[patch] more TLS configuration options for nnrpd
christian mock
cm at tahina.priv.at
Sun Nov 9 02:11:38 UTC 2014
nnrpd's TLS support is basically using OpenSSL's defaults WRT issues
such as protocol support and cipher suites. In these days of POODLEs
and other vulnerabilities, I wanted to be able to have better control
over what's offered there, so I wrote this patch.

What it does is add a few options to inn.conf:

- tlsprotocols: allows selecting the SSL/TLS versions that are
  supported
- tlsciphers: allows giving an OpenSSL cipher string to tailor the
  cipher suites that are offered to clients
- tlsprefer_server_ciphers: switches on the server-side selection of
  the cipher suite (TLS default is "client chooses")

Additionally, TLS compression is turned off unconditionally (because
of the CRIME attack) if the OpenSSL version supports this.

The patch is against 2.5.4, and I hope it holds up to your coding
standards.

regards,

cm.
--
** christian mock in vienna, austria -- http://www.tahina.priv.at/
** http://www.vibe.at/ ** http://quintessenz.org/ ** sig at foo.woas.net
The Library has been Certified "FAMILY FRIENDLY" [by the Manson,
Addams & Homer Simpson families] -- http://www.lectlaw.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: inn-2.5.4-sslconf.patch
Type: text/x-diff
Size: 5358 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/inn-workers/attachments/20141109/e5758540/attachment.bin>
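
The attachment is not reproduced in this archive. As an added illustration (not the patch's C code and not INN's implementation), the Python sketch below shows how the three options described in the message and the unconditional compression switch correspond to OpenSSL context settings. The function name, the protocol name strings and the requirement that the listed versions be contiguous are assumptions of this example.

```python
import ssl

# Protocol names as they might be written in inn.conf. The value syntax is
# an assumption of this example; the message does not specify it.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
ORDER = list(VERSIONS)


def build_context(tlsprotocols, tlsciphers=None, prefer_server_ciphers=False):
    """Map the three options from the message onto a server-side SSLContext."""
    unknown = [name for name in tlsprotocols if name not in VERSIONS]
    if unknown or not tlsprotocols:
        raise ValueError(f"unsupported tlsprotocols value: {unknown or 'empty'}")
    idx = sorted({ORDER.index(name) for name in tlsprotocols})
    if idx != list(range(idx[0], idx[-1] + 1)):
        raise ValueError("this sketch needs a contiguous range of versions")

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = VERSIONS[ORDER[idx[0]]]
    ctx.maximum_version = VERSIONS[ORDER[idx[-1]]]

    if tlsciphers:
        # OpenSSL cipher string; it governs TLS 1.2 and earlier suites only,
        # TLS 1.3 suites are configured separately by OpenSSL.
        ctx.set_ciphers(tlsciphers)

    if prefer_server_ciphers:
        ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    else:
        ctx.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE

    # Compression is always disabled, as in the message (CRIME).
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def tls12_suites(ctx):
    """Names of the suites controlled by the cipher string (not TLS 1.3)."""
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]
```
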