INN 2.3 + OpenSSL (fwd)

Kenichi Okada okada at opaopa.org
Mon Jun 19 20:01:38 UTC 2000


Hi,

> I configured it for openssl (configure --with-openssl=/path/to/ssl)
> and compiled it. I even make a cert for news daemon but I don't know 
> how to "turn on" SSL functionality. After "inndstart" daemon listens
> only on port 119. 

Currently inn supports only the `starttls' command from RFC 2595,
as supported by sendmail-8.11.*, cyrus-imapd-2.0.* and so on.

> NNTPS port is unused. I've tried to start innd with
> -P563 option but it won't work because server "can't bind to restricted port".

If you want to use SSL tunneling,
try the attached patch; the `-S' flag then becomes available as follows.

server# nnrpd -D -p 563 -S
client% openssl s_client -host server -port 563

which is equivalent to

server# nnrpd -D -p 8563
server# stunnel -p /usr/local/ssl/certs/cyrus.pem -d 563 -r kohada:8563
client% openssl s_client -host server -port 563

-- 
Kenichi Okada
mailto:okada at opaopa.org


*** doc/man/nnrpd.8-orig	Tue Jun 20 04:15:08 2000
--- doc/man/nnrpd.8	Tue Jun 20 04:42:02 2000
***************
*** 31,36 ****
--- 31,39 ----
  [
  .B \-t
  ]
+ [
+ .B \-S
+ ]
  .SH DESCRIPTION
  .I Nnrpd
  is an NNTP server for newsreaders.
***************
*** 157,162 ****
--- 160,173 ----
  This has to be a valid Internet
  address in dotted-quad format belonging to an interface of the local
  host.
+ .TP
+ .B \-S
+ If specified, 
+ .I nnrpd
+ start a negotiation for SSL session as soon as connected.
+ To use this option,
+ .I nnrpd
+ must be built with OpenSSL at compile time.
  .SH "PROTOCOL DIFFERENCES"
  .I Nnrpd
  implements the NNTP commands defined in RFC 977, with the following
*** nnrpd/nnrpd.c-orig	Tue Jun 20 03:38:12 2000
--- nnrpd/nnrpd.c	Tue Jun 20 04:13:03 2000
***************
*** 706,712 ****
      struct group	*grp;
      GID_T		shadowgid;
  #endif /* HAVE_GETSPNAM */
! 
  #if	!defined(_HPUX_SOURCE)
      /* Save start and extent of argv for TITLEset. */
      TITLEstart = argv[0];
--- 706,714 ----
      struct group	*grp;
      GID_T		shadowgid;
  #endif /* HAVE_GETSPNAM */
! #ifdef HAVE_SSL
!     int ssl_result;
! #endif /* HAVE_SSL */
  #if	!defined(_HPUX_SOURCE)
      /* Save start and extent of argv for TITLEset. */
      TITLEstart = argv[0];
***************
*** 725,731 ****
  
      if (ReadInnConf() < 0) exit(1);
  
!     while ((i = getopt(argc, argv, "b:Di:g:op:Rr:s:t")) != EOF)
  	switch (i) {
  	default:
  	    Usage();
--- 727,733 ----
  
      if (ReadInnConf() < 0) exit(1);
  
!     while ((i = getopt(argc, argv, "b:Di:g:op:Rr:s:t:S")) != EOF)
  	switch (i) {
  	default:
  	    Usage();
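Review bot: The new getopt string `"b:Di:g:op:Rr:s:t:S"` changes `t` into `t:`, so `-t` now requires an argument and consumes whatever follows it on the command line, while `case 't'` (next hunk) only sets `Tracing = TRUE` and never reads `optarg`; the string should be `"b:Di:g:op:Rr:s:tS"`. `S` is also accepted by getopt regardless of `HAVE_SSL`, but its `case` exists only inside `#ifdef HAVE_SSL`, so a non-SSL build reports `-S` through `Usage()`; that seems acceptable but deserves a comment such as `/* -S is rejected via Usage() when built without OpenSSL */`. The enclosing function begins before this hunk and continues after it.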
***************
*** 764,769 ****
--- 766,776 ----
  	case 't':			/* Tracing */
  	    Tracing = TRUE;
  	    break;
+ #ifdef HAVE_SSL
+ 	case 'S':			/* SSL negotiation as soon as connected */
+ 	    initialSSL = TRUE;
+ 	    break;
+ #endif /* HAVE_SSL */
  	}
      argc -= optind;
      if (argc)
***************
*** 936,941 ****
--- 943,981 ----
  	exit(1);
      }
      STATstart = TIMEINFOasDOUBLE(Now);
+ 
+ #ifdef HAVE_SSL
+     if (initialSSL) {
+       sasl_config_read();
+       ssl_result=tls_init_serverengine(5,        /* depth to verify */
+ 				       1,        /* can client auth? */
+ 				       0,        /* required client to auth? */
+ 				       (char *)sasl_config_getstring("tls_ca_file", ""),
+ 				       (char *)sasl_config_getstring("tls_ca_path", ""),
+ 				       (char *)sasl_config_getstring("tls_cert_file", ""),
+ 				       (char *)sasl_config_getstring("tls_key_file", ""));
+       if (ssl_result == -1) {
+ 	Reply("%d Error initializing TLS\r\n", NNTP_STARTTLS_BAD_VAL);
+ 	
+ 	syslog(L_ERROR, "error initializing TLS: "
+ 	       "[CA_file: %s] [CA_path: %s] [cert_file: %s] [key_file: %s]",
+ 	       (char *) sasl_config_getstring("tls_ca_file", ""),
+ 	       (char *) sasl_config_getstring("tls_ca_path", ""),
+ 	       (char *) sasl_config_getstring("tls_cert_file", ""),
+ 	       (char *) sasl_config_getstring("tls_key_file", ""));
+ 	ExitWithStats(1, FALSE);
+       }
+ 
+       ssl_result=tls_start_servertls(0, /* read */
+ 				     1); /* write */
+       if (ssl_result==-1) {
+ 	Reply("%d Starttls failed\r\n", NNTP_STARTTLS_BAD_VAL);
+ 	ExitWithStats(1, FALSE);
+       }
+ 
+       nnrpd_starttls_done=1;
+     }
+ #endif /* HAVE_SSL */
  
  #if	NNRP_LOADLIMIT > 0
      if ((load = GetLoadAverage()) > NNRP_LOADLIMIT) {
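Review bot: Both failure paths write a cleartext NNTP reply (`Reply("%d Error initializing TLS\r\n", ...)` and `Reply("%d Starttls failed\r\n", ...)`) to a client that, on a `-S` port, is waiting for a TLS handshake and cannot interpret it; dropping the two `Reply()` calls and keeping only the syslog plus `ExitWithStats(1, FALSE)` is cleaner. The second failure logs nothing at all, so a line such as `syslog(L_ERROR, "initial TLS negotiation failed");` before the exit would help operators diagnose a bad certificate or key. The handshake is also performed before the `NNRP_LOADLIMIT` check that follows, so an overloaded server completes a full TLS negotiation before refusing the connection; if cheap rejection under load is intended, this block belongs after that check. The enclosing function begins and ends outside this hunk.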
*** nnrpd/nnrpd.h-orig	Tue Jun 20 03:50:27 2000
--- nnrpd/nnrpd.h	Tue Jun 20 03:51:00 2000
***************
*** 131,136 ****
--- 131,137 ----
  EXTERN ACCESSGROUP	*PERMaccessconf;
  EXTERN BOOL	Tracing;
  EXTERN BOOL 	Offlinepost;
+ EXTERN BOOL 	initialSSL;
  EXTERN char	**PERMreadlist;
  EXTERN char	**PERMpostlist;
  EXTERN char	ClientHost[SMBUF];


