Processed: Re: Bug#769046: inn2: Allow for better TLS configurability
Processing control commands: > retitle -1 (pre-approval) unblock: inn2 Bug #769279 [release.debian.org] inn2: Allow for better TLS configurability Changed Bug title to '(pre-approval) unblock: inn2' from 'inn2: Allow for better TLS configurability' > reassign -1 release.debian.org Bug #769279 [release.debian.org] (pre-approval) unblock: inn2 Ignoring request to reassign bug #769279 to the same package > tag -1 confirmed Bug #769279 [release.debian.org] (pre-approval) unblock: inn2 Added tag(s) confirmed. -- 769279: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769279 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/handler.s.b769279.14165214305020.transcr...@bugs.debian.org
Processed: Re: Bug#769046: inn2: Allow for better TLS configurability
Processing commands for cont...@bugs.debian.org: > clone 769046 -1 Bug #769046 [src:inn2] inn2: Allow for better TLS configurability Bug 769046 cloned as bug 769279 > reassign -1 release.debian.org Bug #769279 [src:inn2] inn2: Allow for better TLS configurability Bug reassigned from package 'src:inn2' to 'release.debian.org'. Ignoring request to alter found versions of bug #769279 to the same values previously set Ignoring request to alter fixed versions of bug #769279 to the same values previously set > block 769046 by -1 Bug #769046 [src:inn2] inn2: Allow for better TLS configurability 769046 was not blocked by any bugs. 769046 was not blocking any bugs. Added blocking bug(s) of 769046: 769279 > thanks Stopping processing here. Please contact me if you need assistance. -- 769046: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769046 769279: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769279 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/handler.s.c.141579499615177.transcr...@bugs.debian.org
Re: Bug#769046: inn2: Allow for better TLS configurability
clone 769046 -1
reassign -1 release.debian.org
block 769046 by -1
thanks
Can I merge this for jessie?
On Nov 11, christian mock wrote:
> This means that Wheezy's nnrpd is currently susceptible to the CRIME
> (because TLS compression is on) and POODLE (because SSLv3 is
> supported) attacks, should those be exploitable with NNTP. In
> addition, it supports weak symmetrical ciphers (40 and 56 bit key
> length).
>
> I've patched nnrpd to allow for detailed TLS configuration: protocol
> versions, cipher suites, compression and whether the client or server
> choses the cipher can now be configured. With the default
> configuration, TLS behaviour is unchanged, as to not break existing
> setups.
>
> This patch is to be integrated upstream[0], but ideally I'd like it
> to be in the next Wheezy point release because I consider the current
> TLS config to be insecure.
>
> The patch, as attached, is against a clean 2.5.4 upstream source, but
> I'd be happy to provide a patch for quilt if you tell me which package
> version I should target.
>
> regards,
>
> cm.
>
> [0] https://lists.isc.org/pipermail/inn-workers/2014-November/018339.html
> diff --git a/doc/pod/inn.conf.pod b/doc/pod/inn.conf.pod
> index f8f5f79..98ebd6e 100644
> --- a/doc/pod/inn.conf.pod
> +++ b/doc/pod/inn.conf.pod
> @@ -1054,6 +1054,28 @@ I/key.pem.
> This file must only be readable by the news user or B will refuse to
> use it.
>
> +=item I
> +
> +The list of TLS protocol versions to support. Valid protocols are
> +B, B, B, B and B. The default
> +value is B<[ SSLv3 TLSv1 TLSv1.1 TLSv1.2 ]>.
> +
> +=item I
> +
> +The string describing the cipher suites OpenSSL will support. See
> +OpenSSL's B command documentation for details. The default is
> +unset, which uses OpenSSL's default cipher suite list.
> +
> +=item I
> +
> +Whether to let the client or the server decide the preferred cipher.
> +This is a boolean and the default is false.
> +
> +=item I
> +
> +Whether to enable or disable TLS compression support (boolean). The
> +default is true.
> +
> =back
>
> =head2 Monitoring
> diff --git a/doc/pod/news.pod b/doc/pod/news.pod
> index 4315b3f..64cd93b 100644
> --- a/doc/pod/news.pod
> +++ b/doc/pod/news.pod
> @@ -1,3 +1,17 @@
> +=head1 Changes in TLS configuration
> +
> +=over 2
> +
> +=item *
> +
> +New parameters used by B to fine-tune the TLS configuration:
> +I, I, I and
> +I. If you've been using TLS with B before, be
> +aware that the defaults of those parameters may differ from the
> +previous defaults (which depended on your OpenSSL version).
> +
> +=back
> +
> =head1 Changes in 2.5.4
>
> =over 2
> diff --git a/doc/pod/nnrpd.pod b/doc/pod/nnrpd.pod
> index 9c13821..32698ae 100644
> --- a/doc/pod/nnrpd.pod
> +++ b/doc/pod/nnrpd.pod
> @@ -224,6 +224,12 @@ run B. (Change the path to B to match
> your installation.)
> You may need to replace C with C<563> if C isn't
> defined in F on your system.
>
> +Optionally, you may set the I, I,
> +I and I parameters in
> +F to fine-tune the behaviour of the TLS negotiation whenever
> +a new attack on the TLS protocol or some supported cipher suite is
> +discovered.
> +
> =head1 PROTOCOL DIFFERENCES
>
> B implements the NNTP commands defined in S (NNTP),
> diff --git a/include/inn/innconf.h b/include/inn/innconf.h
> index ee16620..669255c 100644
> --- a/include/inn/innconf.h
> +++ b/include/inn/innconf.h
> @@ -127,6 +127,10 @@ struct innconf {
> char *tlscapath;/* Path to a directory of CA certificates */
> char *tlscertfile; /* Path to the SSL certificate to use */
> char *tlskeyfile; /* Path to the key for the certificate */
> +bool tlsprefer_server_ciphers; /* Make server select the cipher */
> +bool tlscompression;/* Turn TLS compression on/off */
> +struct vector *tlsprotocols; /* List of supported TLS
> versions */
> +char *tlsciphers; /* openssl-style cipher string */
> #endif /* HAVE_SSL */
>
> /* Monitoring */
> diff --git a/lib/innconf.c b/lib/innconf.c
> index ded674c..9e6183d 100644
> --- a/lib/innconf.c
> +++ b/lib/innconf.c
> @@ -231,6 +231,10 @@ const struct config config_table[] = {
> { K(tlscapath), STRING (NULL) },
> { K(tlscertfile), STRING (NULL) },
> { K(tlskeyfile), STRING (NULL) },
> +{ K(tlsprefer_server_ciphers), BOOL (false) },
> +{ K(tlscompression), BOOL(true) },
> +{ K(tlsprotocols),LIST(NULL) },
> +{ K(tlsciphers), STRING (NULL) },
> #endif /* HAVE_SSL */
>
> /* The following settings are used by nnrpd and rnews. */
> diff --git a/nnrpd/tls.c b/nnrpd/tls.c
> index 62b1a51..22a00c7 100644
> --- a/nnrpd/tls.c
> +++ b/nnrpd/tls.c
> @@ -425,7 +425,9 @@ set_cert_stuff(SSL_CTX * ctx, char *cert_file, char
> *key_file)
> int
> tls_init_serverengine(int verifydepth, int askcert, int requirecert,
>
Re: Bug#769046: inn2: Allow for better TLS configurability
Marco d'Itri (2014-11-12): > Can I merge this for jessie? Can you open a bug report? signature.asc Description: Digital signature
Re: Bug#769046: inn2: Allow for better TLS configurability
Can I merge this for jessie?
On Nov 11, christian mock wrote:
> Source: inn2
> Severity: wishlist
> Tags: patch
>
> Dear Maintainer,
>
> INN, at the moment, supports TLS connections to nnrpd, but does not
> allow any configuration besides the certificate and key.
>
> This means that Wheezy's nnrpd is currently susceptible to the CRIME
> (because TLS compression is on) and POODLE (because SSLv3 is
> supported) attacks, should those be exploitable with NNTP. In
> addition, it supports weak symmetrical ciphers (40 and 56 bit key
> length).
>
> I've patched nnrpd to allow for detailed TLS configuration: protocol
> versions, cipher suites, compression and whether the client or server
> choses the cipher can now be configured. With the default
> configuration, TLS behaviour is unchanged, as to not break existing
> setups.
>
> This patch is to be integrated upstream[0], but ideally I'd like it
> to be in the next Wheezy point release because I consider the current
> TLS config to be insecure.
>
> The patch, as attached, is against a clean 2.5.4 upstream source, but
> I'd be happy to provide a patch for quilt if you tell me which package
> version I should target.
>
> regards,
>
> cm.
>
> [0] https://lists.isc.org/pipermail/inn-workers/2014-November/018339.html
> diff --git a/doc/pod/inn.conf.pod b/doc/pod/inn.conf.pod
> index f8f5f79..98ebd6e 100644
> --- a/doc/pod/inn.conf.pod
> +++ b/doc/pod/inn.conf.pod
> @@ -1054,6 +1054,28 @@ I/key.pem.
> This file must only be readable by the news user or B will refuse to
> use it.
>
> +=item I
> +
> +The list of TLS protocol versions to support. Valid protocols are
> +B, B, B, B and B. The default
> +value is B<[ SSLv3 TLSv1 TLSv1.1 TLSv1.2 ]>.
> +
> +=item I
> +
> +The string describing the cipher suites OpenSSL will support. See
> +OpenSSL's B command documentation for details. The default is
> +unset, which uses OpenSSL's default cipher suite list.
> +
> +=item I
> +
> +Whether to let the client or the server decide the preferred cipher.
> +This is a boolean and the default is false.
> +
> +=item I
> +
> +Whether to enable or disable TLS compression support (boolean). The
> +default is true.
> +
> =back
>
> =head2 Monitoring
> diff --git a/doc/pod/news.pod b/doc/pod/news.pod
> index 4315b3f..64cd93b 100644
> --- a/doc/pod/news.pod
> +++ b/doc/pod/news.pod
> @@ -1,3 +1,17 @@
> +=head1 Changes in TLS configuration
> +
> +=over 2
> +
> +=item *
> +
> +New parameters used by B to fine-tune the TLS configuration:
> +I, I, I and
> +I. If you've been using TLS with B before, be
> +aware that the defaults of those parameters may differ from the
> +previous defaults (which depended on your OpenSSL version).
> +
> +=back
> +
> =head1 Changes in 2.5.4
>
> =over 2
> diff --git a/doc/pod/nnrpd.pod b/doc/pod/nnrpd.pod
> index 9c13821..32698ae 100644
> --- a/doc/pod/nnrpd.pod
> +++ b/doc/pod/nnrpd.pod
> @@ -224,6 +224,12 @@ run B. (Change the path to B to match
> your installation.)
> You may need to replace C with C<563> if C isn't
> defined in F on your system.
>
> +Optionally, you may set the I, I,
> +I and I parameters in
> +F to fine-tune the behaviour of the TLS negotiation whenever
> +a new attack on the TLS protocol or some supported cipher suite is
> +discovered.
> +
> =head1 PROTOCOL DIFFERENCES
>
> B implements the NNTP commands defined in S (NNTP),
> diff --git a/include/inn/innconf.h b/include/inn/innconf.h
> index ee16620..669255c 100644
> --- a/include/inn/innconf.h
> +++ b/include/inn/innconf.h
> @@ -127,6 +127,10 @@ struct innconf {
> char *tlscapath;/* Path to a directory of CA certificates */
> char *tlscertfile; /* Path to the SSL certificate to use */
> char *tlskeyfile; /* Path to the key for the certificate */
> +bool tlsprefer_server_ciphers; /* Make server select the cipher */
> +bool tlscompression;/* Turn TLS compression on/off */
> +struct vector *tlsprotocols; /* List of supported TLS
> versions */
> +char *tlsciphers; /* openssl-style cipher string */
> #endif /* HAVE_SSL */
>
> /* Monitoring */
> diff --git a/lib/innconf.c b/lib/innconf.c
> index ded674c..9e6183d 100644
> --- a/lib/innconf.c
> +++ b/lib/innconf.c
> @@ -231,6 +231,10 @@ const struct config config_table[] = {
> { K(tlscapath), STRING (NULL) },
> { K(tlscertfile), STRING (NULL) },
> { K(tlskeyfile), STRING (NULL) },
> +{ K(tlsprefer_server_ciphers), BOOL (false) },
> +{ K(tlscompression), BOOL(true) },
> +{ K(tlsprotocols),LIST(NULL) },
> +{ K(tlsciphers), STRING (NULL) },
> #endif /* HAVE_SSL */
>
> /* The following settings are used by nnrpd and rnews. */
> diff --git a/nnrpd/tls.c b/nnrpd/tls.c
> index 62b1a51..22a00c7 100644
> --- a/nnrpd/tls.c
> +++ b/nnrpd/tls.c
> @@ -425,7 +425,9 @@ set_cert_stuff(SSL_CTX * ct
