[patch] more TLS configuration options for nnrpd

Russ Allbery eagle at eyrie.org
Tue Nov 11 20:52:34 UTC 2014


Julien ÉLIE <julien at trigofacile.com> writes:

> The fact is that newer protocols aren't known by INN.  We do not know
> the name of the OpenSSL option to disable them.  Consequently, newer
> protocols are automatically enabled.

> The new tlsprotocols keyword works this way:  if "TLSv1.2" is in the
> explicit list, INN sets the SSL_OP_NO_TLSv1_2 option for the TLS engine.

> INN does not know the "TLSv1.3", "TLSv2" or "XYZv1" protocol (none of
> them currently exist) so these keywords are not recognized, and
> therefore no option can be given to the TLS engine for them.  So if INN
> 2.5.5 is built with a future OpenSSL version knowing for instance
> "TLSv1.3", this protocol will always be automatically enabled. There is
> no possibility to disable it.

Ah, okay.  Then yeah, that paragraph sounds fine.

> Wasn't my suggestion of paragraph clear enough about that?  Or should we
> change the behaviour of the new keyword?

The paragraph was clear -- the behavior just wasn't intuitively what I'd
expect, since I was assuming that the list was being passed to OpenSSL
under the hood as the only acceptable ciphers.  Now that you explain
what's actually happening, it all makes sense.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
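The two semantics discussed above, side by side: the deny-list mapping of known protocol names onto SSL_OP_NO_* flags (a known name absent from the configured list has its flag set, an unknown name maps to nothing) and the allow-list behaviour the reply had assumed. This is an added illustration for this page, not INN's code: it uses Python's ssl module, which exposes the same OpenSSL option flags, a protocol table deliberately lacking "TLSv1.3" to model a build that predates that version, and hypothetical helper names (KNOWN_PROTOCOLS, VERSION_OF, deny_list_context, allow_list_context, disabled_versions).

```python
import ssl
import warnings

# Names the modelled INN build knows, each mapped to the OpenSSL SSL_OP_NO_*
# flag set when that name is NOT in the configured tlsprotocols list.
# "TLSv1.3" is deliberately absent (build predates it); SSLv2 is left out
# because SSL_OP_NO_SSLv2 is 0 on OpenSSL 1.1.0+, where SSLv2 is gone.
KNOWN_PROTOCOLS = {
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
}

# Hypothetical table for the allow-list variant (name -> TLSVersion).
VERSION_OF = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def deny_list_context(tlsprotocols):
    """Deny-list semantics: disable every *known* protocol not in the list.
    Returns (ctx, unknown); names in `unknown` have no flag, so the engine
    may still enable them and a caller should warn about them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    wanted = set(tlsprotocols)
    with warnings.catch_warnings():
        # OP_NO_* flags are deprecated in favour of min/max version.
        warnings.simplefilter("ignore", DeprecationWarning)
        for name, flag in KNOWN_PROTOCOLS.items():
            if name not in wanted:
                ctx.options |= flag
    return ctx, sorted(wanted - KNOWN_PROTOCOLS.keys())

def allow_list_context(tlsprotocols):
    """Allow-list semantics: pin min/max version to the listed range, so any
    version above the highest listed name is off whether or not the config
    parser knows its name.  Assumes the listed names are contiguous."""
    versions = [VERSION_OF[n] for n in tlsprotocols if n in VERSION_OF]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min(versions)
    ctx.maximum_version = max(versions)
    return ctx

def disabled_versions(ctx):
    """SSL_OP_NO_* flags of the *running* OpenSSL that are set on ctx,
    including the TLS 1.3 flag the table above does not know about."""
    flags = {**KNOWN_PROTOCOLS, "TLSv1.3": ssl.OP_NO_TLSv1_3}
    return sorted(n for n, f in flags.items() if ctx.options & f)
```

With the deny-list, `tlsprotocols: TLSv1.2` still leaves TLS 1.3 enabled (no flag is ever set for it), whereas the allow-list variant caps the context at the highest listed version.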
