INN commit: trunk (4 files)
INN Commit
rra at isc.org
Sun Dec 6 18:31:27 UTC 2015
Date: Sunday, December 6, 2015 @ 10:31:27
Author: iulius
Revision: 9963
Improve wording around encryption layers
Keep in mind that two kinds of security layers can be negotiated (TLS
and SASL).
Modified:
trunk/doc/pod/news.pod
trunk/doc/pod/readers.conf.pod
trunk/include/inn/innconf.h
trunk/nnrpd/misc.c
--------------------------+
doc/pod/news.pod | 4 ++--
doc/pod/readers.conf.pod | 6 +++---
include/inn/innconf.h | 2 +-
nnrpd/misc.c | 7 ++++---
4 files changed, 10 insertions(+), 9 deletions(-)
Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod 2015-12-06 18:27:17 UTC (rev 9962)
+++ doc/pod/news.pod 2015-12-06 18:31:27 UTC (rev 9963)
@@ -13,9 +13,9 @@
=item *
-When an encryption layer is negotiated after a successful use of the
+When an encryption layer is negotiated during a successful use of the
STARTTLS command, or after a successful authentication using a SASL
-mechanism which negotiates an encrypted layer, B<nnrpd> now updates
+mechanism which negotiates an encryption layer, B<nnrpd> now updates
the permissions of the news client according to the new secure state
of his connection (that is to say auth blocks in F<readers.conf> using
the I<require_ssl> parameter are taken into account). Previously,
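Review bot: the item now covers layers negotiated by a SASL mechanism, but it still points the reader at the I<require_ssl> parameter without saying that the name is historical. An administrator reading "require_ssl" will reasonably assume that only STARTTLS or B<-S> satisfies it. Suggest adding a short parenthetical after the parameter name saying that a SASL-negotiated layer also counts. While this sentence is being touched, "of his connection" could become "of its connection" or "of the connection".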
Modified: doc/pod/readers.conf.pod
===================================================================
--- doc/pod/readers.conf.pod 2015-12-06 18:27:17 UTC (rev 9962)
+++ doc/pod/readers.conf.pod 2015-12-06 18:31:27 UTC (rev 9963)
@@ -93,7 +93,7 @@
connection is using an encryption layer, either from the beginning if
the B<-S> flag was passed to B<nnrpd>, or after a successful use of
STARTTLS, or after a successful authentication using a SASL mechanism
-which negotiates an encrypted layer.
+which negotiates an encryption layer.
For any connection from a host that matches that wildmat expression or
netblock, each <res-program> (multiple res: lines may be present in a
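Review bot: terminology is split across this commit. This paragraph settles on "encryption layer", while the reply string changed in nnrpd/misc.c says "security layer" and the commit message speaks of security layers (TLS and SASL). Pick one term for the TLS-or-SASL case, or define "encryption layer" once in this paragraph as covering both, so that the documentation and the server's reply text can be matched to each other.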
@@ -505,8 +505,8 @@
If this parameter is present (and nonzero), it is used for B<nnrpd>'s
rate-limiting code. The client will only be able to download at this
-speed (in bytes/second). Note that if TLS/SSL is being used, limiting
-is applied to the pre-encryption datastream.
+speed (in bytes/second). Note that if an encryption layer is being used,
+limiting is applied to the pre-encryption datastream.
=item B<localtime:>
Modified: include/inn/innconf.h
===================================================================
--- include/inn/innconf.h 2015-12-06 18:27:17 UTC (rev 9962)
+++ include/inn/innconf.h 2015-12-06 18:31:27 UTC (rev 9963)
@@ -129,7 +129,7 @@
*/
char *tlscafile; /* Path to a certificate authority file */
char *tlscapath; /* Path to a directory of CA certificates */
- char *tlscertfile; /* Path to the SSL certificate to use */
+ char *tlscertfile; /* Path to the TLS/SSL certificate to use */
char *tlskeyfile; /* Path to the key for the certificate */
char *tlsciphers; /* OpenSSL-style cipher string */
bool tlscompression; /* Turn TLS compression on/off */
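Review bot: the tlscertfile comment now says "TLS/SSL certificate", which goes the opposite way from the readers.conf.pod hunk in this same commit, where "TLS/SSL" is removed, and it also differs from the neighbouring comments that say only "TLS" (tlscompression) or name no protocol at all. Suggest "Path to the TLS certificate to use" so the struct comments stay uniform.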
Modified: nnrpd/misc.c
===================================================================
--- nnrpd/misc.c 2015-12-06 18:27:17 UTC (rev 9962)
+++ nnrpd/misc.c 2015-12-06 18:31:27 UTC (rev 9963)
@@ -460,7 +460,7 @@
bool boolval;
if (encryption_layer_on) {
- Reply("%d Already using a TLS layer\r\n", NNTP_ERR_ACCESS);
+ Reply("%d Already using a security layer\r\n", NNTP_ERR_ACCESS);
return;
}
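Review bot: the condition tests encryption_layer_on, yet the reply now reads "Already using a security layer", and nothing in this hunk says that the flag is also set when the layer came from SASL rather than TLS. Add a one-line comment above the if stating which layers set the flag, so the generic wording is justified where it is used. Also note that this changes client-visible reply text for NNTP_ERR_ACCESS; if any test or log check matches the old "TLS layer" string, it needs updating in the same commit.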
@@ -497,8 +497,9 @@
/* We can now assume a secure connection will be negotiated because
* nnrpd will exit if STARTTLS fails.
* Check the permissions the client will have after having successfully
- * negotiated a TLS layer. (There may be TLS-only auth blocks in
- * readers.conf that match the connection).
+ * negotiated a TLS layer. (There may be auth blocks requiring the
+ * negotiation of a security layer in readers.conf that match the
+ * connection.)
* In case the client would no longer have access to the server, or an
* authentication error happens, the connection aborts after a fatal 400
* response code sent by PERMgetpermissions(). */
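Review bot: the rewritten parenthetical ("auth blocks requiring the negotiation of a security layer") is accurate but harder to search for than the parameter it refers to. The documentation hunks in this commit name I<require_ssl> explicitly; naming it here as well, for example "auth blocks using require_ssl in readers.conf", lets a reader of the code find the matching configuration directly. The preceding line keeps "negotiated a TLS layer", which is correct for the STARTTLS path and should stay.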