[patch] more TLS configuration options for nnrpd

Julien ÉLIE julien at trigofacile.com
Tue Nov 11 14:08:27 UTC 2014

Hi Christian,

>> Many thanks for this new patch. I will integrate it into INN and
>> tell you when it has been committed.
> Great!
> Yes, I'd really like to see this in the 2.5 series.

Done for both 2.6.0:
and 2.5.5:

I have done several tests with the patch, and it works like a charm.
SSLv3 is now disabled on my news server, as I can see with:

     openssl s_client -connect news.trigofacile.com:563 -ssl3

Feel free to have a look at the two commits.
The default value is all protocols, compression possible and client 
decides the cipher for 2.5.5; only TLS protocols, without compression 
and server decides the cipher for 2.6.0.

Note that no inn.conf parameter contains "_" so I used 
tlspreferserverciphers instead of tlsprefer_server_ciphers.
I also used booleans instead of integers for the new parameters given to 
tls_init_serverengine(), and size_t instead of int for positive variables.

Also, I wrote:

     if (!tls_compression) {
         SSL_CTX_set_options(CTX, SSL_OP_NO_COMPRESSION);

instead of:

     if (!tls_compression) {
         SSL_CTX_set_options(CTX, SSL_OP_NO_COMPRESSION);

because I otherwise had a gcc warning for an unused tls_compression 

I also wrote:

     if ((tls_protos & INN_TLS_TLSv1) == 0)

instead of:

     if (!(tls_protos & INN_TLS_TLSv1))

for more clarity (the result is not a boolean).

I hope these changes are fine for you.

Julien ÉLIE

« Confession is the queen of proofs. »
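To make the settings discussed in this message concrete, here is an added example (not INN's code and not the author's) that maps nnrpd-style settings for allowed protocols, compression and server cipher preference onto OpenSSL's SSL_OP_* flags, using Python's ssl bindings in place of the C calls. The INN_TLS_* bit values, the two "profile" dictionaries standing in for the 2.5.5 and 2.6.0 defaults, and the helper names are assumptions of this example; the ssl.OP_* constants are Python's names for OpenSSL's SSL_OP_NO_*, SSL_OP_NO_COMPRESSION and SSL_OP_CIPHER_SERVER_PREFERENCE.

```python
"""Map nnrpd-style TLS settings onto OpenSSL context options.

Added example, not INN's code.  The INN_TLS_* bit values, the profile
dictionaries and the helper names below are assumptions modelled on the
mailing-list message; ssl.OP_* are Python's bindings for SSL_OP_*.
"""
import ssl

# Protocol bitmask (values assumed; INN uses names such as INN_TLS_TLSv1).
INN_TLS_SSLv2 = 1 << 0
INN_TLS_SSLv3 = 1 << 1
INN_TLS_TLSv1 = 1 << 2
INN_TLS_TLSv1_1 = 1 << 3
INN_TLS_TLSv1_2 = 1 << 4
INN_TLS_ALL = (INN_TLS_SSLv2 | INN_TLS_SSLv3 | INN_TLS_TLSv1
               | INN_TLS_TLSv1_1 | INN_TLS_TLSv1_2)
INN_TLS_ONLY_TLS = INN_TLS_TLSv1 | INN_TLS_TLSv1_1 | INN_TLS_TLSv1_2

# A protocol bit that is absent from tls_protos becomes an SSL_OP_NO_* flag.
# (On OpenSSL >= 1.1 SSL_OP_NO_SSLv2 is 0 because SSLv2 was removed.)
_NO_OPTION = {
    INN_TLS_SSLv2: ssl.OP_NO_SSLv2,
    INN_TLS_SSLv3: ssl.OP_NO_SSLv3,
    INN_TLS_TLSv1: ssl.OP_NO_TLSv1,
    INN_TLS_TLSv1_1: ssl.OP_NO_TLSv1_1,
    INN_TLS_TLSv1_2: ssl.OP_NO_TLSv1_2,
}


def tls_options(tls_protos, tls_compression, tls_prefer_server_ciphers):
    """Return the SSL_OP_* mask for one set of nnrpd settings.

    Mirrors the checks quoted in the message: a protocol is disabled when
    (tls_protos & INN_TLS_x) == 0 (an integer comparison, not a boolean
    test), compression is switched off with SSL_OP_NO_COMPRESSION when
    tls_compression is false, and the server's cipher order wins when
    SSL_OP_CIPHER_SERVER_PREFERENCE is set.
    """
    options = 0
    for bit, no_flag in _NO_OPTION.items():
        if (tls_protos & bit) == 0:
            options |= no_flag
    if not tls_compression:
        options |= ssl.OP_NO_COMPRESSION
    if tls_prefer_server_ciphers:
        options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return options


# Assumed encodings of the two default profiles described in the message:
# 2.5.5 allows every protocol, compression and client cipher choice;
# 2.6.0 allows only TLS, no compression, and the server chooses the cipher.
PROFILE_2_5_5 = dict(tls_protos=INN_TLS_ALL, tls_compression=True,
                     tls_prefer_server_ciphers=False)
PROFILE_2_6_0 = dict(tls_protos=INN_TLS_ONLY_TLS, tls_compression=False,
                     tls_prefer_server_ciphers=True)


def protocol_disabled(options, bit):
    """True when the SSL_OP_NO_* flag for this protocol bit is set."""
    return bool(options & _NO_OPTION[bit])


def compression_disabled(options):
    return bool(options & ssl.OP_NO_COMPRESSION)


def server_cipher_preference(options):
    return bool(options & ssl.OP_CIPHER_SERVER_PREFERENCE)


def make_server_context(profile):
    """Apply a profile to a server SSLContext, as SSL_CTX_set_options() would.

    Note that Python's SSLContext already sets OP_NO_SSLv2, OP_NO_SSLv3 and
    OP_NO_COMPRESSION by default, so this only ever adds flags; it cannot
    re-enable SSLv3 the way the permissive 2.5.5 profile does in C.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= tls_options(**profile)
    return ctx


if __name__ == "__main__":
    for name, profile in (("2.5.5", PROFILE_2_5_5), ("2.6.0", PROFILE_2_6_0)):
        opts = tls_options(**profile)
        print(name, "SSLv3 disabled:", protocol_disabled(opts, INN_TLS_SSLv3),
              "compression disabled:", compression_disabled(opts),
              "server cipher preference:", server_cipher_preference(opts))
```

The same result can be confirmed against a running server the way the message does: `openssl s_client -connect host:563 -ssl3` should fail to negotiate a connection once SSL_OP_NO_SSLv3 is in effect, while `-tls1_2` should still succeed.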
