Using INN 2.5.1 with Openssl with SSLv2 disabled

[Julien ÉLIE]

Hi Evans,

> My customer(Government) wants to block use of SSLv2 with the INN server
> due to security vulnerabilities. I have recompiled openssl 0.9.8r with
> the option for no SSLv2. I then staticly link the openssl libraries
> (libcrypto and libssl) into my INN build.

Couldn't you just rebuild INN with the following change?
nnrpd will then refuse an SSLv2 cipher.

--- nnrpd/tls.c	(révision 9380)
+++ nnrpd/tls.c	(copie de travail)
@@ -450,6 +450,7 @@
      };

      off |= SSL_OP_ALL;		/* Work around all known bugs. */
+    off |= SSL_OP_NO_SSLv2;
      SSL_CTX_set_options(CTX, off);
      SSL_CTX_set_info_callback(CTX, apps_ssl_info_callback);
      SSL_CTX_sess_set_cache_size(CTX, 128);



> Has anyone seen any problems with INN 2.5.1 and the newer openssl
> versions? Or when SSLv2 compiled out of openssl?

I have not tested a special build of openssl.



Note for inn-workers people:

Maybe we should add an inn.conf parameter named "tlsoptions" to allow 
the news administrator to restrict a few things?
A list could be expected, with three possible values:  NO_SSLv2, 
NO_SSLv3, NO_TLSv1.  INN would then set the appropriate flag 
SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3 or SSL_OP_NO_TLSv1.
Would other flags be useful?
   -> http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html for more 
information.

Unless there is a way in C to convert the string "SSL_OP_NO_SSLv2" into 
the long-typed SSL_OP_NO_SSLv2 macro defined by OpenSSL, which would 
then allow the news administrator to give any flag he wants to 
SSL_CTX_set_options()?

Anyway, the first solution could be enough (but would imply an upgrade 
of INN in case new TLS protocols are defined in the future).

-- 
Julien ÉLIE

« Donec eris felix, multos numerabis amicos. » (Ovide)