Send inn-workers mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/inn-workers
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of inn-workers digest..."
Today's Topics:
1. [patch] more TLS configuration options for nnrpd (christian mock)
2. Re: [patch] more TLS configuration options for nnrpd
(christian mock)
3. Re: [patch] more TLS configuration options for nnrpd
(Johan van Selst)
----------------------------------------------------------------------
Message: 1
Date: Sun, 9 Nov 2014 03:11:38 +0100
From: christian mock <[email protected]>
To: [email protected]
Subject: [patch] more TLS configuration options for nnrpd
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"
nnrpd's TLS support is basically using OpenSSL's defaults WRT issues
such as protocol support and cipher suites. In these days of POODLEs
and other vulnerabilities, I wanted to be able to have better control
over what's offered there, so I wrote this patch.
What it does is to add a few options to inn.conf:
- tlsprotocols: allows to select the SSL/TLS versions that are
supported
- tlsciphers: allows to give an OpenSSL cipher string to tailor the
cipher suites that are offered to clients
- tlsprefer_server_ciphers: switches on the server-side selection of
the cipher suite (TLS default is "client chooses")
Additionally, TLS compression is turned off unconditionally (because
of the CRIME attack) if the OpenSSL version supports this.
The patch is against 2.5.4, and I hope it holds up to your coding
standards.
regards,
cm.
--
** christian mock in vienna, austria -- http://www.tahina.priv.at/
** http://www.vibe.at/ ** http://quintessenz.org/ ** [email protected]
The Library has been Certified "FAMILY FRIENDLY" [by the Manson,
Addams & Homer Simpson families] -- http://www.lectlaw.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: inn-2.5.4-sslconf.patch
Type: text/x-diff
Size: 5358 bytes
Desc: not available
URL:
<https://lists.isc.org/pipermail/inn-workers/attachments/20141109/e5758540/attachment-0001.bin>
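As an added illustration (not code from the patch, nor from INN itself), the following shows what the three inn.conf options plus the unconditional compression switch amount to in OpenSSL context settings, expressed through Python's ssl bindings rather than nnrpd's C. The option names are the ones from the message above; the value syntax (space-separated protocol names, true/false booleans) and the inn.conf fragment are assumptions made for this example. One difference from a bare SSL_CTX_new() in C is noted in a comment: Python's SSLContext already sets SSL_OP_CIPHER_SERVER_PREFERENCE and SSL_OP_NO_COMPRESSION by default, so the code sets or clears them explicitly.

```python
import ssl

# Protocol names accepted in tlsprotocols (spelling assumed for this example),
# oldest first, mapped to the ssl.TLSVersion members they correspond to.
PROTOCOL_VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
PROTOCOL_INDEX = {name: i for i, (name, _) in enumerate(PROTOCOL_VERSIONS)}
TRUE_WORDS = {"true", "yes", "on", "1"}


def parse_inn_conf(text):
    """Parse 'key: value' lines (inn.conf style); '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf


def build_server_context(conf):
    """Return an SSLContext configured from the tls* keys in conf."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

    # tlsprotocols: OpenSSL exposes a contiguous min/max version range, so the
    # listed versions must be adjacent; refuse anything else rather than
    # silently widening the range.
    names = conf.get("tlsprotocols", "").split()
    if names:
        unknown = [n for n in names if n not in PROTOCOL_INDEX]
        if unknown:
            raise ValueError("tlsprotocols: unknown version(s) %s" % ", ".join(unknown))
        idx = sorted(PROTOCOL_INDEX[n] for n in names)
        if idx != list(range(idx[0], idx[-1] + 1)):
            raise ValueError("tlsprotocols: versions must form a contiguous range")
        ctx.minimum_version = PROTOCOL_VERSIONS[idx[0]][1]
        ctx.maximum_version = PROTOCOL_VERSIONS[idx[-1]][1]

    # tlsciphers: an OpenSSL cipher string. set_ciphers() raises ssl.SSLError
    # if nothing matches, which is the failure you want at startup rather
    # than at the first client handshake.
    if "tlsciphers" in conf:
        ctx.set_ciphers(conf["tlsciphers"])

    # tlsprefer_server_ciphers: SSL_OP_CIPHER_SERVER_PREFERENCE. Python's
    # SSLContext sets this flag (and OP_NO_COMPRESSION) by default, unlike a
    # bare SSL_CTX_new() in C, so set or clear it explicitly from the config.
    if conf.get("tlsprefer_server_ciphers", "false").lower() in TRUE_WORDS:
        ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    else:
        ctx.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE

    # TLS compression is switched off unconditionally (CRIME), as in the patch.
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def describe(ctx):
    """Read back the effective settings so they can be checked or logged."""
    return {
        "min_version": ctx.minimum_version.name,
        "max_version": ctx.maximum_version.name,
        "server_prefers": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "no_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "ciphers": [c["name"] for c in ctx.get_ciphers()],
    }


# Constructed inn.conf fragment using the option names from the patch
# description; the value syntax is an assumption for this example.
SAMPLE_CONF = """\
# TLS settings for nnrpd (constructed example)
tlsprotocols:             TLSv1.2 TLSv1.3
tlsciphers:               ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5
tlsprefer_server_ciphers: true
"""


if __name__ == "__main__":
    settings = describe(build_server_context(parse_inn_conf(SAMPLE_CONF)))
    for key, value in settings.items():
        print("%-16s %s" % (key, value))
```

Two caveats a practitioner will want: the cipher string only governs TLS 1.2 and older suites (TLS 1.3 suites are controlled by SSL_CTX_set_ciphersuites(), which Python does not expose, so they still show up in get_ciphers()), and a protocol list that is not a contiguous range cannot be expressed with SSL_CTX_set_min/max_proto_version(), which is why the example rejects it instead of guessing.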
------------------------------
Message: 2
Date: Sun, 9 Nov 2014 03:37:56 +0100
From: christian mock <[email protected]>
To: [email protected]
Subject: Re: [patch] more TLS configuration options for nnrpd
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"
> over what's offered there, so I wrote this patch.
...and promptly managed to include a version which had none of the
documentation updates. Please disregard the previous version and use
this one.
regards,
cm.
--
** christian mock in vienna, austria -- http://www.tahina.priv.at/
> www.flamingtext.com
I'd never even heard of that site. I wonder what it'd take to convince
the owner's government that they're terrorists? -- Lionel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: inn-2.5.4-sslconf.patch
Type: text/x-diff
Size: 8304 bytes
Desc: not available
URL:
<https://lists.isc.org/pipermail/inn-workers/attachments/20141109/ca631dbc/attachment-0001.bin>
------------------------------
Message: 3
Date: Sun, 9 Nov 2014 10:59:31 +0100
From: Johan van Selst <[email protected]>
To: [email protected]
Subject: Re: [patch] more TLS configuration options for nnrpd
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"
Hi Christian,
christian mock wrote:
> Additionally, TLS compression is turned off unconditionally (because
> of the CRIME attack) if the OpenSSL version supports this.
I like having control for TLS settings; although sensible defaults are
generally much more important. But I do not understand why this
specific compression setting is unconditional. To exploit CRIME requires
a huge amount of carefully triggered, very similar, but slightly
different server responses. I see no way to exploit this in the Netnews
context. And even if you somehow were able to exploit this and decipher
a couple of bytes of encrypted data sent by the server, I do not see
what an attacker would gain by this in the given context.
However, I do see the advantage of TLS compression to reduce the amount
of data transferred.
What do you hope to gain with this setting, and why is it unconditional?
Regards,
Johan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL:
<https://lists.isc.org/pipermail/inn-workers/attachments/20141109/48b377c2/attachment-0001.bin>
------------------------------
_______________________________________________
inn-workers mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/inn-workers
End of inn-workers Digest, Vol 66, Issue 1
******************************************