INN and openssl 1.1

Julien ÉLIE julien at trigofacile.com
Sat Jan 23 13:55:04 UTC 2016


Hi The Doctor,

> Only some minor tweaks are needed for OpenSSL 1.1 compatibility AFAIK.

Thanks for having tested INN against the alpha version of OpenSSL 1.1.0.



> So 496 to 498 currently read
>
>      SSLeay_add_ssl_algorithms();
>
>      CTX = SSL_CTX_new(SSLv23_server_method());
>
> For OpenSSL 1.1 they would need to read
>
>      OpenSSL_add_ssl_algorithms();
>
>      CTX = SSL_CTX_new(TLS_server_method());
>
> Hopefully the OpenSSL committer for the 1.1 branch will hear my plea for
> backwards compatibility so that you have
>
> #define SSLeay_add_ssl_algorithms OpenSSL_add_ssl_algorithms
> #define SSLv23_server_method TLS_server_method

That would still require building OpenSSL with OPENSSL_USE_DEPRECATED, 
which is not always the case, so we shouldn't rely on it.

According to a previous thread on that subject on the OpenSSL 
mailing list 
<https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.html>, it 
seems the best fix for INN would be to use something like:

+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+       CTX = SSL_CTX_new(TLS_client_method());
+#else
         CTX = SSL_CTX_new(SSLv23_client_method());
+#endif
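Review bot: the version gate is correct for the client context, but it covers only the client-side call; the server-side lines quoted above, `SSLeay_add_ssl_algorithms();` and `CTX = SSL_CTX_new(SSLv23_server_method());`, need the same `#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)` / `#else` / `#endif` split with `TLS_server_method()` in the new branch, otherwise the server build still fails against 1.1.0. It is also worth checking that `<openssl/ssl.h>` (or `<openssl/opensslv.h>`) is included before this `#if`: an identifier that is undefined at that point evaluates to 0 in a preprocessor conditional, so a missing include would silently select the `SSLv23_client_method()` branch on every OpenSSL version.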



Regarding SSLeay_add_ssl_algorithms(), we could have used 
SSL_library_init() instead since OpenSSL 0.9.6 (in 2001).



I also see that OpenSSL now has SSL_set_min_proto_version to define the 
lowest permitted SSL/TLS protocol version.
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_min_proto_version.html

We should consider (for a future release) changing how the current 
tlsprotocols: keyword in inn.conf works.
   tlsprotocols: [ TLSv1 TLSv1.1 TLSv1.2 ]
could instead be:
   tlsminprotocol: TLSv1

The advantage is that INN won't remove support for TLSv1.3 or TLSv2.0 
when they have been released (in the almost certain case that the news 
admin does not add TLSv1.3 or TLSv2.0 in the tlsprotocols: inn.conf 
keyword!).
I think we should do that move (with innupgrade) for INN 2.6.1 and not 
wait for INN 2.7.0.

-- 
Julien ÉLIE

« If it didn't go bang, maybe that means it worked? »
   (Astérix)
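As an added illustration of the innupgrade conversion suggested above (this is not INN code, nor code posted in this thread), the following C program turns an existing tlsprotocols: list into the single tlsminprotocol: floor that admits the same versions plus every newer one. The function name tls_migrate_min_protocol, the bracket syntax and the list of recognised names (SSLv2 and SSLv3 in addition to the three TLS names quoted from inn.conf) are assumptions made here for the example. The point it makes concrete is the one in the message: a fixed allow-list can only be replaced by a minimum when the list is "everything from X upwards", so a list with a hole in it, or one that deliberately stops below the newest known version, is reported rather than silently widened.

```c
#include <stdio.h>
#include <string.h>

/* Names that may appear in a tlsprotocols: list, oldest to newest.
 * Assumption for this example: INN accepts these five names; the thread
 * itself only shows TLSv1, TLSv1.1 and TLSv1.2. */
static const char *const tls_names[] = {
    "SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"
};
#define TLS_NAME_COUNT (sizeof tls_names / sizeof tls_names[0])

/* Outcome of converting a tlsprotocols: list into a tlsminprotocol: floor. */
enum tls_migrate_status {
    TLS_MIGRATE_OK = 0,     /* out holds the floor, e.g. "TLSv1" */
    TLS_MIGRATE_EMPTY,      /* no protocol listed at all */
    TLS_MIGRATE_UNKNOWN,    /* a token is not a known protocol name */
    TLS_MIGRATE_GAP         /* list is not "everything from X upwards" */
};

/* Map a token of the given length to its index in tls_names, or -1. */
static int
tls_name_index(const char *tok, size_t len)
{
    size_t i;

    for (i = 0; i < TLS_NAME_COUNT; i++)
        if (strlen(tls_names[i]) == len && memcmp(tls_names[i], tok, len) == 0)
            return (int) i;
    return -1;
}

/* Convert "[ TLSv1 TLSv1.1 TLSv1.2 ]" (brackets optional) into the one
 * minimum version that allows exactly the listed versions and all newer
 * ones.  Lists with a hole, or that stop below the newest known version,
 * cannot be expressed as a floor and are reported as TLS_MIGRATE_GAP. */
int
tls_migrate_min_protocol(const char *list, char *out, size_t outlen)
{
    unsigned int mask = 0;
    const char *p = list;
    size_t i, lo;

    while (*p != '\0') {
        const char *start;
        int idx;

        /* Skip whitespace and the list brackets. */
        while (*p == ' ' || *p == '\t' || *p == '[' || *p == ']')
            p++;
        if (*p == '\0')
            break;
        start = p;
        while (*p != '\0' && *p != ' ' && *p != '\t' && *p != ']')
            p++;
        idx = tls_name_index(start, (size_t) (p - start));
        if (idx < 0)
            return TLS_MIGRATE_UNKNOWN;
        mask |= 1u << idx;
    }
    if (mask == 0)
        return TLS_MIGRATE_EMPTY;

    /* The lowest listed version becomes the floor ... */
    for (lo = 0; (mask & (1u << lo)) == 0; lo++)
        ;
    /* ... provided every version from there up to the newest is listed. */
    for (i = lo; i < TLS_NAME_COUNT; i++)
        if ((mask & (1u << i)) == 0)
            return TLS_MIGRATE_GAP;

    if (out != NULL && outlen > 0)
        snprintf(out, outlen, "%s", tls_names[lo]);
    return TLS_MIGRATE_OK;
}

/* Convenience wrapper: the floor name, or NULL when no clean conversion exists. */
const char *
tls_min_for(const char *list)
{
    static char buf[16];

    return tls_migrate_min_protocol(list, buf, sizeof buf) == TLS_MIGRATE_OK
        ? buf : NULL;
}

int
main(void)
{
    /* Constructed inn.conf values; the first is the default quoted above. */
    const char *samples[] = {
        "[ TLSv1 TLSv1.1 TLSv1.2 ]", "TLSv1.2",
        "[ TLSv1 TLSv1.2 ]",        /* hole: TLSv1.1 excluded */
        "[ TLSv1 TLSv1.1 ]",        /* stops below TLSv1.2 */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *floor = tls_min_for(samples[i]);
        printf("tlsprotocols: %-28s -> %s\n", samples[i],
               floor != NULL ? floor : "(cannot be expressed as a minimum)");
    }
    return 0;
}
```

A migration tool built on this would write tlsminprotocol: for the OK case and leave the original keyword in place with a warning for the other three, so that an administrator who had deliberately excluded a version is asked to decide rather than having the exclusion dropped on upgrade.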


More information about the inn-workers mailing list