[patch] more TLS configuration options for nnrpd

Russ Allbery eagle at eyrie.org
Tue Nov 11 20:52:34 UTC 2014

Julien ÉLIE <julien at trigofacile.com> writes:

> The fact is that newer protocols aren't known by INN.  We do not know
> the name of the OpenSSL option to disable them.  Consequently, newer
> protocols are automatically enabled.

> The new tlsprotocols keyword works this way:  if "TLSv1.2" is in the
> explicit list, INN sets the SSL_OP_NO_TLSv1_2 option for the TLS engine.

> INN does not know the "TLSv1.3", "TLSv2" or "XYZv1" protocol (none of
> them currently exist) so these keywords are not recognized, and
> therefore no option can be given to the TLS engine for them.  So if INN
> 2.5.5 is built with a future OpenSSL version knowing for instance
> "TLSv1.3", this protocol will always be automatically enabled. There is
> no possibility to disable it.

Ah, okay.  Then yeah, that paragraph sounds fine.

> Wasn't my suggestion of paragraph clear enough about that?  Or should we
> change the behaviour of the new keyword?

The paragraph was clear -- the behavior just wasn't intuitively what I'd
expect, since I was assuming that the list was being passed to OpenSSL
under the hood as the only acceptable ciphers.  Now that you explain
what's actually happening, it all makes sense.

Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
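The behaviour Julien describes, modelled as an added example that is neither INN's code nor the patch under discussion: the keyword-to-SSL_OP_NO_* mapping via Python's ssl bindings to the same OpenSSL flags, plus the range-based interface newer OpenSSL offers as the usual answer to the "future protocol stays enabled" gap. The protocol table and every keyword other than "TLSv1.2" are constructed for the example, not taken from INN.

```python
import ssl

# Keyword -> OpenSSL SSL_OP_NO_* flag, as exposed by Python's ssl module.
# Only protocols the build already knows can have an entry; a newer one
# ("TLSv1.3" at the time of the thread) has no flag to set. This table is
# constructed for the example, not INN's own list.
KNOWN_PROTOCOLS = {
    "SSLv2": getattr(ssl, "OP_NO_SSLv2", 0),
    "SSLv3": getattr(ssl, "OP_NO_SSLv3", 0),
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
}


def to_options(enabled):
    """Mimic the tlsprotocols keyword: every known protocol NOT in the explicit
    list gets its SSL_OP_NO_* bit set; unknown keywords contribute nothing."""
    options = 0
    for name, flag in KNOWN_PROTOCOLS.items():
        if name not in enabled:
            options |= flag
    return options


def disabled_keywords(enabled):
    """Names of the known protocols that to_options() switches off."""
    return sorted(name for name in KNOWN_PROTOCOLS if name not in enabled)


def unknown_keywords(enabled):
    """Keywords the list names but the table cannot act on: these are exactly
    the protocols the thread warns will stay enabled regardless of config."""
    return [name for name in enabled if name not in KNOWN_PROTOCOLS]


def bounded_context(low=ssl.TLSVersion.TLSv1_2, high=ssl.TLSVersion.TLSv1_2):
    """Range-based alternative (OpenSSL 1.1.0+ SSL_CTX_set_{min,max}_proto_version):
    a ceiling excludes any version newer than the one the config names."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = low
    ctx.maximum_version = high
    return ctx.minimum_version.name, ctx.maximum_version.name


if __name__ == "__main__":
    allow = ["TLSv1.2", "TLSv1.3"]  # constructed tlsprotocols value
    print("disabled:", disabled_keywords(allow))
    print("ignored :", unknown_keywords(allow))
    print("range   :", bounded_context())
```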
