[patch] more TLS configuration options for nnrpd

christian mock cm at tahina.priv.at
Sun Nov 9 02:11:38 UTC 2014


nnrpd's TLS support is basically using OpenSSL's defaults WRT issues
such as protocol support and cipher suites. In these days of POODLEs
and other vulnerabilities, I wanted to be able to have better control
over what's offered there, so I wrote this patch.

What it does is to add a few options to inn.conf:

- tlsprotocols: allows selecting the SSL/TLS versions that are
  supported

- tlsciphers: allows giving an OpenSSL cipher string to tailor the
  cipher suites that are offered to clients

- tlsprefer_server_ciphers: switches on the server-side selection of
  the cipher suite (TLS default is "client chooses")

Additionally, TLS compression is turned off unconditionally (because
of the CRIME attack) if the OpenSSL version supports this.

The patch is against 2.5.4, and I hope it holds up to your coding
standards.

regards,

cm.

-- 
** christian mock in vienna, austria -- http://www.tahina.priv.at/
** http://www.vibe.at/ ** http://quintessenz.org/ ** sig at foo.woas.net
The Library has been Certified "FAMILY FRIENDLY" [by the Manson,
Addams & Homer Simpson families] -- http://www.lectlaw.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: inn-2.5.4-sslconf.patch
Type: text/x-diff
Size: 5358 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/inn-workers/attachments/20141109/e5758540/attachment.bin>
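
The attachment is not reproduced in this archive. As an added illustration (not the patch's code, and not INN code), the sketch below applies the four behaviours the message describes to an OpenSSL server context through Python's `ssl` module, then lists any weak suites a given cipher string still leaves enabled. The function names, the protocol names used as setting values and the sample cipher string are assumptions made for the example.

```python
import ssl
import warnings

# OpenSSL "do not negotiate this version" flags, keyed by hypothetical setting names.
VERSION_OFF_FLAGS = {
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
}
WEAK_MARKERS = ("NULL", "EXP", "RC4", "MD5")


def build_server_context(protocols, ciphers, prefer_server_ciphers):
    """Apply the three settings plus 'compression off' to a server context."""
    unknown = set(protocols) - set(VERSION_OFF_FLAGS)
    if unknown:
        raise ValueError("unknown protocol name(s): %s" % ", ".join(sorted(unknown)))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    options = int(ctx.options)
    # Protocol selection: switch off every version that was not listed.
    for name, flag in VERSION_OFF_FLAGS.items():
        if name not in protocols:
            options |= int(flag)
    # Server-side choice of the cipher suite instead of "client chooses".
    if prefer_server_ciphers:
        options |= int(ssl.OP_CIPHER_SERVER_PREFERENCE)
    else:
        options &= ~int(ssl.OP_CIPHER_SERVER_PREFERENCE)
    # TLS compression off unconditionally (CRIME).
    options |= int(ssl.OP_NO_COMPRESSION)
    with warnings.catch_warnings():
        # Python flags the per-version OP_NO_* constants as deprecated.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options = options
    # Raises ssl.SSLError when the string selects no cipher suite at all.
    ctx.set_ciphers(ciphers)
    return ctx


def weak_suites(ctx):
    """Names of enabled suites that use NULL, export, RC4 or MD5."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


if __name__ == "__main__":
    # Constructed sample values, not taken from the post.
    ctx = build_server_context({"TLSv1.2"}, "HIGH:!aNULL:!eNULL:!MD5:!RC4", True)
    print("weak suites still enabled:", weak_suites(ctx))
```

On OpenSSL builds with TLS 1.3, the TLS 1.3 suites are configured separately and are not affected by the cipher string.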
