[patch] more TLS configuration options for nnrpd
Julien ÉLIE
julien at trigofacile.com
Tue Nov 11 14:08:27 UTC 2014
Hi Christian,
>> Many thanks for this new patch. I will integrate it into INN and
>> tell you when it has been committed.
>
> Great!
> Yes, I'd really like to see this in the 2.5 series.
Done for both 2.6.0:
https://inn.eyrie.org/trac/changeset/9744
and 2.5.5:
https://inn.eyrie.org/trac/changeset/9745
I have done several tests with the patch, and it works like a charm.
SSLv3 is now disabled on my news server, as I can see with:
openssl s_client -connect news.trigofacile.com:563 -ssl3
Feel free to have a look at the two commits.
The default value is all protocols, compression possible and client
decides the cipher for 2.5.5; only TLS protocols, without compression
and server decides the cipher for 2.6.0.
Note that no inn.conf parameter contains "_" so I used
tlspreferserverciphers instead of tlsprefer_server_ciphers.
I also used booleans instead of integers for the new parameters given to
tls_init_serverengine(), and size_t instead of int for positive variables.
Also, I wrote:
    if (!tls_compression) {
#ifdef SSL_OP_NO_COMPRESSION
        SSL_CTX_set_options(CTX, SSL_OP_NO_COMPRESSION);
#endif
    }
instead of:
#ifdef SSL_OP_NO_COMPRESSION
    if (!tls_compression) {
        SSL_CTX_set_options(CTX, SSL_OP_NO_COMPRESSION);
    }
#endif
because I otherwise had a gcc warning for an unused tls_compression
variable.
I also wrote:
    if ((tls_protos & INN_TLS_TLSv1) == 0)
instead of:
    if (!(tls_protos & INN_TLS_TLSv1))
for more clarity (the result is not a boolean).
I hope these changes are fine for you.
--
Julien ÉLIE
« Confessio est regina probatio. »
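The SSLv3 check in the message above (openssl s_client with -ssl3), repeated for every protocol version s_client knows, as an added shell example that is not part of the original message or of INN. The host news.example.net and port 563 are placeholders; the flag names are openssl s_client's own, and the three result states are this script's, not openssl's.

```shell
#!/bin/sh
# Added example (not INN's own code): probe which SSL/TLS versions a news
# server's NNTPS port accepts, so the "only TLS protocols" default of 2.6.0
# can be verified from the outside. Host and port are placeholders.

# Print "accepted", "refused", "unsupported" or "error" for one s_client flag.
# "unsupported" means this openssl build no longer offers that version at all,
# so the server could not be tested with it from this client.
probe_state() {
    host=$1 port=$2 flag=$3
    out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1) || true
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo unsupported
    elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        # No cipher was negotiated: the server refused this version.
        echo refused
    elif printf '%s\n' "$out" | grep -q 'Cipher is '; then
        echo accepted
    else
        # Connection failed before any handshake (port closed, DNS, timeout).
        echo error
    fi
}

# One line per version; returns 1 if an SSL (pre-TLS) version was accepted,
# which the 2.6.0 defaults described in the message should never show.
report_protocols() {
    host=$1 port=${2:-563} bad=0
    for flag in -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2; do
        state=$(probe_state "$host" "$port" "$flag")
        printf '%-8s %s\n' "$flag" "$state"
        case "$flag:$state" in
            -ssl2:accepted|-ssl3:accepted) bad=1 ;;
        esac
    done
    return "$bad"
}

# Example invocation (placeholder host); exit status is non-zero if SSLv2 or
# SSLv3 is still accepted:
# report_protocols news.example.net 563
```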