[patch] more TLS configuration options for nnrpd

Julien ÉLIE julien at trigofacile.com
Tue Nov 11 20:04:35 UTC 2014


Hi Russ,

>> I suggest to add the following paragraph:
>
>>    Note that the listed protocols will be enabled only if the OpenSSL
>>    library INN has been built with supports them.  In case OpenSSL
>>    supports protocols more recent than TLSv1.2, they will be
>>    automatically enabled (which anyway is fine regarding security, as
>>    newer protocols are supposed to be more secure).
>
>> Does it sound good, or would you prefer another wording?
>
> Will they be automatically enabled if one gives this option with an
> explicit list?  (This may have already been in the other thread; if so,
> apologies for missing it.)

The fact is that newer protocols aren't known by INN.  We do not know 
the name of the OpenSSL option to disable them.  Consequently, newer 
protocols are automatically enabled.

The new tlsprotocols keyword works this way:  if "TLSv1.2" is in the 
explicit list, INN sets the SSL_OP_NO_TLSv1_2 option for the TLS engine.

INN does not know the "TLSv1.3", "TLSv2" or "XYZv1" protocol (none of 
them currently exist) so these keywords are not recognized, and 
therefore no option can be given to the TLS engine for them.
So if INN 2.5.5 is built with a future OpenSSL version knowing for 
instance "TLSv1.3", this protocol will always be automatically enabled. 
There is no possibility to disable it.


Wasn't my suggestion of paragraph clear enough about that?
Or should we change the behaviour of the new keyword?

-- 
Julien ÉLIE

« Un myope qui lit sur les lèvres entend mieux s'il porte des
   lunettes. » (Philippe Geluck)
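The behaviour described above (known protocol names map to SSL_OP_NO_* options, unknown names map to nothing) as an added example, not INN's own code and not part of this message. It assumes the intended semantics of the new tlsprotocols keyword: a protocol named in the list stays enabled, and every protocol INN knows but which is not named gets its NO_ option. The OPT_NO_* constants, the function names and the sample values are stand-ins chosen here; the real option bits live in OpenSSL's <openssl/ssl.h>.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in bits for OpenSSL's SSL_OP_NO_SSLv2 ... SSL_OP_NO_TLSv1_2.
 * These values are illustrative only; the real ones come from
 * <openssl/ssl.h> and vary between OpenSSL releases. */
#define OPT_NO_SSLv2   (1u << 0)
#define OPT_NO_SSLv3   (1u << 1)
#define OPT_NO_TLSv1   (1u << 2)
#define OPT_NO_TLSv1_1 (1u << 3)
#define OPT_NO_TLSv1_2 (1u << 4)

/* The protocol names this (hypothetical) INN build knows, with the option
 * that disables each one.  A newer protocol (e.g. "TLSv1.3") is absent. */
struct proto { const char *name; unsigned opt; };
static const struct proto known[] = {
    {"SSLv2",   OPT_NO_SSLv2},
    {"SSLv3",   OPT_NO_SSLv3},
    {"TLSv1",   OPT_NO_TLSv1},
    {"TLSv1.1", OPT_NO_TLSv1_1},
    {"TLSv1.2", OPT_NO_TLSv1_2},
};
#define NKNOWN (sizeof(known) / sizeof(known[0]))

/* Translate a tlsprotocols value (space- or comma-separated names) into the
 * bitmask one would hand to SSL_CTX_set_options(): every known protocol that
 * is not named gets its NO_ option; named ones get none.  A name INN does not
 * know is counted in *unknown and contributes no option at all, which is why
 * a protocol newer than INN can never be turned off this way: there is no
 * option INN can set for it.  Returns the bitmask. */
unsigned tlsprotocols_options(const char *value, int *unknown)
{
    char buf[256];
    int wanted[NKNOWN] = {0};
    unsigned opts = 0;
    size_t i;
    char *tok;

    *unknown = 0;
    strncpy(buf, value, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';

    for (tok = strtok(buf, " ,\t"); tok != NULL; tok = strtok(NULL, " ,\t")) {
        int found = 0;
        for (i = 0; i < NKNOWN; i++) {
            if (strcmp(tok, known[i].name) == 0) {
                wanted[i] = 1;
                found = 1;
                break;
            }
        }
        if (!found)
            (*unknown)++;    /* e.g. "TLSv1.3": nothing to disable */
    }
    for (i = 0; i < NKNOWN; i++)
        if (!wanted[i])
            opts |= known[i].opt;
    return opts;
}

/* Convenience wrapper: how many names in the list INN does not recognise. */
int tlsprotocols_unknown(const char *value)
{
    int unknown;
    (void) tlsprotocols_options(value, &unknown);
    return unknown;
}

int main(void)
{
    int unknown;
    unsigned opts = tlsprotocols_options("TLSv1.2 TLSv1.3", &unknown);

    /* TLSv1.3 is not known, so no NO_ option exists for it: if the OpenSSL
     * library INN is linked against supports it, it stays enabled. */
    printf("options=0x%02x unknown=%d\n", opts, unknown);
    return 0;
}
```

The point to take from the bitmask: with "TLSv1.2 TLSv1.3" the result is identical to plain "TLSv1.2" (SSLv2, SSLv3, TLSv1 and TLSv1.1 disabled), and the unrecognised name only shows up in the unknown count. Whether that count should be a configuration error or a silent pass-through is the behavioural question raised in the message.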

