[patch] more TLS configuration options for nnrpd

christian mock cm at tahina.priv.at
Wed Nov 12 15:41:08 UTC 2014


On Wed, Nov 12, 2014 at 10:08:10AM +0100, Julien ÉLIE wrote:

> >>Or should we change the behaviour of the new keyword?
> >
> >We could change the keyword to work like the code, that is,
> >to "tlsdisableprotocols". But to me that feels the wrong way 'round.
> 
> I do not understand your remark.
> With the current code, if we parameter
> tlsprotocols: [ TLSv1.2 ]
> and we use an OpenSSL version that supports TLSv1, TLSv1.1, TLSv1.2
> and TLSv1.3,
> the protocols that will be available are TLSv1.2 and TLSv1.3 even though
> the tlsprotocols parameter only mentions TLSv1.2.
> 
> The code will not disable TLSv1.3 as it does not know how to disable it.

What I meant: the code selectively disables known protocols. So if we
changed the keyword to work in reverse from what it is now, we could
say

  tlsdisableprotocols: Allows disabling certain known TLS protocol
  versions. Known versions: SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2

so in your example I'd configure

  tlsdisableprotocols: [ SSLv2 SSLv3 TLSv1 TLSv1.1 ]

and it would result in TLSv1.2 and TLSv1.3 being enabled in your
example. Adding "TLSv1.3" to the config line would result in an error
message.

But, again, to me that feels "backwards".

> The parameter does not exactly enable the list.  Newer protocols are
> out of scope of the parameter.

Right.

-- 
In any case it is MUCH better than "You did not send a virus and would
not have received one either, but somewhere in the vastness of the Internet
a mail was killed that happened to have your address in its From."
-- Matthias Kahlert in aip
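The point at issue in this exchange is that an allow-list keyword (tlsprotocols) which is implemented by switching off each *known* version not on the list leaves any version the code does not know about, such as TLSv1.3 in Julien's example, silently enabled, whereas a deny-list keyword (tlsdisableprotocols) can reject names it does not know. The following Python model is an added illustration, not code from INN or from this thread: the version names come from the mail, but the two functions and the `audit_unlisted` check are constructed here to show how each semantic behaves against a library that supports more versions than the configuration code knows.

```python
"""Constructed model of the two keyword semantics discussed on inn-workers.

Not INN's code: it only models how an allow-list implemented as
"disable every known version not listed" differs from an explicit
deny-list when the linked library supports versions the config code
does not know about.
"""

# Versions the (modelled) configuration code knows how to disable;
# this list is taken from the proposed documentation line in the mail.
KNOWN_VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def _check_names(listed):
    """Reject any version name the configuration code does not know."""
    for name in listed:
        if name not in KNOWN_VERSIONS:
            raise ValueError("unknown protocol version in configuration: %s" % name)


def enabled_with_tlsprotocols(listed, library_supports):
    """'tlsprotocols' as described in the thread: the code walks the KNOWN
    versions and disables each one that is not listed.  Versions it does
    not know (e.g. TLSv1.3) are never touched, so they stay enabled."""
    _check_names(listed)
    disabled = {v for v in KNOWN_VERSIONS if v not in listed}
    return [v for v in library_supports if v not in disabled]


def enabled_with_tlsdisableprotocols(listed, library_supports):
    """The reversed keyword proposed in the mail: every listed version is
    disabled, and a name the code does not know is a configuration error."""
    _check_names(listed)
    disabled = set(listed)
    return [v for v in library_supports if v not in disabled]


def audit_unlisted(listed, library_supports):
    """Defender's check for the allow-list semantic: which versions end up
    enabled although the administrator never listed them?"""
    enabled = enabled_with_tlsprotocols(listed, library_supports)
    return [v for v in enabled if v not in listed]


if __name__ == "__main__":
    # Constructed library capability set matching Julien's example: an
    # OpenSSL build that speaks TLSv1 through TLSv1.3.
    lib = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

    print("tlsprotocols: [ TLSv1.2 ] ->",
          enabled_with_tlsprotocols(["TLSv1.2"], lib))
    print("  enabled but never listed:", audit_unlisted(["TLSv1.2"], lib))

    print("tlsdisableprotocols: [ SSLv2 SSLv3 TLSv1 TLSv1.1 ] ->",
          enabled_with_tlsdisableprotocols(["SSLv2", "SSLv3", "TLSv1", "TLSv1.1"], lib))

    try:
        enabled_with_tlsdisableprotocols(["TLSv1.3"], lib)
    except ValueError as err:
        print("tlsdisableprotocols: [ TLSv1.3 ] -> error:", err)
```

Running the module reproduces the thread's example: under the allow-list semantic TLSv1.2 and TLSv1.3 are both usable although only TLSv1.2 was configured, and `audit_unlisted` names TLSv1.3 as the version that slipped through. The deny-list semantic yields the same two versions for the configuration Christian gives, and refuses a name the code does not know instead of silently ignoring it. Whichever keyword is chosen, the operational lesson is that "only the listed versions" is not guaranteed by an allow-list implemented this way; the set actually offered should be confirmed against the running server, not inferred from the configuration file.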

