INN commit: trunk (7 files)
INN Commit
Russ_Allbery at isc.org
Mon May 18 20:01:38 UTC 2009
Date: Monday, May 18, 2009 @ 13:01:37
Author: iulius
Revision: 8479
Also mention TLS when SSL is used in our documentation
and public files.
Modified:
trunk/doc/pod/auth_krb5.pod
trunk/doc/pod/checklist.pod
trunk/doc/pod/inn.conf.pod
trunk/doc/pod/install.pod
trunk/doc/pod/readers.conf.pod
trunk/m4/openssl.m4
trunk/samples/inn.conf.in
--------------------------+
doc/pod/auth_krb5.pod | 2 +-
doc/pod/checklist.pod | 2 +-
doc/pod/inn.conf.pod | 18 +++++++++---------
doc/pod/install.pod | 16 ++++++++--------
doc/pod/readers.conf.pod | 16 ++++++++--------
m4/openssl.m4 | 2 +-
samples/inn.conf.in | 2 +-
7 files changed, 29 insertions(+), 29 deletions(-)
Modified: doc/pod/auth_krb5.pod
===================================================================
--- doc/pod/auth_krb5.pod 2009-05-18 19:59:31 UTC (rev 8478)
+++ doc/pod/auth_krb5.pod 2009-05-18 20:01:37 UTC (rev 8479)
@@ -14,7 +14,7 @@
confirm that they are valid. As such, this authenticator assumes that
B<nnrpd> has been given the user's username and password, and therefore is
not as secure as real Kerberos authentication. It generally should only
-be used with NNTP over SSL to protect the password from sniffing.
+be used with NNTP over TLS to protect the password from sniffing.
=head1 OPTIONS
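Review bot: The added line says "NNTP over TLS", but the same password-sniffing advice in the readers.conf.pod part of this commit reads "NNTP over TLS/SSL or through ssh tunnels". Use one form in both pages; given the log message ("Also mention TLS when SSL is used"), "NNTP over TLS/SSL" would match here.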
Modified: doc/pod/checklist.pod
===================================================================
--- doc/pod/checklist.pod 2009-05-18 19:59:31 UTC (rev 8478)
+++ doc/pod/checklist.pod 2009-05-18 20:01:37 UTC (rev 8479)
@@ -92,7 +92,7 @@
You probably want B<--with-perl>. If you're not using NetBSD with
cycbuffs or OpenBSD, perhaps B<--with-tagged-hash>. You might want to
-compile in SSL and S<Berkeley DB>, if your system supports them. You
+compile in TLS/SSL and S<Berkeley DB>, if your system supports them. You
will need to have the relevant external libraries to compile (depending
on whether you use OpenSSL for TLS/SSL access to your news server, GnuPG
to verify the authenticity of Usenet control messages, Perl, Python, etc.).
Modified: doc/pod/inn.conf.pod
===================================================================
--- doc/pod/inn.conf.pod 2009-05-18 19:59:31 UTC (rev 8478)
+++ doc/pod/inn.conf.pod 2009-05-18 20:01:37 UTC (rev 8479)
@@ -985,7 +985,7 @@
=back
-Finally, here are the parameters used by nnrpd(8) to provide SSL and TLS
+Finally, here are the parameters used by nnrpd(8) to provide TLS/SSL
support:
=over 4
@@ -993,8 +993,8 @@
=item I<tlscafile>
The path to a file containing certificate authority root certificates,
-used to present a trust chain to an SSL or TLS client. This parameter is
-only used if nnrpd is built with TLS support. There is no default value.
+used to present a trust chain to a TLS client. This parameter is only
+used if B<nnrpd> is built with TLS/SSL support. There is no default value.
=item I<tlscapath>
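Review bot: In the I<tlscafile> item, "an SSL or TLS client" becomes "a TLS client" while the next sentence says "built with TLS/SSL support", so a single item now uses two different terms, and SSL is dropped rather than TLS added as the log message describes. If only TLS clients are meant, say so in the log message; otherwise use "a TLS/SSL client" and apply the same choice to "TLS clients" in the I<tlscertfile> item.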
@@ -1002,13 +1002,13 @@
certificates. Each file in the directory should contain one CA
certificate, and the name of the file should be the CA subject name hash
value. See the OpenSSL documentation for more information. This
-parameter is only used if nnrpd is built with TLS support. There is no
-default value.
+parameter is only used if B<nnrpd> is built with TLS/SSL support. There
+is no default value.
=item I<tlscertfile>
-The path to a file containing the server certificate to present to SSL or
-TLS clients. This parameter is only used if nnrpd is built with TLS
+The path to a file containing the server certificate to present to
+TLS clients. This parameter is only used if B<nnrpd> is built with TLS/SSL
support. The default value is I<pathnews>/lib/cert.pem.
=item I<tlskeyfile>
@@ -1018,10 +1018,10 @@
I<tlscertfile> if, when you created the certificate, you put the key in
the same file (if, for example, you gave the same file name to both the
B<-out> and B<-keyout> options to C<openssl req>). This parameter is only
-used if nnrpd is built with TLS support. The default value is
+used if B<nnrpd> is built with TLS/SSL support. The default value is
I<pathnews>/lib/key.pem.
-This file must only be readable by the news user or nnrpd will refuse to
+This file must only be readable by the news user or B<nnrpd> will refuse to
use it.
=back
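Review bot: Since the sentence "This file must only be readable by the news user or B<nnrpd> will refuse to use it" is being touched anyway, the misplaced "only" is worth fixing: "must be readable only by the news user". It would also help administrators if the I<tlskeyfile> item stated which ownership and mode are expected, because a refusal to use the key is hard to diagnose from this text alone.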
Modified: doc/pod/install.pod
===================================================================
--- doc/pod/install.pod 2009-05-18 19:59:31 UTC (rev 8478)
+++ doc/pod/install.pod 2009-05-18 20:01:37 UTC (rev 8479)
@@ -435,13 +435,13 @@
=item B<--with-openssl>=PATH
-Enables support for SSL for news reading, which means it will be possible
-to have SSL or TLS encrypted NNTP connections between your server and
-newsreaders. This option requires OpenSSL be installed on your system
-(including the header files, not just the runtime libraries). If a path
-is given, it sets the installed directory of OpenSSL. After compiling and
-installing INN with this option, you'll still need to make a certificate
-and private key to use SSL. See below for details on how to do that.
+Enables support for TLS/SSL for news reading, which means it will be possible
+to have TLS encrypted NNTP connections between your server and newsreaders.
+This option requires OpenSSL be installed on your system (including the header
+files, not just the runtime libraries). If a path is given, it sets the
+installed directory of OpenSSL. After compiling and installing INN with
+this option, you'll still need to make a certificate and private key to use TLS.
+See below for details on how to do that.
=item B<--enable-ipv6>
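Review bot: The whole B<--with-openssl> paragraph is re-wrapped at a wider column for what amounts to three word changes, which hides the real edit in the diff and leaves lines such as "this option, you'll still need to make a certificate and private key to use TLS." longer than the surrounding text. Keep the original line breaks and change only the words; "TLS encrypted NNTP connections" should also be hyphenated as "TLS-encrypted".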
@@ -489,7 +489,7 @@
(including the default NNTP port of 119) unless you then run C<make
install-root> as root, which will install only the setuid helper program.
-If you are configuring SSL support for newsreaders, you must make a
+If you are configuring TLS/SSL support for newsreaders, you must make a
certificate and private key at least once. Type:
make cert
Modified: doc/pod/readers.conf.pod
===================================================================
--- doc/pod/readers.conf.pod 2009-05-18 19:59:31 UTC (rev 8478)
+++ doc/pod/readers.conf.pod 2009-05-18 20:01:37 UTC (rev 8479)
@@ -88,9 +88,9 @@
address in a netblock; for example, "10.10.10.0/24" will match any IP
address between 10.10.10.0 and 10.10.10.255 inclusive.
-If compiled against the SSL libraries, an auth group with the I<require_ssl>
+If compiled against the TLS/SSL libraries, an auth group with the I<require_ssl>
parameter set to true only applies if the incoming connection is using
-SSL, either from the beginning if the B<-S> flag was passed to B<nnrpd> or
+TLS, either from the beginning if the B<-S> flag was passed to B<nnrpd> or
after a successful use of STARTTLS.
For any connection from a host that matches that wildmat expression or
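Review bot: After this change the paragraph says a connection must be "using TLS" to match a group with I<require_ssl> set to true, with nothing to explain why the parameter name still says SSL. A short parenthetical noting that I<require_ssl> keeps its name and covers TLS connections would stop readers from looking for a separate TLS parameter.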
@@ -307,9 +307,9 @@
=item B<require_ssl:>
If set to true, an incoming connection only matches this auth group if
-it is encrypted using SSL, either from the beginning if the B<-S> flag
+it is encrypted using TLS/SSL, either from the beginning if the B<-S> flag
was passed to B<nnrpd> or after a successful use of STARTTLS. This
-parameter is only valid if INN is compiled with SSL support
+parameter is only valid if INN is compiled with TLS/SSL support
(B<--with-openssl> passed to configure).
=item B<perl_access:>
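Review bot: The B<require_ssl:> item now says "encrypted using TLS/SSL", while the earlier paragraph in this same file, which describes the identical condition (B<-S> or a successful STARTTLS), was changed to "is using TLS". The two descriptions of one rule should use the same wording; pick "TLS/SSL" or "TLS" and apply it in both places.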
@@ -459,7 +459,7 @@
If this parameter is present (and nonzero), it is used for B<nnrpd>'s
rate-limiting code. The client will only be able to download at this
-speed (in bytes/second). Note that if SSL is being used, limiting
+speed (in bytes/second). Note that if TLS/SSL is being used, limiting
is applied to the pre-encryption datastream.
=item B<localtime:>
@@ -807,7 +807,7 @@
Authentication using the AUTHINFO USER/PASS commands passes unencrypted
over the network. Extreme caution should therefore be used especially
with system passwords (e.g. C<auth: ckpasswd -s>). Passwords can be
-protected by using NNTP over SSL or through ssh tunnels, and this usage
+protected by using NNTP over TLS/SSL or through ssh tunnels, and this usage
can be enforced by a well-considered server configuration that only
permits certain auth groups to be applied in certain cases. Here are
some ideas:
@@ -816,7 +816,7 @@
=item *
-To restrict connections on the standard NNTP port (119) to use SSL for
+To restrict connections on the standard NNTP port (119) to use TLS for
some (or all) of the auth groups to match, use the I<require_ssl>
parameter. Note that a client can use STARTTLS to negotiate an
encrypted connection.
@@ -831,7 +831,7 @@
Consider running B<nnrpd> with the B<-S> flag (either also with B<-D>,
or out of "super-server" like B<inetd>) on the NNTPS port (563) for
-clients that support SSL. See nnrpd(8) for more details about how
+clients that support TLS/SSL. See nnrpd(8) for more details about how
to configure that. You can use the I<require_ssl> parameter or the
B<-c> flag to specify an alternate F<readers.conf> file if you want
a substantially different configuration for this case.
Modified: m4/openssl.m4
===================================================================
--- m4/openssl.m4 2009-05-18 19:59:31 UTC (rev 8478)
+++ m4/openssl.m4 2009-05-18 20:01:37 UTC (rev 8479)
@@ -18,7 +18,7 @@
SSL_LIBS=
AC_ARG_WITH([openssl],
[AC_HELP_STRING([--with-openssl@<:@=PATH@:>@],
- [Enable OpenSSL (for NNTP over SSL support)])],
+ [Enable OpenSSL (for NNTP over TLS/SSL support)])],
SSL_DIR=$with_openssl,
SSL_DIR=no)
AC_MSG_CHECKING([if OpenSSL is desired])
Modified: samples/inn.conf.in
===================================================================
--- samples/inn.conf.in 2009-05-18 19:59:31 UTC (rev 8478)
+++ samples/inn.conf.in 2009-05-18 20:01:37 UTC (rev 8479)
@@ -128,7 +128,7 @@
backoffpostslow: 1
backofftrigger: 10000
-# Reading and posting -- SSL and TLS support
+# Reading and posting -- TLS/SSL support
#tlscafile:
#tlscapath: