INN and openssl 1.1

Julien ÉLIE julien at
Sat Jan 23 13:55:04 UTC 2016

Hi The Doctor,

> Only some minor tweaks are needed for OpenSSL 1.1 compatibility AFAIK.

Thanks for having tested INN against the alpha version of OpenSSL 1.1.0.

> So lines 496 to 498 currently read
>      SSLeay_add_ssl_algorithms();
>      CTX = SSL_CTX_new(SSLv23_server_method());
> For Openssl 1.1 they would need to read
>      OpenSSL_add_ssl_algorithms();
>      CTX = SSL_CTX_new(TLS_server_method());
> Hopefully the OpenSSL committer for the 1.1 branch will hear my plea for
> backwards compatibility so that you have
> #define SSLeay_add_ssl_algorithms OpenSSL_add_ssl_algorithms
> #define SSLv23_server_method TLS_server_method

It would still need to build OpenSSL with OPENSSL_USE_DEPRECATED, which 
is not always the case, so we shouldn't rely on that.

According to a previous thread on that subject on the OpenSSL 
<> it 
seems the best fix for INN would be to use something like:

+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+       CTX = SSL_CTX_new(TLS_client_method());
         CTX = SSL_CTX_new(SSLv23_client_method());
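Review bot: the fragment as pasted has no `#else` / `#endif` around the two `SSL_CTX_new()` calls, so on OpenSSL 1.1 both lines would be compiled and the second call would overwrite the `CTX` created by the first; the intended shape is `#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)` / `CTX = SSL_CTX_new(TLS_client_method());` / `#else` / `CTX = SSL_CTX_new(SSLv23_client_method());` / `#endif`. The quoted lines 496 to 498 above concern `SSLv23_server_method()`, whereas this snippet only gates `SSLv23_client_method()`; the server-side call needs the same guard with `TLS_server_method()`.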

Regarding SSLeay_add_ssl_algorithms(), we could have used 
SSL_library_init() instead since OpenSSL 0.9.6 (in 2001).

I also see that OpenSSL now has SSL_set_min_proto_version to define the 
lowest permitted SSL/TLS protocol version.

We should consider (for a future release) changing how the current 
tlsprotocols: keyword in inn.conf works.
   tlsprotocols: [ TLSv1 TLSv1.1 TLSv1.2 ]
could instead be:
   tlsminprotocol: TLSv1

The advantage is that INN won't remove support for TLSv1.3 or TLSv2.0 
when they have been released (in the almost certain case that the news 
admin does not add TLSv1.3 or TLSv2.0 in the tlsprotocols: inn.conf 
I think we should do that move (with innupgrade) for INN 2.6.1 and not 
wait for INN 2.7.0.

Julien ÉLIE

« If it didn't go boom, maybe that's success? »
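To make the tlsprotocols: versus tlsminprotocol: argument above concrete, here is an added C example (not INN's code, and not from this thread). It parses both forms of the inn.conf value, shows which protocol versions each form leaves enabled, and sketches the innupgrade conversion from the old list to the new minimum. The helper names (parse_tlsprotocols, parse_tlsminprotocol, list_to_min and friends) are this example's own; the TLS1_*_VERSION constants mirror the values in OpenSSL's <openssl/tls1.h> and are redefined under guards only so that the file compiles without the OpenSSL headers.

```c
#include <stdio.h>
#include <string.h>

/* Version codes as OpenSSL defines them in <openssl/tls1.h>; redefined
 * here (guarded) only so this example builds without the OpenSSL headers. */
#ifndef TLS1_VERSION
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#endif
#ifndef TLS1_3_VERSION
#define TLS1_3_VERSION 0x0304
#endif

/* Map a protocol name as written in inn.conf to its version code.
 * Returns 0 for a name this example does not know. */
static int tls_version_code(const char *name)
{
    static const struct { const char *name; int code; } table[] = {
        { "TLSv1",   TLS1_VERSION   },
        { "TLSv1.1", TLS1_1_VERSION },
        { "TLSv1.2", TLS1_2_VERSION },
        { "TLSv1.3", TLS1_3_VERSION },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(name, table[i].name) == 0)
            return table[i].code;
    return 0;
}

static const char *tls_version_name(int code)
{
    switch (code) {
    case TLS1_VERSION:   return "TLSv1";
    case TLS1_1_VERSION: return "TLSv1.1";
    case TLS1_2_VERSION: return "TLSv1.2";
    case TLS1_3_VERSION: return "TLSv1.3";
    default:             return "(unknown)";
    }
}

/* Old form: "[ TLSv1 TLSv1.1 TLSv1.2 ]".  Returns a bitmask with bit
 * (code - TLS1_VERSION) set for each listed version, or -1 if the value
 * names a protocol that is not recognised. */
static int parse_tlsprotocols(const char *value)
{
    char buf[256];
    int mask = 0;

    if (strlen(value) >= sizeof buf)
        return -1;
    strcpy(buf, value);
    for (char *tok = strtok(buf, " \t"); tok != NULL; tok = strtok(NULL, " \t")) {
        if (*tok == '[')                    /* tolerate "[TLSv1" as well as "[ TLSv1" */
            tok++;
        size_t len = strlen(tok);
        if (len > 0 && tok[len - 1] == ']')
            tok[len - 1] = '\0';
        if (*tok == '\0')
            continue;
        int code = tls_version_code(tok);
        if (code == 0)
            return -1;
        mask |= 1 << (code - TLS1_VERSION);
    }
    return mask;
}

/* New form: "TLSv1".  Returns the code to hand to
 * SSL_CTX_set_min_proto_version(), or 0 if the name is unknown. */
static int parse_tlsminprotocol(const char *value)
{
    return tls_version_code(value);
}

/* Is a given version usable under each configuration style?  A version the
 * admin never listed is off under the list form, but stays on under the
 * minimum form as long as it is at least the minimum. */
static int enabled_by_list(int mask, int code)
{
    return (mask >> (code - TLS1_VERSION)) & 1;
}

static int enabled_by_min(int min_code, int code)
{
    return min_code != 0 && code >= min_code;
}

/* What an innupgrade step could do: the lowest listed version becomes the
 * tlsminprotocol: value.  Returns 0 for an empty list. */
static int list_to_min(int mask)
{
    for (int code = TLS1_VERSION; code <= TLS1_3_VERSION; code++)
        if (enabled_by_list(mask, code))
            return code;
    return 0;
}

int main(void)
{
    /* Constructed sample values, as they would appear in inn.conf. */
    int mask = parse_tlsprotocols("[ TLSv1 TLSv1.1 TLSv1.2 ]");
    int min  = parse_tlsminprotocol("TLSv1");

    printf("TLSv1.3 under tlsprotocols:   %s\n",
           enabled_by_list(mask, TLS1_3_VERSION) ? "enabled" : "disabled");
    printf("TLSv1.3 under tlsminprotocol: %s\n",
           enabled_by_min(min, TLS1_3_VERSION) ? "enabled" : "disabled");
    printf("innupgrade would write: tlsminprotocol: %s\n",
           tls_version_name(list_to_min(mask)));
    return 0;
}
```

Two caveats the conversion has to live with: a list with a gap (say TLSv1 and TLSv1.2 but not TLSv1.1) cannot be expressed by a minimum alone, so innupgrade would have to pick the lowest entry and re-enable what sat in the gap; and SSL_CTX_set_min_proto_version() only exists from OpenSSL 1.1.0, so the same OPENSSL_VERSION_NUMBER guard as for TLS_client_method() applies, with the SSL_OP_NO_* context options remaining the way to express the minimum on older releases.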
