INN 2.3 + OpenSSL (fwd)
Kenichi Okada
okada at opaopa.org
Fri Jun 23 19:36:29 UTC 2000
I have updated the patch I sent to inn-workers.
This patch is for the BETA and CURRENT trees.
--
Kenichi Okada
mailto:okada at opaopa.org
In the message "Re: INN 2.3 + OpenSSL (fwd)"
<sgem5tsan1.wl at opaopa.org>
Kenichi Okada <okada at opaopa.org> wrote:
> If you want to use a ssl-tunneling,
> try the attached patch, and the `-S' flag will be available as follows.
>
> server# nnrpd -D -p 563 -S
> client% openssl s_client -host server -port 563
diff -r -c inn-BETA-20000622-orig/doc/man/nnrpd.8 inn-BETA-20000622/doc/man/nnrpd.8
*** inn-BETA-20000622-orig/doc/man/nnrpd.8 Fri Oct 1 07:37:52 1999
--- inn-BETA-20000622/doc/man/nnrpd.8 Sat Jun 24 04:25:35 2000
***************
*** 31,36 ****
--- 31,39 ----
[
.B \-t
]
+ [
+ .B \-S
+ ]
.SH DESCRIPTION
.I Nnrpd
is an NNTP server for newsreaders.
***************
*** 157,162 ****
--- 160,173 ----
This has to be a valid Internet
address in dotted-quad format belonging to an interface of the local
host.
+ .TP
+ .B \-S
+ If specified,
+ .I nnrpd
+ start a negotiation for SSL session as soon as connected.
+ To use this option,
+ .I nnrpd
+ must be built with OpenSSL at compile time.
.SH "PROTOCOL DIFFERENCES"
.I Nnrpd
implements the NNTP commands defined in RFC 977, with the following
diff -r -c inn-BETA-20000622-orig/nnrpd/nnrpd.c inn-BETA-20000622/nnrpd/nnrpd.c
*** inn-BETA-20000622-orig/nnrpd/nnrpd.c Thu Jun 22 18:04:56 2000
--- inn-BETA-20000622/nnrpd/nnrpd.c Sat Jun 24 04:25:36 2000
***************
*** 761,766 ****
--- 761,770 ----
GID_T shadowgid;
#endif /* HAVE_GETSPNAM */
+ #ifdef HAVE_SSL
+ int ssl_result;
+ #endif /* HAVE_SSL */
+
#if !defined(_HPUX_SOURCE)
/* Save start and extent of argv for TITLEset. */
TITLEstart = argv[0];
***************
*** 779,785 ****
--- 783,793 ----
if (ReadInnConf() < 0) exit(1);
+ #ifdef HAVE_SSL
+ while ((i = getopt(argc, argv, "b:Di:g:op:Rr:s:t:S")) != EOF)
+ #else
while ((i = getopt(argc, argv, "b:Di:g:op:Rr:s:t")) != EOF)
+ #endif /* HAVE_SSL */
switch (i) {
default:
Usage();
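Review bot: The entire getopt option string is duplicated across the `#ifdef HAVE_SSL` / `#else` branches of the `while` line, so an option added later to one copy can silently be missed in the other and the two builds drift apart. One `while ((i = getopt(argc, argv, OPTS)) != EOF)` with the string assembled from a single base, e.g. a constructed `#define OPTS "b:Di:g:op:Rr:s:t"` that gains `"S"` only under HAVE_SSL, keeps a single loop header. The enclosing main() starts and ends outside this hunk.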
***************
*** 818,823 ****
--- 826,836 ----
case 't': /* Tracing */
Tracing = TRUE;
break;
+ #ifdef HAVE_SSL
+ case 'S': /* SSL negotiation as soon as connected */
+ initialSSL = TRUE;
+ break;
+ #endif /* HAVE_SSL */
}
argc -= optind;
if (argc)
***************
*** 990,995 ****
--- 1003,1041 ----
exit(1);
}
STATstart = TIMEINFOasDOUBLE(Now);
+
+ #ifdef HAVE_SSL
+ if (initialSSL) {
+ sasl_config_read();
+ ssl_result=tls_init_serverengine(5, /* depth to verify */
+ 1, /* can client auth? */
+ 0, /* required client to auth? */
+ (char *)sasl_config_getstring("tls_ca_file", ""),
+ (char *)sasl_config_getstring("tls_ca_path", ""),
+ (char *)sasl_config_getstring("tls_cert_file", ""),
+ (char *)sasl_config_getstring("tls_key_file", ""));
+ if (ssl_result == -1) {
+ Reply("%d Error initializing TLS\r\n", NNTP_STARTTLS_BAD_VAL);
+
+ syslog(L_ERROR, "error initializing TLS: "
+ "[CA_file: %s] [CA_path: %s] [cert_file: %s] [key_file: %s]",
+ (char *) sasl_config_getstring("tls_ca_file", ""),
+ (char *) sasl_config_getstring("tls_ca_path", ""),
+ (char *) sasl_config_getstring("tls_cert_file", ""),
+ (char *) sasl_config_getstring("tls_key_file", ""));
+ ExitWithStats(1, FALSE);
+ }
+
+ ssl_result=tls_start_servertls(0, /* read */
+ 1); /* write */
+ if (ssl_result==-1) {
+ Reply("%d Starttls failed\r\n", NNTP_STARTTLS_BAD_VAL);
+ ExitWithStats(1, FALSE);
+ }
+
+ nnrpd_starttls_done=1;
+ }
+ #endif /* HAVE_SSL */
#if NNRP_LOADLIMIT > 0
if ((load = GetLoadAverage()) > NNRP_LOADLIMIT) {
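Review bot: In both error branches of the new initialSSL block, the `Reply("%d Error initializing TLS\r\n", ...)` and `Reply("%d Starttls failed\r\n", ...)` lines write a plaintext NNTP status line on a socket where the peer connected expecting a TLS handshake from the first byte; an implicit-TLS client will not parse that text, and after a failed handshake the stream state is indeterminate anyway. Dropping the two Reply lines and keeping only the syslog plus `ExitWithStats(1, FALSE);` would leave the plaintext reply to the STARTTLS command path, where it belongs. The `ssl_result == -1` tests catch only one failure value; if tls_init_serverengine() or tls_start_servertls() can return other negative codes (not visible from this hunk), `if (ssl_result < 0)` is the safer check. The `5, 1, 0` arguments to tls_init_serverengine() carry only inline fragments; a short comment such as `/* accept but do not require a client certificate; paths come from the tls_* keys read by sasl_config_read() */` would spare the next reader a trip to tls.c. The enclosing main() begins and ends outside this hunk.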
diff -r -c inn-BETA-20000622-orig/nnrpd/nnrpd.h inn-BETA-20000622/nnrpd/nnrpd.h
*** inn-BETA-20000622-orig/nnrpd/nnrpd.h Thu Jun 22 18:04:56 2000
--- inn-BETA-20000622/nnrpd/nnrpd.h Sat Jun 24 04:25:36 2000
***************
*** 132,137 ****
--- 132,138 ----
EXTERN ACCESSGROUP *PERMaccessconf;
EXTERN BOOL Tracing;
EXTERN BOOL Offlinepost;
+ EXTERN BOOL initialSSL;
EXTERN char **PERMreadlist;
EXTERN char **PERMpostlist;
EXTERN char ClientHost[SMBUF];