INN and openssl 1.1
Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem
root at doctor.nl2k.ab.ca
Sat Jan 23 14:09:33 UTC 2016
On Sat, Jan 23, 2016 at 02:55:04PM +0100, Julien ÉLIE wrote:
> Hi The Doctor,
> >Only some minor tweaks are needed for OpenSSL 1.1 compatibility AFAIK.
> Thanks for having tested INN against the alpha version of OpenSSL 1.1.0.
> >So 496 to 498 currently read
> > SSLeay_add_ssl_algorithms();
> > CTX = SSL_CTX_new(SSLv23_server_method());
> >For OpenSSL 1.1 they would need to read
> > OpenSSL_add_ssl_algorithms();
> > CTX = SSL_CTX_new(TLS_server_method());
> >Hopefully the OpenSSL committer for the 1.1 branch will hear my plea for
> >backwards compatibility so that you have
> >#define SSLeay_add_ssl_algorithms OpenSSL_add_ssl_algorithms
> >#define SSLv23_server_method TLS_server_method
> It would still need to build OpenSSL with OPENSSL_USE_DEPRECATED, which is
> not always the case, so we shouldn't rely on that.
> According to a previous thread on that subject on the OpenSSL mailing list
> <https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.html> it
> seems the best fix for INN would be to use something like:
> +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
> + CTX = SSL_CTX_new(TLS_client_method());
> CTX = SSL_CTX_new(SSLv23_client_method());
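Review bot: as quoted, the hunk has no `+#else` before the unchanged `CTX = SSL_CTX_new(SSLv23_client_method());` line and no `+#endif` after it, so both `SSL_CTX_new` calls fall under the same `#if` and the old `SSLv23_client_method()` call would still be compiled on OpenSSL 1.1, where that symbol is only available with deprecated APIs enabled; the two missing preprocessor lines should be restored. The hunk also covers the client side only, while lines 496 to 498 quoted above are the server side (`SSLv23_server_method()`), which needs the same guard with `TLS_server_method()`.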
> Regarding SSLeay_add_ssl_algorithms(), we could have used SSL_library_init()
> instead since OpenSSL 0.9.6 (in 2001).
> I also see that OpenSSL now has SSL_set_min_proto_version to define the
> lowest permitted SSL/TLS protocol version.
> We should consider (for a future release) changing how the current
> tlsprotocols: keyword in inn.conf works.
> tlsprotocols: [ TLSv1 TLSv1.1 TLSv1.2 ]
> could instead be:
> tlsminprotocol: TLSv1
> The advantage is that INN won't remove support for TLSv1.3 or TLSv2.0 when
> they have been released (in the almost certain case that the news admin does
> not add TLSv1.3 or TLSv2.0 in the tlsprotocols: inn.conf keyword!).
> I think we should do that move (with innupgrade) for INN 2.6.1 and not wait
> for INN 2.7.0.
> Julien ÉLIE
> "If it didn't go boom, maybe that's success?"
> inn-workers mailing list
> inn-workers at lists.isc.org
I fully concur / I agree.
This makes things easier.
INN so far is the only package against OpenSSL 1.1 that is easy to migrate.
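As an added example (not INN's code and not part of this thread), the following C function does the conversion that the proposed innupgrade step would have to do: it reads the value of the existing `tlsprotocols: [ ... ]` list and derives the `tlsminprotocol:` value, expressed as the version number that `SSL_CTX_set_min_proto_version()` takes. It goes one step beyond the discussion by flagging lists with a gap (for example TLSv1 and TLSv1.2 without TLSv1.1), because a single minimum version cannot express such a list and would silently re-enable the skipped protocol; the function and variable names are assumptions, and the version constants are defined locally so the example builds without libssl.

```c
#include <stdio.h>
#include <string.h>

/* Version numbers as passed to SSL_CTX_set_min_proto_version(); same values as
 * OpenSSL's SSL3_VERSION/TLS1_VERSION/TLS1_1_VERSION/TLS1_2_VERSION, defined
 * locally so this example builds without libssl. */
enum { SSL3_VER = 0x0300, TLS1_VER = 0x0301, TLS1_1_VER = 0x0302, TLS1_2_VER = 0x0303 };

static const struct { const char *name; int ver; } known[] = {
    { "SSLv3", SSL3_VER }, { "TLSv1", TLS1_VER },
    { "TLSv1.1", TLS1_1_VER }, { "TLSv1.2", TLS1_2_VER },
};
#define NKNOWN (sizeof(known) / sizeof(known[0]))

/* Protocol name -> version number (0 if unknown), and the reverse. */
static int proto_version(const char *name) {
    for (size_t i = 0; i < NKNOWN; i++)
        if (strcmp(known[i].name, name) == 0) return known[i].ver;
    return 0;
}
static const char *proto_name(int ver) {
    for (size_t i = 0; i < NKNOWN; i++)
        if (known[i].ver == ver) return known[i].name;
    return "unknown";
}

/* Convert a "tlsprotocols: [ ... ]" list into the equivalent tlsminprotocol:
 * value. Returns the lowest listed version, or 0 for an empty list or an
 * unknown name. Sets *lossy when the list has a gap (e.g. TLSv1 TLSv1.2 but
 * not TLSv1.1): a minimum version alone would re-enable the skipped one, so
 * such an entry needs the admin's attention rather than a silent rewrite. */
static int tlsprotocols_to_min(const char *list, int *lossy) {
    char buf[256];
    unsigned mask = 0;
    int lo = 0, hi = 0;
    *lossy = 0;
    if (strlen(list) >= sizeof(buf)) return 0;
    strcpy(buf, list);
    for (char *tok = strtok(buf, " \t[]"); tok; tok = strtok(NULL, " \t[]")) {
        int v = proto_version(tok);
        if (v == 0) return 0;                 /* unknown protocol name */
        mask |= 1u << (v - SSL3_VER);         /* one bit per known version */
        if (lo == 0 || v < lo) lo = v;
        if (v > hi) hi = v;
    }
    if (mask == 0) return 0;
    /* A contiguous range sets exactly the bits from lo to hi. */
    if (mask != ((1u << (hi - lo + 1)) - 1) << (lo - SSL3_VER)) *lossy = 1;
    return lo;
}
```

For the inn.conf line quoted in the thread, `tlsprotocols_to_min("[ TLSv1 TLSv1.1 TLSv1.2 ]", &lossy)` returns 0x0301 with `lossy` clear, i.e. `tlsminprotocol: TLSv1`, which is the value `proto_name()` prints.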
For effective Internet Etiquette and communications read