[patch] more TLS configuration options for nnrpd
Julien ÉLIE
julien at trigofacile.com
Tue Nov 11 21:36:31 UTC 2014
Hi Russ,

>> The fact is that newer protocols aren't known by INN. We do not know
>> the name of the OpenSSL option to disable them. Consequently, newer
>> protocols are automatically enabled.
>>
>> The new tlsprotocols keyword works this way: if "TLSv1.2" is in the
>> explicit list, INN sets the SSL_OP_NO_TLSv1_2 option for the TLS engine.

I wish to correct what I wrote in my previous mail (I believe you
corrected it when reading): if "TLSv1.2" is *not* in the explicit list,
INN sets the SSL_OP_NO_TLSv1_2 option for the TLS engine, to disable the
use of TLSv1.2.

>> INN does not know the "TLSv1.3", "TLSv2" or "XYZv1" protocol (none of
>> them currently exist) so these keywords are not recognized, and
>> therefore no option can be given to the TLS engine for them. So if INN
>> 2.5.5 is built with a future OpenSSL version knowing for instance
>> "TLSv1.3", this protocol will always be automatically enabled. There is
>> no possibility to disable it.
>
> Ah, okay. Then yeah, that paragraph sounds fine.

OK.

>> Wasn't my suggestion of paragraph clear enough about that? Or should we
>> change the behaviour of the new keyword?
>
> The paragraph was clear -- the behavior just wasn't intuitively what I'd
> expect, since I was assuming that the list was being passed to OpenSSL
> under the hood as the only acceptable ciphers. Now that you explain
> what's actually happening, it all makes sense.

This tlsprotocols keyword indeed differs from tlsciphers (a list of
ciphers given as-is to OpenSSL) and also tlseccurve (the name of a curve
to use, also given as-is to OpenSSL). I bet that's why you had the
assumption of a similar list for the protocols as well!
--
Julien ÉLIE
« A short-sighted person who reads lips hears better when wearing
glasses. » (Philippe Geluck)
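The semantics discussed in this message (an explicit tlsprotocols list that is turned into SSL_OP_NO_* flags for every known protocol that is missing from the list, so that a protocol the daemon does not know can never be disabled) can be modelled with Python's ssl module standing in for OpenSSL. This is an added illustration, not INN's own code: the table of recognised protocol names is an assumption (the message only names TLSv1.2 explicitly), and the function and variable names are invented for the example.

```python
import ssl
import warnings

# ASSUMPTION: the protocol keywords the example pretends nnrpd recognises.
# The message only names "TLSv1.2"; the others are the usual protocol
# versions of the time.  Each maps to the ssl-module equivalent of the
# OpenSSL SSL_OP_NO_* option that disables that protocol.
KNOWN_PROTOCOLS = {
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
}


def tlsprotocols_to_options(tlsprotocols):
    """Apply the rule from the message: every *known* protocol that is
    absent from the explicit list gets its SSL_OP_NO_* flag set.

    Returns (options_bitmask, unrecognised_keywords).  Unrecognised
    keywords contribute no flag at all, which is exactly why a protocol
    the daemon does not know about stays enabled whatever the list says.
    """
    options = 0
    for name, flag in KNOWN_PROTOCOLS.items():
        if name not in tlsprotocols:
            options |= flag
    unknown = [kw for kw in tlsprotocols if kw not in KNOWN_PROTOCOLS]
    return options, unknown


def disabled_protocols(tlsprotocols):
    """Names of the known protocols that the given list switches off."""
    options, _ = tlsprotocols_to_options(tlsprotocols)
    return sorted(name for name, flag in KNOWN_PROTOCOLS.items()
                  if options & flag)


def build_server_context(tlsprotocols):
    """Hypothetical server-side context set up the way the message
    describes: the computed SSL_OP_NO_* flags are OR-ed into the options.
    Newer Python versions flag these options as deprecated in favour of
    minimum_version/maximum_version; the warning is silenced here because
    the point is to mirror the OpenSSL option-based mechanism."""
    options, _ = tlsprotocols_to_options(tlsprotocols)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= options
    return ctx


def is_disabled(ctx, protocol_name):
    """True if the context carries the disabling flag for this protocol.
    For a name the table does not know there is no flag to look for, so
    the answer is always False: it cannot have been disabled this way."""
    flag = KNOWN_PROTOCOLS.get(protocol_name)
    if flag is None:
        return False
    return bool(ctx.options & flag)


if __name__ == "__main__":
    # Constructed configuration values, as they might appear in inn.conf.
    for conf in (["TLSv1.2"], ["TLSv1.1", "TLSv1.2"], ["TLSv1.2", "TLSv1.3"]):
        _, unknown = tlsprotocols_to_options(conf)
        print(conf, "-> disabled:", disabled_protocols(conf),
              "unrecognised (left enabled):", unknown)
```

The last configuration shows the caveat from the message: "TLSv1.3" is simply reported as unrecognised, and nothing about it reaches the TLS engine, so whether it is offered depends entirely on the OpenSSL build. This is the usual weakness of a deny-list built from an allow-list, and the reason a site that wants a strict protocol floor has to verify what the running daemon actually negotiates rather than trust the keyword alone.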