INN commit: trunk/doc/pod (checklist.pod install.pod nnrpd.pod)

INN Commit rra at isc.org
Wed Sep 2 12:35:17 UTC 2015


    Date: Wednesday, September 2, 2015 @ 05:35:17
  Author: iulius
Revision: 9936

Improve documentation about the use of port 119 with TLS

Modified:
  trunk/doc/pod/checklist.pod
  trunk/doc/pod/install.pod
  trunk/doc/pod/nnrpd.pod

---------------+
 checklist.pod |    6 ++++--
 install.pod   |    6 ++++--
 nnrpd.pod     |   19 ++++++++++++-------
 3 files changed, 20 insertions(+), 11 deletions(-)

Modified: checklist.pod
===================================================================
--- checklist.pod	2015-09-02 12:23:29 UTC (rev 9935)
+++ checklist.pod	2015-09-02 12:35:17 UTC (rev 9936)
@@ -334,8 +334,10 @@
     su news -s /bin/sh -c '<pathbin>/nnrpd -D -c <pathetc>/readers-ssl.conf -p 563 -S'
 
 Note that a news client which supports the STARTTLS command can also
-use the conventional NNTP port 119 to initiate a TLS connection.  However,
-such clients are not widespread yet.
+use the conventional NNTP port 119 to initiate a TLS connection.
+However, as such clients are not widespread yet, using the separate
+port 563 is still common practice (though discouraged).  See nnrpd(8)
+for more information about TLS support.
 
 =back
 
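Review bot: the parenthetical "(though discouraged)" in the new text gives the reader neither a reason nor a source, while the nnrpd.pod hunk of this same commit attributes the discouragement to RFC 4642; consider carrying that attribution here too, e.g. "using the separate port 563 is still common practice (though discouraged by RFC 4642)", so the checklist stands on its own before the reader follows the pointer to nnrpd(8).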

Modified: install.pod
===================================================================
--- install.pod	2015-09-02 12:23:29 UTC (rev 9935)
+++ install.pod	2015-09-02 12:35:17 UTC (rev 9936)
@@ -1614,8 +1614,10 @@
 connection is allowed to read and post news (you can also use the
 previously created F<readers.conf> file to handle TLS/SSL connections).
 Note that a news client which supports the STARTTLS command can also
-use the conventional NNTP port 119 to initiate a TLS connection.  However,
-such clients are not widespread yet.
+use the conventional NNTP port 119 to initiate a TLS connection.
+However, as such clients are not widespread yet, using the separate
+port 563 is still common practice (though discouraged).  See nnrpd(8)
+for more information about TLS support.
 
 In the shutdown section of the init script, you can put:
 
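Review bot: the four new lines here are a verbatim copy of the checklist.pod paragraph, so the two files now have to be kept in sync by hand; since both already end with "See nnrpd(8) for more information about TLS support", consider keeping the full explanation (including the RFC 4642 reference) only in nnrpd.pod and reducing this paragraph to the STARTTLS sentence plus the pointer.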

Modified: nnrpd.pod
===================================================================
--- nnrpd.pod	2015-09-02 12:23:29 UTC (rev 9935)
+++ nnrpd.pod	2015-09-02 12:35:17 UTC (rev 9936)
@@ -207,13 +207,18 @@
 In case you have a certificate authority root certificate, you can also
 set I<tlscafile> to its path.
 
-Most news clients currently do not use the STARTTLS command, however, and
-instead expect to connect to a separate port (563) and start a TLS
-negotiation immediately.  B<innd> does not, however, know how to listen
-for connections to that port and then spawn B<nnrpd> the way that it does
-for regular reader connections.  You will therefore need to arrange for
-B<nnrpd> to listen on that port through some other means.  This can be
-done with the B<-D> flag along with C<-p 563> and put into your init scripts:
+There are two common ways for a news client to negotiate a TLS
+connection:  either via the use of the STARTTLS command on the usual NNTP
+port (119) or via the now discouraged way (per RFC 4642) to immediately
+negotiate an encrypted session upon connection on a dedicated port
+(usually 563).  As most news clients currently do not use the STARTTLS
+command, and instead expect to connect to a separate port (563) and start
+a TLS negotiation immediately, it is still useful to provide a legacy
+way for these news clients to encrypt the NNTP session.  B<innd> does
+not, however, know how to listen for connections to that separate port.
+You will therefore need to arrange for B<nnrpd> to listen on that port
+through some other means.  This can be done with the B<-D> flag along
+with C<-p 563> and put into your init scripts:
 
     su news -s /bin/sh -c '<pathbin>/nnrpd -D -p 563 -S'
 
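Review bot: the new first sentence is hard to parse ("either via the use of the STARTTLS command ... or via the now discouraged way (per RFC 4642) to immediately negotiate an encrypted session upon connection on a dedicated port") and has a stray double space after "connection:"; suggest "either by issuing the STARTTLS command on the usual NNTP port (119) or, in the way RFC 4642 now discourages, by negotiating TLS immediately upon connecting to a dedicated port (usually 563)". The rewrite also drops the old clause "and then spawn B<nnrpd> the way that it does for regular reader connections" after "B<innd> does not, however, know how to listen for connections to that separate port", which was what explained why the B<-D> / C<-p 563> init-script workaround is needed; consider keeping it.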