[patch] more TLS configuration options for nnrpd

Russ Allbery eagle at eyrie.org
Tue Nov 11 19:42:27 UTC 2014


Julien ÉLIE <julien at trigofacile.com> writes:

> Just an addition to my previous message:  I believe we should reword the
> documentation for tlsprotocols.  It currently states:

>   The list of SSL/TLS protocol versions to support.  Valid protocols are
>   B<SSLv2>, B<SSLv3>, B<TLSv1>, B<TLSv1.1> and B<TLSv1.2>.  The default
>   value is to only allow TLS protocols:

>       tlsprotocols: [ TLSv1 TLSv1.1 TLSv1.2 ]

> If TLSv1.3, TLSv2 or any other new protocol is provided by OpenSSL in the
> future, and a version of INN that does not know such a protocol is built
> with that new OpenSSL version, the documentation will be wrong because the
> new protocol will be supported (as it cannot be disabled).

> I suggest adding the following paragraph:

>   Note that the listed protocols will be enabled only if the OpenSSL
>   library that INN has been built with supports them.  In case OpenSSL
>   supports protocols more recent than TLSv1.2, they will be
>   automatically enabled (which anyway is fine regarding security, as
>   newer protocols are supposed to be more secure).

> Does it sound good, or would you prefer another wording?

Will they be automatically enabled if one gives this option with an
explicit list?  (This may have already been in the other thread; if so,
apologies for missing it.)

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
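Russ's question (whether a protocol the binary has no name for is still enabled when `tlsprotocols` is given explicitly) turns on how the list is applied to the library. The following is an added example written for this page, not INN's code and not from either poster. It models two ways of applying an allow-list such as `tlsprotocols: [ TLSv1 TLSv1.1 TLSv1.2 ]`: the "option bits" approach, where the program disables every protocol it knows that is not listed (the way `SSL_OP_NO_SSLv3` and friends are handed to `SSL_CTX_set_options()`), and a "version range" approach, where the list is reduced to a minimum and maximum version that the library enforces (OpenSSL 1.1.0 and later provide `SSL_CTX_set_min_proto_version()` and `SSL_CTX_set_max_proto_version()` for this). The protocol tables, bit values and the hypothetical newer library protocol are constructed for the example.

```c
/*
 * Added example, not INN's code: how a TLS protocol allow-list behaves
 * when a library offers a protocol the program was never taught a name for.
 *
 * Model A ("option bits"): disable every KNOWN protocol that is not listed.
 *   A protocol with no known name gets no disable bit, so it stays enabled.
 * Model B ("version range"): reduce the list to [min, max] and let the
 *   library enforce it.  A newer protocol lies above max and is excluded.
 *
 * All tables, bit values and the "TLSv1.3" entry are constructed here.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct proto { const char *name; unsigned long bit; int version; };

/* Protocols the hypothetical program knows (bits constructed, not OpenSSL's). */
static const struct proto known[] = {
    { "SSLv2",   1UL << 0, 0x0200 },
    { "SSLv3",   1UL << 1, 0x0300 },
    { "TLSv1",   1UL << 2, 0x0301 },
    { "TLSv1.1", 1UL << 3, 0x0302 },
    { "TLSv1.2", 1UL << 4, 0x0303 },
};
#define NKNOWN (sizeof(known) / sizeof(known[0]))

/* Protocols a newer library offers, including one the program cannot name. */
static const struct proto library[] = {
    { "SSLv3",   1UL << 1, 0x0300 },
    { "TLSv1",   1UL << 2, 0x0301 },
    { "TLSv1.1", 1UL << 3, 0x0302 },
    { "TLSv1.2", 1UL << 4, 0x0303 },
    { "TLSv1.3", 1UL << 5, 0x0304 },   /* unknown to the program */
};
#define NLIBRARY (sizeof(library) / sizeof(library[0]))

/* The explicit tlsprotocols value used in the demonstration (constructed). */
const char *const demo_allowed[] = { "TLSv1", "TLSv1.1", "TLSv1.2" };
#define DEMO_N (sizeof(demo_allowed) / sizeof(demo_allowed[0]))

static int listed(const char *name, const char *const *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, allowed[i]) == 0)
            return 1;
    return 0;
}

/* Model A: bitmask of known protocols to disable, i.e. everything not listed. */
unsigned long disable_mask(const char *const *allowed, size_t n)
{
    unsigned long mask = 0;
    for (size_t i = 0; i < NKNOWN; i++)
        if (!listed(known[i].name, allowed, n))
            mask |= known[i].bit;
    return mask;
}

/* Model A: the library enables anything whose bit is absent from the mask.
   A protocol whose bit the program never knew is therefore enabled. */
int enabled_by_options(const struct proto *p, unsigned long mask)
{
    return (p->bit & mask) == 0;
}

/* Model B: derive [min, max] from the listed known protocols (0 = none). */
void version_range(const char *const *allowed, size_t n, int *min, int *max)
{
    *min = 0; *max = 0;
    for (size_t i = 0; i < NKNOWN; i++) {
        if (!listed(known[i].name, allowed, n)) continue;
        if (*min == 0 || known[i].version < *min) *min = known[i].version;
        if (known[i].version > *max) *max = known[i].version;
    }
}

/* Model B: enabled only when the version falls inside the derived range. */
int enabled_by_range(const struct proto *p, const char *const *allowed, size_t n)
{
    int min, max;
    version_range(allowed, n, &min, &max);
    return min != 0 && p->version >= min && p->version <= max;
}

int main(void)
{
    unsigned long mask = disable_mask(demo_allowed, DEMO_N);
    printf("%-8s %-12s %-12s\n", "proto", "option-bits", "version-range");
    for (size_t i = 0; i < NLIBRARY; i++)
        printf("%-8s %-12s %-12s\n", library[i].name,
               enabled_by_options(&library[i], mask) ? "enabled" : "disabled",
               enabled_by_range(&library[i], demo_allowed, DEMO_N) ? "enabled" : "disabled");
    return 0;
}
```

Under model A the explicit list leaves TLSv1.3 enabled, because the program has no bit to set for it; that is the behaviour the proposed documentation paragraph describes, and it holds whether the list is the default or given explicitly. Under model B the same list excludes TLSv1.3 until the maximum is raised, which is safer against a future protocol being weaker than expected but means a list with a gap in it (say TLSv1 and TLSv1.2 without TLSv1.1) would still enable the version in the gap, since a range cannot express holes.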