[patch] more TLS configuration options for nnrpd

Julien ÉLIE julien at trigofacile.com
Tue Nov 11 14:08:27 UTC 2014


Hi Christian,

>> Many thanks for this new patch. I will integrate it into INN and
>> tell you when it has been committed.
>
> Great!
> Yes, I'd really like to see this in the 2.5 series.

Done for both 2.6.0:
     https://inn.eyrie.org/trac/changeset/9744
and 2.5.5:
     https://inn.eyrie.org/trac/changeset/9745


I have done several tests with the patch, and it works like a charm.
SSLv3 is now disabled on my news server, as I can see with:

     openssl s_client -connect news.trigofacile.com:563 -ssl3
Feel free to have a look at the two commits.
The default value is all protocols, compression possible and client 
decides the cipher for 2.5.5; only TLS protocols, without compression 
and server decides the cipher for 2.6.0.


Note that no inn.conf parameter contains "_" so I used 
tlspreferserverciphers instead of tlsprefer_server_ciphers.
I also used booleans instead of integers for the new parameters given to 
tls_init_serverengine(), and size_t instead of int for positive variables.

Also, I wrote:

     if (!tls_compression) {
#ifdef SSL_OP_NO_COMPRESSION
         SSL_CTX_set_options(CTX, SSL_OP_NO_COMPRESSION);
#endif
     }

instead of:

#ifdef SSL_OP_NO_COMPRESSION
     if (!tls_compression) {
         SSL_CTX_set_options(CTX, SSL_OP_NO_COMPRESSION);
     }
#endif

because I otherwise had a gcc warning for an unused tls_compression 
variable.
I also wrote:

     if ((tls_protos & INN_TLS_TLSv1) == 0)

instead of:

     if (!(tls_protos & INN_TLS_TLSv1))

for more clarity (the result is not a boolean).


I hope these changes are fine for you.

-- 
Julien ÉLIE

« Confessio est regina probatio. »
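The following is an added example, not INN's code and not the patch committed in the changesets above. It models in plain C how settings of the kind described in this message (a protocol bitmask, a compression boolean and a server-cipher-preference boolean passed to tls_init_serverengine()) translate into the context options a server would set, and it captures the two defaults mentioned for 2.5.5 and 2.6.0. Only INN_TLS_TLSv1 appears in the message; the other INN_TLS_* names, the TLS_OPT_* names, the struct and all function names are assumptions made for this illustration, and the OpenSSL SSL_OP_* flags are only referenced in comments.

```c
/*
 * Added illustration (not INN code): turning nnrpd-style TLS settings into
 * a set of context options, using the "(mask & bit) == 0" idiom from the
 * message above for every protocol bit.
 */
#include <stdbool.h>
#include <stdio.h>

/* Protocol bitmask handed to the TLS engine.  INN_TLS_TLSv1 is the name
 * used in the message; the other names are assumed for this example. */
enum {
    INN_TLS_SSLv2   = 1u << 0,
    INN_TLS_SSLv3   = 1u << 1,
    INN_TLS_TLSv1   = 1u << 2,
    INN_TLS_TLSv1_1 = 1u << 3,
    INN_TLS_TLSv1_2 = 1u << 4
};
#define INN_TLS_ALL (INN_TLS_SSLv2 | INN_TLS_SSLv3 | INN_TLS_TLSv1 | \
                     INN_TLS_TLSv1_1 | INN_TLS_TLSv1_2)
#define INN_TLS_ONLY_TLS (INN_TLS_TLSv1 | INN_TLS_TLSv1_1 | INN_TLS_TLSv1_2)

/* Options the context code would apply.  Each one corresponds to a real
 * OpenSSL SSL_CTX_set_options() flag, named in the comment; the protocol
 * bits deliberately share positions with INN_TLS_* so that a "no" option
 * and the protocol it disables line up. */
enum {
    TLS_OPT_NO_SSLv2       = 1u << 0,  /* SSL_OP_NO_SSLv2 */
    TLS_OPT_NO_SSLv3       = 1u << 1,  /* SSL_OP_NO_SSLv3 */
    TLS_OPT_NO_TLSv1       = 1u << 2,  /* SSL_OP_NO_TLSv1 */
    TLS_OPT_NO_TLSv1_1     = 1u << 3,  /* SSL_OP_NO_TLSv1_1 */
    TLS_OPT_NO_TLSv1_2     = 1u << 4,  /* SSL_OP_NO_TLSv1_2 */
    TLS_OPT_NO_COMPRESSION = 1u << 5,  /* SSL_OP_NO_COMPRESSION */
    TLS_OPT_SERVER_PREF    = 1u << 6   /* SSL_OP_CIPHER_SERVER_PREFERENCE */
};

/* Assumed shape of the three settings discussed in the message. */
struct tls_config {
    unsigned protocols;            /* bitmask of INN_TLS_* */
    bool compression;              /* allow TLS compression? */
    bool prefer_server_ciphers;    /* server rather than client picks cipher */
};

/* Compute the options to set for a given configuration. */
unsigned tls_context_options(const struct tls_config *cfg)
{
    unsigned opts = 0;

    /* Compare with 0 instead of negating: the & result is not a boolean. */
    if ((cfg->protocols & INN_TLS_SSLv2) == 0)   opts |= TLS_OPT_NO_SSLv2;
    if ((cfg->protocols & INN_TLS_SSLv3) == 0)   opts |= TLS_OPT_NO_SSLv3;
    if ((cfg->protocols & INN_TLS_TLSv1) == 0)   opts |= TLS_OPT_NO_TLSv1;
    if ((cfg->protocols & INN_TLS_TLSv1_1) == 0) opts |= TLS_OPT_NO_TLSv1_1;
    if ((cfg->protocols & INN_TLS_TLSv1_2) == 0) opts |= TLS_OPT_NO_TLSv1_2;

    if (!cfg->compression)
        opts |= TLS_OPT_NO_COMPRESSION;
    if (cfg->prefer_server_ciphers)
        opts |= TLS_OPT_SERVER_PREF;
    return opts;
}

/* A protocol can still be negotiated only if its "no" option is absent. */
bool tls_protocol_allowed(unsigned opts, unsigned inn_proto)
{
    return (opts & inn_proto) == 0;
}

/* The 2.5.5 default described in the message: all protocols, compression
 * possible, client decides the cipher. */
unsigned tls_options_2_5_5(void)
{
    struct tls_config cfg = { INN_TLS_ALL, true, false };
    return tls_context_options(&cfg);
}

/* The 2.6.0 default: only TLS protocols, no compression, server decides. */
unsigned tls_options_2_6_0(void)
{
    struct tls_config cfg = { INN_TLS_ONLY_TLS, false, true };
    return tls_context_options(&cfg);
}

int main(void)
{
    unsigned o = tls_options_2_6_0();
    printf("2.6.0 defaults: options=0x%02x SSLv3 allowed=%d TLSv1.2 allowed=%d\n",
           o, tls_protocol_allowed(o, INN_TLS_SSLv3),
           tls_protocol_allowed(o, INN_TLS_TLSv1_2));
    printf("2.5.5 defaults: options=0x%02x\n", tls_options_2_5_5());
    return 0;
}
```

The bit positions of the "no protocol" options are chosen to match the INN_TLS_* bits only so that tls_protocol_allowed() is a single mask test; real SSL_OP_* values are not laid out that way, so a server using OpenSSL directly would pass each SSL_OP_* flag to SSL_CTX_set_options() and read them back with SSL_CTX_get_options().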