then refuse an SSLv2 cipher.
--- nnrpd/tls.c (révision 9380)
+++ nnrpd/tls.c (copie de travail)
@@ -450,6 +450,7 @@
};
off |= SSL_OP_ALL; /* Work around all known bugs. */
+ off |= SSL_OP_NO_SSLv2;
SSL_CTX_set_options(CTX, off);
SSL_CTX_set_info_callback(CTX, apps_ssl_info_callback);
SSL_CTX_sess_set_cache_size(CTX, 128);
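Review bot: the `+ off |= SSL_OP_NO_SSLv2;` line hard-codes the decision, so an administrator who still needs SSLv2, or who later wants SSLv3 or TLSv1 refused as well, has to rebuild nnrpd; read the set of disabled protocols from inn.conf instead and record the new default in the nnrpd documentation. Two checks before merging: SSL_OP_NO_SSLv2 is defined unconditionally in OpenSSL's ssl.h, so the line also compiles against a 0.9.8r built with no-ssl2 like the customer's; and the option only refuses SSLv2 protocol handshakes, it leaves the cipher list alone, so export-grade or otherwise weak suites remain negotiable under SSLv3 and TLSv1 unless SSL_CTX_set_cipher_list() is tightened in the same place.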
> Has anyone seen any problems with INN 2.5.1 and the newer openssl
> versions? Or when SSLv2 compiled out of openssl?
I have not tested a special build of openssl.
Note for inn-workers people:
Maybe we should add an inn.conf parameter named "tlsoptions" to allow
the news administrator to restrict a few things?
A list could be expected, with three possible values: NO_SSLv2,
NO_SSLv3, NO_TLSv1. INN would then set the appropriate flag
SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3 or SSL_OP_NO_TLSv1.
Would other flags be useful?
-> http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html for more
information.
Unless there is a way in C to convert the string "SSL_OP_NO_SSLv2" into
the long-typed SSL_OP_NO_SSLv2 macro defined by OpenSSL, which would
then allow the news administrator to give any flag he wants to
SSL_CTX_set_options()?
Anyway, the first solution could be enough (but would imply an upgrade
of INN in case new TLS protocols are defined in the future).
--
Julien ÉLIE
« Donec eris felix, multos numerabis amicos. » (Ovide)
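The string-to-flag conversion asked about in the note to inn-workers (an inn.conf list such as "NO_SSLv2 NO_SSLv3" turned into SSL_OP_* bits for SSL_CTX_set_options()) cannot be done from the macro names at run time in C, since macros do not survive compilation; the usual answer is a name table that is checked against the list, refusing unknown entries so a typo cannot silently leave a protocol enabled. The following is an added example and not INN's code: the parameter name tlsoptions is the one proposed in the message, parse_tlsoptions() and its signature are this example's own, the real SSL_OP_* macros from <openssl/ssl.h> are used when that header is available with OpenSSL 0.9.8 values as fallback, and the sample value in main() is constructed.

```c
/* Added example (not INN's code): turn a "tlsoptions" list into OpenSSL
 * SSL_OP_* flags by table lookup.  parse_tlsoptions() is this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Use the real macros when the OpenSSL headers are present. */
#if defined(__has_include)
# if __has_include(<openssl/ssl.h>)
#  include <openssl/ssl.h>
# endif
#endif
/* Fallback values from OpenSSL 0.9.8's ssl.h so the lookup can be built and
 * exercised without the library installed (assumption: 0.9.8 numbering). */
#ifndef SSL_OP_NO_SSLv2
# define SSL_OP_NO_SSLv2 0x01000000L
#endif
#ifndef SSL_OP_NO_SSLv3
# define SSL_OP_NO_SSLv3 0x02000000L
#endif
#ifndef SSL_OP_NO_TLSv1
# define SSL_OP_NO_TLSv1 0x04000000L
#endif

typedef struct {
    const char *name;   /* value as written in inn.conf */
    uint64_t    flag;   /* SSL_OP_* bit it stands for */
} tls_option;

/* One row per protocol; a newer OpenSSL with a new protocol means a new row,
 * which is the "upgrade of INN" cost the message mentions. */
static const tls_option tls_options[] = {
    { "NO_SSLv2", (uint64_t) SSL_OP_NO_SSLv2 },
    { "NO_SSLv3", (uint64_t) SSL_OP_NO_SSLv3 },
    { "NO_TLSv1", (uint64_t) SSL_OP_NO_TLSv1 },
#ifdef SSL_OP_NO_TLSv1_1
    { "NO_TLSv1_1", (uint64_t) SSL_OP_NO_TLSv1_1 },
#endif
#ifdef SSL_OP_NO_TLSv1_2
    { "NO_TLSv1_2", (uint64_t) SSL_OP_NO_TLSv1_2 },
#endif
};

/* Parse a whitespace- or comma-separated list ("NO_SSLv2, NO_SSLv3"); an
 * optional "SSL_OP_" prefix on a name is accepted.  On success the OR of the
 * flags is stored in *out and 0 is returned.  On an unknown name -1 is
 * returned and the offending token is copied into badtok, so the caller can
 * refuse to start rather than run with weaker settings than configured. */
int parse_tlsoptions(const char *value, uint64_t *out,
                     char *badtok, size_t badlen)
{
    uint64_t flags = 0;
    const char *p = value;

    while (*p != '\0') {
        const char *start;
        size_t len, i;
        int found = 0;

        while (*p == ' ' || *p == '\t' || *p == ',')
            p++;
        if (*p == '\0')
            break;
        start = p;
        while (*p != '\0' && *p != ' ' && *p != '\t' && *p != ',')
            p++;
        len = (size_t) (p - start);

        if (len > 7 && strncmp(start, "SSL_OP_", 7) == 0) {
            start += 7;
            len -= 7;
        }
        for (i = 0; i < sizeof tls_options / sizeof tls_options[0]; i++) {
            if (strlen(tls_options[i].name) == len
                && strncmp(tls_options[i].name, start, len) == 0) {
                flags |= tls_options[i].flag;
                found = 1;
                break;
            }
        }
        if (!found) {
            if (badtok != NULL && badlen > 0) {
                size_t n = len < badlen - 1 ? len : badlen - 1;
                memcpy(badtok, start, n);
                badtok[n] = '\0';
            }
            return -1;
        }
    }
    *out = flags;
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed sample value, as an administrator might write in inn.conf. */
    const char *value = argc > 1 ? argv[1] : "NO_SSLv2 NO_SSLv3";
    uint64_t flags;
    char bad[64];

    if (parse_tlsoptions(value, &flags, bad, sizeof bad) != 0) {
        fprintf(stderr, "tlsoptions: unknown option \"%s\"\n", bad);
        return 1;
    }
    /* nnrpd would then do: off |= SSL_OP_ALL; off |= flags;
     * SSL_CTX_set_options(CTX, off); as in the patch above. */
    printf("tlsoptions \"%s\" -> flags 0x%llx\n", value,
           (unsigned long long) flags);
    return 0;
}
```

The returned value is simply ORed into the same `off` variable the patch sets before SSL_CTX_set_options(CTX, off); with the table approach nnrpd fails at startup on a misspelt entry, which is the behaviour wanted when the point of the setting is to refuse a protocol.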