[patch] more TLS configuration options for nnrpd
Russ Allbery
eagle at eyrie.org
Tue Nov 11 20:52:34 UTC 2014
Julien ÉLIE <julien at trigofacile.com> writes:
> The fact is that newer protocols aren't known by INN. We do not know
> the name of the OpenSSL option to disable them. Consequently, newer
> protocols are automatically enabled.
> The new tlsprotocols keyword works this way: if "TLSv1.2" is in the
> explicit list, INN sets the SSL_OP_NO_TLSv1_2 option for the TLS engine.
> INN does not know the "TLSv1.3", "TLSv2" or "XYZv1" protocol (none of
> them currently exist) so these keywords are not recognized, and
> therefore no option can be given to the TLS engine for them. So if INN
> 2.5.5 is built with a future OpenSSL version knowing for instance
> "TLSv1.3", this protocol will always be automatically enabled. There is
> no possibility to disable it.
Ah, okay. Then yeah, that paragraph sounds fine.
> Wasn't my suggestion of paragraph clear enough about that? Or should we
> change the behaviour of the new keyword?
The paragraph was clear -- the behavior just wasn't intuitively what I'd
expect, since I was assuming that the list was being passed to OpenSSL
under the hood as the only acceptable ciphers. Now that you explain
what's actually happening, it all makes sense.
--
Russ Allbery (eagle at eyrie.org) <http://www.eyrie.org/~eagle/>
Please send questions to the list rather than mailing me directly.
<http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
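The behaviour Julien describes above is a deny-list: INN maps each name it recognizes in the tlsprotocols list to an SSL_OP_NO_* option bit and sets the bit for every known protocol that is not listed, so a protocol the build does not know about can never be switched off. The following is an added illustration, not INN's code: it models that mapping with the option constants Python's ssl module exports from OpenSSL, shows the unknown-protocol gap with TLSv1.3 standing in for the "future" protocol from the thread, and contrasts it with an allow-list built from SSLContext.minimum_version and maximum_version. The set of names INN recognized in 2014 and the function names are assumptions of this example.

```python
import ssl

# Assumed table of the protocol names INN 2.5.5 knew how to disable, each mapped to
# the OpenSSL SSL_OP_NO_* bit that Python's ssl module exposes (constructed for
# this example; INN's real table lives in its TLS code).
KNOWN_PROTOCOLS = {
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
}

# What the linked OpenSSL actually implements: everything above plus a protocol
# that appeared after the table was written (TLSv1.3 plays the "future" protocol).
LIBRARY_PROTOCOLS = dict(KNOWN_PROTOCOLS, **{"TLSv1.3": ssl.OP_NO_TLSv1_3})

# Name -> ssl.TLSVersion member, for the allow-list variant below.
TLS_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def denylist_options(tlsprotocols, known=KNOWN_PROTOCOLS):
    """Deny-list semantics as described in the thread: every protocol in `known`
    that is absent from the explicit list gets its SSL_OP_NO_* bit set. A name
    the table does not know is rejected; a protocol the table does not know
    cannot be disabled at all."""
    wanted = set(tlsprotocols)
    unknown = wanted - known.keys()
    if unknown:
        raise ValueError(f"unrecognized tlsprotocols entries: {sorted(unknown)}")
    options = 0
    for name, no_bit in known.items():
        if name not in wanted:
            options |= no_bit
    return options


def enabled_after(options, library=LIBRARY_PROTOCOLS):
    """Protocols the library still offers once `options` is applied: anything
    whose SSL_OP_NO_* bit is not set. This is the check an operator would want
    to run against the real OpenSSL table, not against INN's own."""
    return sorted(name for name, no_bit in library.items() if not options & no_bit)


def allowlist_context(lowest, highest):
    """Allow-list alternative: bound the negotiable version range explicitly.
    A protocol newer than `highest` is excluded by construction, even if the
    library learns about it later (requires Python 3.7+ and OpenSSL 1.1.0+)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = TLS_VERSIONS[lowest]
    ctx.maximum_version = TLS_VERSIONS[highest]
    return ctx


if __name__ == "__main__":
    # Operator lists only TLSv1.2; SSLv3, TLSv1 and TLSv1.1 are switched off,
    # but TLSv1.3 stays enabled because no option bit is known for it.
    opts = denylist_options(["TLSv1.2"])
    print("deny-list leaves enabled:", enabled_after(opts))
    ctx = allowlist_context("TLSv1.2", "TLSv1.2")
    print("allow-list range:", ctx.minimum_version.name, "..", ctx.maximum_version.name)
```

Running the block prints that the deny-list leaves both TLSv1.2 and TLSv1.3 enabled, which is exactly the caveat Julien's paragraph documents; the allow-list context pins the range to TLSv1.2 alone. The trade-off is the opposite one: a version-range allow-list excludes a future protocol automatically, so an operator who wants it has to widen the range, whereas the deny-list silently admits it.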