inn 2.4.0 and SSL certificates

Sergio Rodriguez de Guzman Martinez srodriguez at corenetworks.org
Thu Jul 31 09:25:08 UTC 2003


Hi,

I think I have found a bug with INN and SSL:

When making the certificate from the make cert command (on Makefile):

##  Install a certificate for TLS/SSL support.
cert:
         $(SSLBIN)/openssl req -new -x509 -nodes \
             -out $(PATHLIB)/cert.pem -days 366 \
             -keyout $(PATHLIB)/cert.pem
         chown $(NEWSUSER) $(PATHLIB)/cert.pem
         chgrp $(NEWSGROUP) $(PATHLIB)/cert.pem
         chmod 640 $(PATHLIB)/cert.pem

The permissions are 640 for cert.pem, but in nnrpd/tls.c (line 421)
         if (!S_ISREG(buf.st_mode) || (buf.st_mode & 0077) != 0 ||
             buf.st_uid != getuid()) {
             syslog(L_ERROR,
                    "bad ownership or permissions on private key '%s'",
                    cert_file);
             return (0);
         }

you are checking the permissions with & 0077 so: 0640 & 0077 gives TRUE 
and you get that annoying error.

Just changing the permissions of the cert file to 600 solves the problem.

Anyway, thanks for such a great job.

Note for the debian maintainer:
Please, change the README.Debian:
chmod 600 /etc/news/nnrpd-key.pem
chown news:news /etc/news/nnrpd-key.pem

and line 1 is wrong:
"To enable SSL you need to start /etc/news/bin/nnrpd-ssl with the -S"
you need to start /usr/lib/news/nnrpd-ssl with -S


Sergio.



More information about the inn-bugs mailing list