Using INN 2.5.1 with Openssl with SSLv2 disabled
julien at trigofacile.com
Fri Oct 28 22:09:57 UTC 2011
> My customer (Government) wants to block use of SSLv2 with the INN server
> due to security vulnerabilities. I have recompiled openssl 0.9.8r with
> the option for no SSLv2. I then statically link the openssl libraries
> (libcrypto and libssl) into my INN build.
Couldn't you just rebuild INN with the following change?
nnrpd will then refuse an SSLv2 cipher.
--- nnrpd/tls.c (révision 9380)
+++ nnrpd/tls.c (copie de travail)
@@ -450,6 +450,7 @@
off |= SSL_OP_ALL; /* Work around all known bugs. */
+ off |= SSL_OP_NO_SSLv2;
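Review bot: the added `off |= SSL_OP_NO_SSLv2;` hard-codes the policy in nnrpd/tls.c with no way for the news administrator to widen it to SSLv3 or TLSv1 or to switch it off, which is exactly what the "tlsoptions" inn.conf parameter proposed further down would give; consider sourcing the flag from that setting from the start, and documenting the new default (SSLv2 refused) in the nnrpd and inn.conf documentation so the behaviour change is visible at upgrade time. A small readability point on the same lines: the variable is called `off` yet the hunk only ever ORs options into it, so a one-line comment stating that it accumulates options to be enabled with SSL_CTX_set_options() would spare the next reader a double-take.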
> Has anyone seen any problems with INN 2.5.1 and the newer openssl
> versions? Or when SSLv2 compiled out of openssl?
I have not tested a special build of openssl.
Note for inn-workers people:
Maybe we should add an inn.conf parameter named "tlsoptions" to allow
the news administrator to restrict a few things?
A list could be expected, with three possible values: NO_SSLv2,
NO_SSLv3, NO_TLSv1. INN would then set the appropriate flag
SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3 or SSL_OP_NO_TLSv1.
Would other flags be useful?
-> http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html for more
Unless there is a way in C to convert the string "SSL_OP_NO_SSLv2" into
the long-typed SSL_OP_NO_SSLv2 macro defined by OpenSSL, which would
then allow the news administrator to give any flag he wants to
Anyway, the first solution could be enough (but would imply an upgrade
of INN in case new TLS protocols are defined in the future).
« Donec eris felix, multos numerabis amicos. » (Ovide)
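The message above asks whether C can turn the string "SSL_OP_NO_SSLv2" into the matching macro. It cannot at run time, so a "tlsoptions" parameter has to be backed by an explicit table of the names the administrator may write. The following added example (not INN's own code, and not part of the original message) shows such a table-driven parser for the proposed values NO_SSLv2, NO_SSLv3 and NO_TLSv1; the comma- or blank-separated list format, the case-sensitive names, the function names and the TLS_OPTIONS_INVALID sentinel are assumptions made for the example. It uses the real OpenSSL header when one is installed and otherwise falls back to the flag values OpenSSL 0.9.8 defines, so it builds stand-alone:

```c
/*
 * Added example (not INN's own code): map the option names proposed for a
 * "tlsoptions" inn.conf parameter (NO_SSLv2, NO_SSLv3, NO_TLSv1; names and
 * list format are assumptions) onto the SSL_OP_* flags that
 * SSL_CTX_set_options() accepts.
 */
#include <stdio.h>
#include <string.h>

#ifdef __has_include
# if __has_include(<openssl/ssl.h>)
#  include <openssl/ssl.h>
#  define HAVE_OPENSSL_SSL_H 1
# endif
#endif

#ifndef HAVE_OPENSSL_SSL_H
/* Fallback so the file builds without OpenSSL headers: these are the values
 * OpenSSL 0.9.8 gives the macros in openssl/ssl.h (assumption: a real header,
 * when present, always takes precedence; releases that removed SSLv2 define
 * SSL_OP_NO_SSLv2 as 0). */
# define SSL_OP_NO_SSLv2 0x01000000L
# define SSL_OP_NO_SSLv3 0x02000000L
# define SSL_OP_NO_TLSv1 0x04000000L
#endif

/* C has no reflection, so every name an administrator may write is listed
 * explicitly next to the macro it stands for. */
static const struct {
    const char   *name;
    unsigned long flag;
} tls_option_names[] = {
    { "NO_SSLv2", SSL_OP_NO_SSLv2 },
    { "NO_SSLv3", SSL_OP_NO_SSLv3 },
    { "NO_TLSv1", SSL_OP_NO_TLSv1 },
};

#define TLS_OPTIONS_INVALID ((unsigned long) -1)

/* Parse "NO_SSLv2,NO_SSLv3" (names separated by commas or blanks, matched
 * case-sensitively).  Returns 0 and stores the OR of the flags in *options,
 * or -1 on an unknown name so that a typo in inn.conf fails loudly instead
 * of silently leaving a protocol version enabled. */
int
parse_tls_options(const char *list, unsigned long *options)
{
    unsigned long result = 0;
    const char *seps = ", \t";
    const char *p = (list != NULL) ? list : "";
    size_t n = sizeof(tls_option_names) / sizeof(tls_option_names[0]);

    while (*p != '\0') {
        size_t len, i;
        int found = 0;

        p += strspn(p, seps);             /* skip separators */
        if (*p == '\0')
            break;
        len = strcspn(p, seps);           /* length of this name */
        for (i = 0; i < n; i++) {
            if (strlen(tls_option_names[i].name) == len
                && strncmp(p, tls_option_names[i].name, len) == 0) {
                result |= tls_option_names[i].flag;
                found = 1;
                break;
            }
        }
        if (!found)
            return -1;
        p += len;
    }
    *options = result;
    return 0;
}

/* Convenience wrapper: the flag set, or TLS_OPTIONS_INVALID on a bad name. */
unsigned long
tls_options_from_string(const char *list)
{
    unsigned long options;

    if (parse_tls_options(list, &options) != 0)
        return TLS_OPTIONS_INVALID;
    return options;
}

int
main(void)
{
    /* Constructed sample settings, including one with a typo. */
    const char *settings[] = { "NO_SSLv2", "NO_SSLv2,NO_SSLv3",
                               "NO_SSLv3 NO_TLSv1", "NO_SSLV2" };
    size_t i;

    for (i = 0; i < sizeof(settings) / sizeof(settings[0]); i++) {
        unsigned long off;

        if (parse_tls_options(settings[i], &off) != 0)
            printf("tlsoptions \"%s\": unknown option name, refusing to start\n",
                   settings[i]);
        else
            /* In nnrpd/tls.c this value would be OR'd into "off" next to
             * SSL_OP_ALL before the SSL_CTX_set_options() call. */
            printf("tlsoptions \"%s\" -> SSL_CTX_set_options flags 0x%08lx\n",
                   settings[i], off);
    }
    return 0;
}
```

Rejecting an unknown name outright is the deliberate choice here: for a setting whose whole purpose is to disable protocol versions, a misspelt entry that is quietly ignored would leave SSLv2 enabled while the configuration file looks correct. Adding a future protocol version only means adding one row to the table, which is the upgrade the message anticipates.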