[patch] more TLS configuration options for nnrpd
julien at trigofacile.com
Tue Nov 11 20:04:35 UTC 2014
>> I suggest to add the following paragraph:
>> Note that the listed protocols will be enabled only if the OpenSSL
>> library INN has been built against supports them. If OpenSSL
>> supports protocols more recent than TLSv1.2, they will be
>> automatically enabled (which anyway is fine regarding security, as
>> newer protocols are supposed to be more secure).
>> Does it sound good, or would you prefer another wording?
> Will they be automatically enabled if one gives this option with an
> explicit list? (This may have already been in the other thread; if so,
> apologies for missing it.)
The fact is that newer protocols aren't known by INN. We do not know
the name of the OpenSSL option to disable them. Consequently, newer
protocols are automatically enabled.
The new tlsprotocols keyword works this way: if "TLSv1.2" is in the
explicit list, INN sets the SSL_OP_NO_TLSv1_2 option for the TLS engine.
INN does not know the "TLSv1.3", "TLSv2" or "XYZv1" protocol (none of
them currently exist) so these keywords are not recognized, and
therefore no option can be given to the TLS engine for them.
So if INN 2.5.5 is built with a future OpenSSL version knowing for
instance "TLSv1.3", this protocol will always be automatically enabled.
There is no possibility to disable it.
Wasn't my suggestion of paragraph clear enough about that?
Or should we change the behaviour of the new keyword?
"A short-sighted person who lip-reads hears better when wearing
glasses." (Philippe Geluck)
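As an added example (not INN's code, and not written by anyone in this thread), here is a Python model of the keyword logic described in the message above, using Python's standard ssl module, which exposes OpenSSL's SSL_OP_NO_* bits under the same names and values. Two things are assumptions of the example: that the protocols named in an explicit tlsprotocols list are the ones to keep enabled (as the draft documentation paragraph says), and the table of names the keyword recognises. The example shows why an unrecognised name such as "TLSv1.3" leaves nothing to set, and shows the version-cap alternative (SSL_CTX_set_max_proto_version, available from OpenSSL 1.1.0, surfaced in Python 3.7+ as SSLContext.maximum_version) that would let an explicit list exclude any protocol newer than the newest one it names, even one the code has never heard of.

```python
import ssl

# Assumed keyword table for this example: the names the tlsprotocols
# keyword recognises, each mapped to the OpenSSL SSL_OP_NO_* bit that
# disables it.  SSLv2 is left out because OpenSSL 1.1.0+ defines
# SSL_OP_NO_SSLv2 as 0, so there is no longer a bit to set for it.
KNOWN_PROTOCOLS = {
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
}

# Same names, as TLSVersion values, for the version-cap alternative.
VERSION_OF = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

# The bit for a protocol the table above does NOT know (TLSv1.3 exists in
# OpenSSL 1.1.1+; 0 on builds that predate it, where the point is moot).
OP_NO_TLSv1_3 = getattr(ssl, "OP_NO_TLSv1_3", 0)


def deny_mask(tlsprotocols):
    """Model of the deny-list approach: every known protocol that is not in
    the explicit list gets its SSL_OP_NO_* bit set.  Names the table does
    not know are returned separately; no bit is set for them, so a newer
    protocol the library supports stays enabled whatever the list says."""
    listed = set(tlsprotocols)
    mask = 0
    for name, no_bit in KNOWN_PROTOCOLS.items():
        if name not in listed:
            mask |= no_bit
    unrecognised = sorted(listed - KNOWN_PROTOCOLS.keys())
    return mask, unrecognised


def is_disabled(mask, no_bit):
    """True if the mask carries the bit that disables a given protocol."""
    return bool(mask & no_bit)


def newest_listed(tlsprotocols):
    """Highest protocol version named in the list (None if none is known)."""
    known = [VERSION_OF[n] for n in tlsprotocols if n in VERSION_OF]
    return max(known) if known else None


def capped_context(tlsprotocols):
    """Version-cap alternative: a server context whose maximum_version is
    the newest listed protocol.  Anything newer, including versions this
    code has no keyword for, is refused by OpenSSL itself."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    cap = newest_listed(tlsprotocols)
    if cap is not None:
        ctx.maximum_version = cap
    return ctx


if __name__ == "__main__":
    # Constructed sample list: TLSv1.2 only, plus a name the table lacks.
    mask, unknown = deny_mask(["TLSv1.2", "TLSv1.3"])
    for name, no_bit in KNOWN_PROTOCOLS.items():
        print(f"{name:8s} {'disabled' if is_disabled(mask, no_bit) else 'enabled'}")
    print("unrecognised keywords:", unknown)
    print("TLSv1.3 disabled by mask:", is_disabled(mask, OP_NO_TLSv1_3))
    ctx = capped_context(["TLSv1.2"])
    print("capped context maximum_version:", ctx.maximum_version.name)
```

With the deny-list model, `["TLSv1.2", "TLSv1.3"]` disables SSLv3, TLSv1 and TLSv1.1, reports "TLSv1.3" as unrecognised, and leaves the TLSv1.3 bit clear, which is exactly the "no possibility to disable it" outcome described above. The capped context built from `["TLSv1.2"]` instead sets maximum_version to TLSv1.2, so a future protocol is excluded without the code knowing its name. The deprecation warnings Python 3.10+ emits for OP_NO_* constants are another sign that the cap is the form newer OpenSSL and Python APIs expect.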