INN and openssl 1.1
Julien ÉLIE
julien at trigofacile.com
Sat Jan 23 13:55:04 UTC 2016
Hi The Doctor,
> Only some minor tweaks are needed for OpenSSL 1.1 compatibility AFAIK.
Thanks for having tested INN against the alpha version of OpenSSL 1.1.0.
> So 496 to 498 currently read
>
> SSLeay_add_ssl_algorithms();
>
> CTX = SSL_CTX_new(SSLv23_server_method());
>
> For OpenSSL 1.1 they would need to read
>
> OpenSSL_add_ssl_algorithms();
>
> CTX = SSL_CTX_new(TLS_server_method());
>
> Hopefully the OpenSSL committer for the 1.1 branch will hear my plea for
> backwards compatibility so that you have
>
> #define SSLeay_add_ssl_algorithms OpenSSL_add_ssl_algorithms
> #define SSLv23_server_method TLS_server_method
It would still need to build OpenSSL with OPENSSL_USE_DEPRECATED, which
is not always the case, so we shouldn't rely on that.
According to a previous thread on that subject on the OpenSSL
mailing-list
<https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.html> it
seems the best fix for INN would be to use something like:
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ CTX = SSL_CTX_new(TLS_client_method());
+#else
CTX = SSL_CTX_new(SSLv23_client_method());
+#endif
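Review bot: this hunk only guards the client-side context, while the lines 496 to 498 quoted above call SSLv23_server_method(); the same OPENSSL_VERSION_NUMBER guard is needed there as well, selecting TLS_server_method() for 1.1.0 and later and keeping SSLv23_server_method() in the #else branch, otherwise the server side still fails to build against 1.1.0.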
Regarding SSLeay_add_ssl_algorithms(), we could have used
SSL_library_init() instead since OpenSSL 0.9.6 (in 2001).
I also see that OpenSSL now has SSL_set_min_proto_version to define the
lowest permitted SSL/TLS protocol version.
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_min_proto_version.html
We should consider (for a future release) changing how the current
tlsprotocols: keyword in inn.conf works.
tlsprotocols: [ TLSv1 TLSv1.1 TLSv1.2 ]
could instead be:
tlsminprotocol: TLSv1
The advantage is that INN won't remove support for TLSv1.3 or TLSv2.0
when they have been released (in the almost certain case that the news
admin does not add TLSv1.3 or TLSv2.0 in the tlsprotocols: inn.conf
keyword!).
I think we should do that move (with innupgrade) for INN 2.6.1 and not
wait for INN 2.7.0.
--
Julien ÉLIE
« Si ça n'a pas fait boum, c'est peut-être le succès ? »
(Astérix)
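To make the difference between the two keyword semantics concrete, here is an added example (not INN code, and not part of the original message) that parses a tlsprotocols: list value, derives the tlsminprotocol: value an innupgrade step could write, and checks a given protocol version under both rules. The version numbers are the TLS wire values (the ones OpenSSL names TLS1_VERSION through TLS1_3_VERSION); the function names are this example's own.

```c
#include <string.h>

/* inn.conf protocol names and their wire version numbers (assumed table). */
static const struct { const char *name; int version; } tls_names[] = {
    { "TLSv1", 0x0301 }, { "TLSv1.1", 0x0302 },
    { "TLSv1.2", 0x0303 }, { "TLSv1.3", 0x0304 },
};

/* Map a protocol name to its version number; 0 if unknown. */
int tls_version_from_name(const char *name) {
    size_t i;
    for (i = 0; i < sizeof(tls_names) / sizeof(tls_names[0]); i++)
        if (strcmp(name, tls_names[i].name) == 0)
            return tls_names[i].version;
    return 0;
}

/* Walk a "[ TLSv1 TLSv1.1 ... ]" value.  Returns 1 if `want` is listed
 * and stores the lowest recognised version in *lowest (0 if none). */
static int scan_list(const char *list, int want, int *lowest) {
    char buf[256], *tok;
    int found = 0, v;
    *lowest = 0;
    strncpy(buf, list, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    for (tok = strtok(buf, " \t[]"); tok != NULL; tok = strtok(NULL, " \t[]")) {
        v = tls_version_from_name(tok);
        if (v == 0) continue;               /* unknown names are ignored */
        if (v == want) found = 1;
        if (*lowest == 0 || v < *lowest) *lowest = v;
    }
    return found;
}

/* Old tlsprotocols: semantics: a version is allowed only if listed. */
int list_permits(const char *list, int version) {
    int unused;
    return scan_list(list, version, &unused);
}

/* Lowest listed version: the tlsminprotocol: value an upgrade step would
 * write when converting an existing tlsprotocols: setting. */
int lowest_listed_version(const char *list) {
    int lowest;
    scan_list(list, 0, &lowest);
    return lowest;
}

/* New tlsminprotocol: semantics: everything at or above the minimum. */
int min_permits(int min_version, int version) {
    return version >= min_version;
}
```

With the list from the message, TLSv1.3 (0x0304) is rejected by list_permits but accepted by min_permits once the minimum is TLSv1, which is exactly the advantage described above.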
More information about the inn-workers mailing list