INN and openssl 1.1

Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem root at doctor.nl2k.ab.ca
Sat Jan 23 14:09:33 UTC 2016


On Sat, Jan 23, 2016 at 02:55:04PM +0100, Julien ÉLIE wrote:
> Hi The Doctor,
> 
> >Only some minor tweaks are needed for OpenSSL 1.1 compatibility AFAIK.
> 
> Thanks for having tested INN against the alpha version of OpenSSL 1.1.0.
> 
> 
> 
> >So 496 to 498 Currently read
> >
> >     SSLeay_add_ssl_algorithms();
> >
> >     CTX = SSL_CTX_new(SSLv23_server_method());
> >
> >For Openssl 1.1 they would need to read
> >
> >     OpenSSL_add_ssl_algorithms();
> >
> >     CTX = SSL_CTX_new(TLS_server_method());
> >
> >Hopefully the OpenSSL committer for the 1.1 branch will hear my plea for
> >backwards compatibility so that you have
> >
> >#define SSLeay_add_ssl_algorithms OpenSSL_add_ssl_algorithms
> >#define SSLv23_server_method TLS_server_method
> 
> It would still need to build OpenSSL with OPENSSL_USE_DEPRECATED, which is
> not always the case, so we shouldn't rely on that.
> 
> According to a previous thread on that subject on the OpenSSL mailing-list
> <https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.html> it
> seems the best fix for INN would be to use something like:
> 
> +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
> +       CTX = SSL_CTX_new(TLS_client_method());
> +#else
>         CTX = SSL_CTX_new(SSLv23_client_method());
> +#endif
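Review bot: the hunk guards a client-side call (`TLS_client_method()` versus `SSLv23_client_method()`), but the lines quoted above (496 to 498) are the server-side `CTX = SSL_CTX_new(SSLv23_server_method());`, so that call site needs the same `#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)` guard selecting `TLS_server_method()`, and the `SSLeay_add_ssl_algorithms();` just before it should become `SSL_library_init();` as discussed below rather than being left untouched.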
> 
> 
> 
> Regarding SSLeay_add_ssl_algorithms(), we could have used SSL_library_init()
> instead since OpenSSL 0.9.6 (in 2001).
> 
> 
> 
> I also see that OpenSSL now has SSL_set_min_proto_version to define the
> lowest permitted SSL/TLS protocol version.
> 
> https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_min_proto_version.html
> 
> We should consider (for a future release) changing how the current
> tlsprotocols: keyword in inn.conf works.
>   tlsprotocols: [ TLSv1 TLSv1.1 TLSv1.2 ]
> could instead be:
>   tlsminprotocol: TLSv1
> 
> The advantage is that INN won't remove support for TLSv1.3 or TLSv2.0 when
> they have been released (in the almost certain case that the news admin does
> not add TLSv1.3 or TLSv2.0 in the tlsprotocols: inn.conf keyword!).
> I think we should do that move (with innupgrade) for INN 2.6.1 and not wait
> for INN 2.7.0.
> 
> -- 
> Julien ÉLIE
> 
> « If it didn't go boom, maybe that's success? »
>   (Astérix)
> _______________________________________________
> inn-workers mailing list
> inn-workers at lists.isc.org
> https://lists.isc.org/mailman/listinfo/inn-workers

I fully concur / I agree.

This makes things easier.

INN so far is the only package against OpenSSL 1.1 that is easy to migrate.


-- 
For effective Internet Etiquette and communications read 
http://catb.org/jargon/html/T/top-post.html, http://idallen.com/topposting.html
& http://www.caliburn.nl/topposting.html
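The two points raised in the quoted message, the version-guarded choice of `TLS_server_method()` versus `SSLv23_server_method()` and the difference between an allow-list `tlsprotocols:` keyword and a `tlsminprotocol:` minimum, are illustrated by the following added example. It is not INN's code; the function names, the `proto_set` bitmask and the `INN_EXAMPLE_WITH_OPENSSL` build flag are assumptions made here, and TLSv1.3 is included in the table only as the "version released after inn.conf was written" case the thread describes. The policy logic compiles without OpenSSL; the part that applies it to an `SSL_CTX` is compiled only when the flag is given and assumes OpenSSL 1.0.1 or later.

```c
#include <stdio.h>
#include <string.h>

/* Protocol versions in release order, oldest first.  TLSv1.3 stands in for
 * a version that did not exist when the configuration file was written. */
enum proto { P_SSLv3 = 0, P_TLSv1, P_TLSv1_1, P_TLSv1_2, P_TLSv1_3, P_COUNT };
static const char *const proto_names[P_COUNT] =
    { "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" };

/* Set of enabled versions: bit i is set when proto_names[i] is enabled.
 * (Assumed representation for this example, not INN's.) */
typedef unsigned int proto_set;
#define ALL_PROTOS ((proto_set) ((1u << P_COUNT) - 1))

static int proto_lookup(const char *name)
{
    int i;
    for (i = 0; i < P_COUNT; i++)
        if (strcmp(name, proto_names[i]) == 0)
            return i;
    return -1;
}

/* Allow-list semantics of the current keyword:
 *   tlsprotocols: [ TLSv1 TLSv1.1 TLSv1.2 ]
 * Only listed names are enabled, so a version unknown when the list was
 * written (here TLSv1.3) stays disabled. */
proto_set policy_from_tlsprotocols(const char *list)
{
    char buf[256];
    proto_set s = 0;
    char *tok;

    if (strlen(list) >= sizeof buf)
        return 0;                          /* oversized value: enable nothing */
    strcpy(buf, list);
    for (tok = strtok(buf, " \t[]"); tok != NULL; tok = strtok(NULL, " \t[]")) {
        int i = proto_lookup(tok);
        if (i >= 0)
            s |= 1u << i;                  /* unknown names are ignored */
    }
    return s;
}

/* Minimum-version semantics of the proposed keyword:
 *   tlsminprotocol: TLSv1
 * Everything from that version upwards is enabled, newer versions included. */
proto_set policy_from_tlsminprotocol(const char *name)
{
    int i = proto_lookup(name);
    if (i < 0)
        return 0;                          /* unknown minimum: enable nothing */
    return (ALL_PROTOS << i) & ALL_PROTOS;
}

/* 1 if the named version is enabled under policy s, else 0. */
int policy_enables(proto_set s, const char *name)
{
    int i = proto_lookup(name);
    return (i >= 0 && (s & (1u << i))) ? 1 : 0;
}

/* Index of the lowest enabled version, or -1 if nothing is enabled. */
int lowest_enabled(proto_set s)
{
    int i;
    for (i = 0; i < P_COUNT; i++)
        if (s & (1u << i))
            return i;
    return -1;
}

#ifdef INN_EXAMPLE_WITH_OPENSSL
/* Build with: cc -DINN_EXAMPLE_WITH_OPENSSL ... -lssl -lcrypto */
#include <openssl/ssl.h>

/* Version-guarded context creation for the server side (nnrpd).  Both
 * method families negotiate every version the library supports, so the
 * policy applied below is what actually restricts them. */
SSL_CTX *inn_server_ctx_new(void)
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
    return SSL_CTX_new(TLS_server_method());
#else
    SSL_library_init();                    /* available since OpenSSL 0.9.6 */
    return SSL_CTX_new(SSLv23_server_method());
#endif
}

/* 1.1.0+: set a real minimum; older releases can only switch versions off. */
int inn_apply_policy(SSL_CTX *ctx, proto_set s)
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
    static const int versions[P_COUNT] = {
        SSL3_VERSION, TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION,
# ifdef TLS1_3_VERSION
        TLS1_3_VERSION
# else
        0                                  /* library predates TLS 1.3 */
# endif
    };
    int low = lowest_enabled(s);
    if (low < 0 || versions[low] == 0)
        return 0;
    return SSL_CTX_set_min_proto_version(ctx, versions[low]);
#else
    long off = 0;
    if (!policy_enables(s, "SSLv3"))   off |= SSL_OP_NO_SSLv3;
    if (!policy_enables(s, "TLSv1"))   off |= SSL_OP_NO_TLSv1;
    if (!policy_enables(s, "TLSv1.1")) off |= SSL_OP_NO_TLSv1_1;
    if (!policy_enables(s, "TLSv1.2")) off |= SSL_OP_NO_TLSv1_2;
    SSL_CTX_set_options(ctx, off);
    return 1;
#endif
}
#endif /* INN_EXAMPLE_WITH_OPENSSL */

int main(void)
{
    proto_set list = policy_from_tlsprotocols("[ TLSv1 TLSv1.1 TLSv1.2 ]");
    proto_set min  = policy_from_tlsminprotocol("TLSv1");
    int i;

    printf("%-8s %-12s %s\n", "version", "tlsprotocols", "tlsminprotocol");
    for (i = 0; i < P_COUNT; i++)
        printf("%-8s %-12s %s\n", proto_names[i],
               policy_enables(list, proto_names[i]) ? "on" : "off",
               policy_enables(min, proto_names[i]) ? "on" : "off");
    return 0;
}
```

Running the stand-alone program prints one row per version: the allow-list leaves TLSv1.3 off while the minimum-version keyword turns it on with no change to the configuration, which is the migration argument made in the thread.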

