Using INN 2.5.1 with Openssl with SSLv2 disabled

Julien ÉLIE julien at
Fri Oct 28 22:09:57 UTC 2011

Hi Evans,

> My customer(Government) wants to block use of SSLv2 with the INN server
> due to security vulnerabilities. I have recompiled openssl 0.9.8r with
> the option for no SSLv2. I then staticly link the openssl libraries
> (libcrypto and libssl) into my INN build.

Couldn't you just rebuild INN with the following change?
nnrpd will then refuse an SSLv2 cipher.

--- nnrpd/tls.c	(révision 9380)
+++ nnrpd/tls.c	(copie de travail)
@@ -450,6 +450,7 @@

      off |= SSL_OP_ALL;		/* Work around all known bugs. */
+    off |= SSL_OP_NO_SSLv2;
      SSL_CTX_set_options(CTX, off);
      SSL_CTX_set_info_callback(CTX, apps_ssl_info_callback);
      SSL_CTX_sess_set_cache_size(CTX, 128);
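Review bot: The added `off |= SSL_OP_NO_SSLv2;` line carries no explanatory comment, while the neighbouring `SSL_OP_ALL` line does; suggest `off |= SSL_OP_NO_SSLv2;    /* Refuse SSLv2, which has known weaknesses. */` so the intent survives in the source. Since the flag is OR-ed into `off` before `SSL_CTX_set_options(CTX, off)` it applies to every connection the context accepts, which is what the quoted requirement asks for without needing the customer's special OpenSSL build; a separate option for SSLv3 would follow the same one-line pattern if the "tlsoptions" idea discussed below is not pursued.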

> Has anyone seen any problems with INN 2.5.1 and the newer openssl
> versions? Or when SSLv2 compiled out of openssl?

I have not tested a special build of openssl.

Note for inn-workers people:

Maybe we should add an inn.conf parameter named "tlsoptions" to allow 
the news administrator to restrict a few things?
A list could be expected, with three possible values:  NO_SSLv2, 
NO_SSLv3, NO_TLSv1.  INN would then set the appropriate flag 
Would other flags be useful?
   -> for more 

Unless there is a way in C to convert the string "SSL_OP_NO_SSLv2" into 
the long-typed SSL_OP_NO_SSLv2 macro defined by OpenSSL, which would 
then allow the news administrator to give any flag he wants to 

Anyway, the first solution could be enough (but would imply an upgrade 
of INN in case new TLS protocols are defined in the future).

Julien ÉLIE

« Donec eris felix, multos numerabis amicos. » (Ovide)
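As an added illustration of the table-driven "tlsoptions" idea sketched in the mail (this is example code, not INN's or the author's): since C cannot turn the string "SSL_OP_NO_SSLv2" into the macro at run time, a small name-to-flag table is the bridge. The function names `tls_options_parse` and `tls_options_value` are hypothetical; the three values are the ones proposed above. The OpenSSL macros are used when `<openssl/ssl.h>` is available, otherwise the example falls back to the values those macros have in OpenSSL 0.9.8/1.0.x so it compiles stand-alone.

```c
/* Added example: parse a hypothetical inn.conf "tlsoptions" list such as
 * "NO_SSLv2,NO_SSLv3" into a value for SSL_CTX_set_options().  Not INN code. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Prefer the real OpenSSL macros when the headers are present (GCC/Clang
 * __has_include); otherwise fall back to the values from 0.9.8/1.0.x ssl.h
 * (assumed constants, only so the example builds without OpenSSL). */
#if defined(__has_include)
#  if __has_include(<openssl/ssl.h>)
#    include <openssl/ssl.h>
#  endif
#endif
#ifndef SSL_OP_NO_SSLv2
#  define SSL_OP_NO_SSLv2 0x01000000L
#endif
#ifndef SSL_OP_NO_SSLv3
#  define SSL_OP_NO_SSLv3 0x02000000L
#endif
#ifndef SSL_OP_NO_TLSv1
#  define SSL_OP_NO_TLSv1 0x04000000L
#endif

struct tls_option {
    const char *name;   /* token the news administrator writes in inn.conf */
    long        flag;   /* matching SSL_OP_* bit for SSL_CTX_set_options() */
};

/* The three values proposed in the mail. */
static const struct tls_option tls_options[] = {
    { "NO_SSLv2", SSL_OP_NO_SSLv2 },
    { "NO_SSLv3", SSL_OP_NO_SSLv3 },
    { "NO_TLSv1", SSL_OP_NO_TLSv1 },
};

/* Parse a comma- or whitespace-separated list of option names.
 * Returns 0 and stores the OR of the flags in *off on success; returns -1
 * and leaves *off untouched on an unknown token, so a typo in inn.conf is
 * reported instead of silently producing a weaker configuration. */
int tls_options_parse(const char *list, long *off)
{
    long result = 0;
    char buf[256];
    char *tok, *save = NULL;
    size_t i, n = sizeof(tls_options) / sizeof(tls_options[0]);

    if (list == NULL || strlen(list) >= sizeof(buf))
        return -1;
    strcpy(buf, list);

    for (tok = strtok_r(buf, ", \t", &save); tok != NULL;
         tok = strtok_r(NULL, ", \t", &save)) {
        int found = 0;
        for (i = 0; i < n; i++) {
            if (strcasecmp(tok, tls_options[i].name) == 0) {
                result |= tls_options[i].flag;
                found = 1;
                break;
            }
        }
        if (!found) {
            fprintf(stderr, "tlsoptions: unknown value \"%s\"\n", tok);
            return -1;
        }
    }
    *off = result;
    return 0;
}

/* Convenience wrapper: the combined flags, or -1 if the list is invalid. */
long tls_options_value(const char *list)
{
    long off = 0;
    return tls_options_parse(list, &off) == 0 ? off : -1;
}

int main(void)
{
    long off = 0;
    /* Constructed sample value, as it might appear in inn.conf. */
    if (tls_options_parse("NO_SSLv2, NO_SSLv3", &off) == 0)
        printf("SSL_CTX_set_options(CTX, 0x%lx)\n", off);
    /* A misspelt token is rejected rather than ignored. */
    if (tls_options_parse("NO_SSLv2,NO_SLLv3", &off) != 0)
        printf("rejected invalid tlsoptions value\n");
    return 0;
}
```

The value returned would be OR-ed into `off` at the spot shown in the diff above, which keeps the existing one-line-per-protocol pattern while letting the administrator choose without a rebuild; the remark in the mail that new TLS versions would still require a table entry (and thus an INN upgrade) applies equally here.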
