INN commit: trunk (7 files)

INN Commit rra at isc.org
Wed Apr 5 19:44:25 UTC 2017


    Date: Wednesday, April 5, 2017 @ 12:44:24
  Author: iulius
Revision: 10136

Update documentation to latest TLS best current practices

- Using implicit TLS (port 563) is recommended per RFC 8143.

- The TLS_RSA_WITH_RC4_128_MD5 and TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
cipher suites are no longer mandatory.

Modified:
  trunk/contrib/sample.init.script
  trunk/doc/FAQ
  trunk/doc/pod/checklist.pod
  trunk/doc/pod/inn.conf.pod
  trunk/doc/pod/install.pod
  trunk/doc/pod/nnrpd.pod
  trunk/doc/pod/readme.pod

----------------------------+
 contrib/sample.init.script |    2 --
 doc/FAQ                    |    8 ++++----
 doc/pod/checklist.pod      |    8 ++++----
 doc/pod/inn.conf.pod       |    7 +------
 doc/pod/install.pod        |    6 +++---
 doc/pod/nnrpd.pod          |   20 +++++++++-----------
 doc/pod/readme.pod         |    8 ++++----
 7 files changed, 25 insertions(+), 34 deletions(-)

Modified: contrib/sample.init.script
===================================================================
--- contrib/sample.init.script	2017-01-12 21:09:58 UTC (rev 10135)
+++ contrib/sample.init.script	2017-04-05 19:44:24 UTC (rev 10136)
@@ -13,8 +13,6 @@
     # Start INN.
     su news -s /bin/sh -c '<pathbin>/rc.news' >> <pathlog>/rc.news 2>&1
     # Start another nnrpd daemon, handling initial TLS connections, on port 563.
-    # (The preferred way would be to use port 119 and STARTTLS but not all news
-    # readers support it yet.)
     #su news -s /bin/sh -c '<pathbin>/nnrpd -D -p 563 -S' >> <pathlog>/rc.news 2>&1
 }
 
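Review bot: with the two rationale lines dropped, the remaining comment above the port 563 line no longer says why a separate implicit-TLS listener is the preferred setup; rather than leaving no explanation, consider replacing the removed text with a one-line pointer such as `# (Implicit TLS on port 563 is the recommended way, per RFC 8143.)` so operators editing the sample script see the current guidance. The `#su news -s /bin/sh -c '<pathbin>/nnrpd -D -p 563 -S'` line stays commented out, which is fine for a sample, but a comment telling the operator to uncomment it once a certificate and readers.conf for TLS are in place would make the intent explicit.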

Modified: doc/FAQ
===================================================================
--- doc/FAQ	2017-01-12 21:09:58 UTC (rev 10135)
+++ doc/FAQ	2017-04-05 19:44:24 UTC (rev 10136)
@@ -112,10 +112,10 @@
     INN (InterNetNews), originally written by Rich Salz, is an extremely
     flexible and configurable Usenet / Netnews news server.  For a complete
     description of the protocols behind Usenet and Netnews, see RFC 3977
-    (NNTP), RFC 4642 (TLS/NNTP), RFC 4643 (NNTP authentication), RFC 4644
-    (streaming NNTP feeds), RFC 5536 (USEFOR), RFC 5537 (USEPRO),
-    RFC 6048 (NNTP LIST additions) and RFC 8054 (NNTP compression) or their
-    replacements.
+    (NNTP), RFC 4642 updated by RFC 8143 (TLS/NNTP), RFC 4643 (NNTP
+    authentication), RFC 4644 (streaming NNTP feeds), RFC 5536 (USEFOR),
+    RFC 5537 (USEPRO), RFC 6048 (NNTP LIST additions) and RFC 8054 (NNTP
+    compression) or their replacements.
 
     In brief, Netnews is a set of protocols for exchanging messages between
     a decentralized network of news servers.  News articles are organized
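Review bot: the phrase `RFC 4642 updated by RFC 8143 (TLS/NNTP)` reads as if the parenthetical describes only RFC 8143; `RFC 4642 (TLS/NNTP, updated by RFC 8143)` is clearer and keeps the one-parenthetical-per-RFC pattern of the rest of the list. The same wording is used in readme.pod and nnrpd.pod in this commit, so whichever form is chosen should be applied to all three.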

Modified: doc/pod/checklist.pod
===================================================================
--- doc/pod/checklist.pod	2017-01-12 21:09:58 UTC (rev 10135)
+++ doc/pod/checklist.pod	2017-04-05 19:44:24 UTC (rev 10136)
@@ -336,10 +336,10 @@
 
     su news -s /bin/sh -c '<pathbin>/nnrpd -D -c <pathetc>/readers-ssl.conf -p 563 -S'
 
-Note that a news client which supports the STARTTLS command can also
-use the conventional NNTP port 119 to initiate a TLS connection.
-However, as such clients are not widespread yet, using the separate
-port 563 is still common practice (though discouraged).  See nnrpd(8)
+Note that a news client which supports the STARTTLS command can also use
+the conventional NNTP port 119 to dynamically upgrade from unencrypted
+to TLS-protected traffic during an NNTP session.  However, this practice
+is discouraged in favour of using the separate port 563.  See nnrpd(8)
 for more information about TLS support.
 
 =back
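Review bot: the new sentence says STARTTLS on port 119 "is discouraged in favour of using the separate port 563" but gives no reason or reference in this file; the commit message and the nnrpd.pod hunk attribute the recommendation to RFC 8143, so adding "(per RFC 8143)" here, and in the identical install.pod paragraph, keeps the three documents consistent and lets readers find the rationale without going through nnrpd(8). The `-p 563 -S` example above the paragraph matches the recommended setup, so the text and the command line now agree.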

Modified: doc/pod/inn.conf.pod
===================================================================
--- doc/pod/inn.conf.pod	2017-01-12 21:09:58 UTC (rev 10135)
+++ doc/pod/inn.conf.pod	2017-04-05 19:44:24 UTC (rev 10136)
@@ -1089,17 +1089,12 @@
 OpenSSL's ciphers(1) command documentation for details.  The default
 is unset, which uses OpenSSL's default cipher suite list.
 
-Formally, keeping the TLS_RSA_WITH_RC4_128_MD5 and
-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA cipher suites is important, as it
-assures that any two compliant implementations can be configured to
-interoperate (see RFC 4642 for more details).
-
 =item I<tlscompression>
 
 Whether to enable or disable TLS/SSL-level compression support.
 This is a boolean and the default is false, that is to say compression
 is disabled, so as to follow the best current practices for a secure
-use of TLS in application protocols like NNTP.
+use of TLS in application protocols (see S<RFC 8143> for NNTP).
 
 Note that enabling TLS/SSL-level compression will be possible only if
 the OpenSSL library INN has been built with, supports that feature.
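Review bot: dropping the paragraph is correct, since RC4-MD5 and 3DES are no longer suites worth keeping for interoperability, but the I<tlsciphers> entry now gives no guidance at all on what a reasonable cipher list looks like; the I<tlscompression> item in the same hunk gains a S<RFC 8143> cross-reference, and I<tlsciphers> would benefit from the same pointer so administrators know where the current recommendations live. Minor, in the unchanged context: "the OpenSSL library INN has been built with, supports that feature" has a stray comma that could be cleaned up while this section is being touched.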

Modified: doc/pod/install.pod
===================================================================
--- doc/pod/install.pod	2017-01-12 21:09:58 UTC (rev 10135)
+++ doc/pod/install.pod	2017-04-05 19:44:24 UTC (rev 10136)
@@ -1623,9 +1623,9 @@
 connection is allowed to read and post news (you can also use the
 previously created F<readers.conf> file to handle TLS/SSL connections).
 Note that a news client which supports the STARTTLS command can also
-use the conventional NNTP port 119 to initiate a TLS connection.
-However, as such clients are not widespread yet, using the separate
-port 563 is still common practice (though discouraged).  See nnrpd(8)
+use the conventional NNTP port 119 to dynamically upgrade from unencrypted
+to TLS-protected traffic during an NNTP session.  However, this practice 
+is discouraged in favour of using the separate port 563.  See nnrpd(8)
 for more information about TLS support.
 
 In the shutdown section of the init script, you can put:
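Review bot: the added line `+to TLS-protected traffic during an NNTP session.  However, this practice ` carries trailing whitespace; please strip it, as the otherwise identical checklist.pod paragraph in this commit has none. As for checklist.pod, naming RFC 8143 as the source of the recommendation in this paragraph would let readers locate the rationale directly.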

Modified: doc/pod/nnrpd.pod
===================================================================
--- doc/pod/nnrpd.pod	2017-01-12 21:09:58 UTC (rev 10135)
+++ doc/pod/nnrpd.pod	2017-04-05 19:44:24 UTC (rev 10136)
@@ -208,14 +208,12 @@
 set I<tlscafile> to its path.
 
 There are two common ways for a news client to negotiate a TLS
-connection:  either via the use of the STARTTLS command on the usual NNTP
-port (119) or via the now discouraged way (per RFC 4642) to immediately
-negotiate an encrypted session upon connection on a dedicated port
-(usually 563).  As most news clients currently do not use the STARTTLS
-command, and instead expect to connect to a separate port (563) and start
-a TLS negotiation immediately, it is still useful to provide a legacy
-way for these news clients to encrypt the NNTP session.  B<innd> does
-not, however, know how to listen for connections to that separate port.
+connection:  either via the use of a dedicated port (usually 563)
+on which TLS is immediately negotiated upon connection, or via the
+now discouraged way (per S<RFC 8143>) to use the STARTTLS command on
+the usual NNTP port (119) to dynamically upgrade from unencrypted
+to TLS-protected traffic during an NNTP session.  B<innd> does not,
+however, know how to listen for connections to that separate port (563).
 You will therefore need to arrange for B<nnrpd> to listen on that port
 through some other means.  This can be done with the B<-D> flag along
 with C<-p 563> and put into your init scripts:
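Review bot: in the rewritten paragraph, the sentence "B<innd> does not, however, know how to listen for connections to that separate port (563)" now directly follows the clause describing STARTTLS on port 119, so "that separate port" refers back across the discouraged alternative; either move the B<innd> sentence to right after the port 563 clause or rephrase to "the dedicated port (563)" so the reference is unambiguous. The ordering change itself (implicit TLS first, STARTTLS second and marked discouraged per S<RFC 8143>) matches the commit message.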
@@ -240,9 +238,9 @@
 =head1 PROTOCOL DIFFERENCES
 
 B<nnrpd> implements the NNTP commands defined in S<RFC 3977> (NNTP),
-S<RFC 4642> (TLS/NNTP), S<RFC 4643> (NNTP authentication), S<RFC 6048>
-(NNTP LIST additions) and S<RFC 8054> (NNTP compression) with the
-following differences:
+S<RFC 4642> updated by S<RFC 8143> (TLS/NNTP), S<RFC 4643> (NNTP
+authentication), S<RFC 6048> (NNTP LIST additions) and S<RFC 8054>
+(NNTP compression) with the following differences:
 
 =over 4
 

Modified: doc/pod/readme.pod
===================================================================
--- doc/pod/readme.pod	2017-01-12 21:09:58 UTC (rev 10135)
+++ doc/pod/readme.pod	2017-04-05 19:44:24 UTC (rev 10136)
@@ -15,10 +15,10 @@
 INN (InterNetNews), originally written by Rich Salz, is an extremely
 flexible and configurable Usenet / Netnews news server.  For a complete
 description of the protocols behind Usenet and Netnews, see S<RFC 3977>
-(NNTP), S<RFC 4642> (TLS/NNTP), S<RFC 4643> (NNTP authentication),
-S<RFC 4644> (streaming NNTP feeds), S<RFC 5536> (USEFOR), S<RFC 5537>
-(USEPRO), S<RFC 6048> (NNTP LIST additions) and S<RFC 8054> (NNTP
-compression) or their replacements.
+(NNTP), S<RFC 4642> updated by S<RFC 8143> (TLS/NNTP), S<RFC 4643>
+(NNTP authentication), S<RFC 4644> (streaming NNTP feeds), S<RFC 5536>
+(USEFOR), S<RFC 5537> (USEPRO), S<RFC 6048> (NNTP LIST additions)
+and S<RFC 8054> (NNTP compression) or their replacements.
 
 In brief, Netnews is a set of protocols for exchanging messages between
 a decentralized network of news servers.  News articles are organized
