INN 2.3 + OpenSSL (fwd)
Kenichi Okada
okada at opaopa.org
Mon Jun 19 20:01:38 UTC 2000
Hi,
> I configured it for openssl (configure --with-openssl=/path/to/ssl)
> and compiled it. I even make a cert for news daemon but I don't know
> how to "turn on" SSL functionality. After "inndstart" daemon listens
> only on port 119.
Currently inn supports only the `starttls' command from RFC 2595,
as also supported by sendmail-8.11.*, cyrus-imapd-2.0.* and so on.
> NNTPS port is unused. I've tried to start innd with
> -P563 option but it won't work because server "can't bind to restricted port".
If you want to use SSL tunneling,
try the attached patch; the `-S' flag will then be available as follows.
server# nnrpd -D -p 563 -S
client% openssl s_client -host server -port 563
equivalent to
server# nnrpd -D -p 8563
server# stunnel -p /usr/local/ssl/certs/cyrus.pem -d 563 -r kohada:8563
client% openssl s_client -host server -port 563
--
Kenichi Okada
mailto:okada at opaopa.org
*** doc/man/nnrpd.8-orig Tue Jun 20 04:15:08 2000
--- doc/man/nnrpd.8 Tue Jun 20 04:42:02 2000
***************
*** 31,36 ****
--- 31,39 ----
[
.B \-t
]
+ [
+ .B \-S
+ ]
.SH DESCRIPTION
.I Nnrpd
is an NNTP server for newsreaders.
***************
*** 157,162 ****
--- 160,173 ----
This has to be a valid Internet
address in dotted-quad format belonging to an interface of the local
host.
+ .TP
+ .B \-S
+ If specified,
+ .I nnrpd
+ start a negotiation for SSL session as soon as connected.
+ To use this option,
+ .I nnrpd
+ must be built with OpenSSL at compile time.
.SH "PROTOCOL DIFFERENCES"
.I Nnrpd
implements the NNTP commands defined in RFC 977, with the following
*** nnrpd/nnrpd.c-orig Tue Jun 20 03:38:12 2000
--- nnrpd/nnrpd.c Tue Jun 20 04:13:03 2000
***************
*** 706,712 ****
struct group *grp;
GID_T shadowgid;
#endif /* HAVE_GETSPNAM */
!
#if !defined(_HPUX_SOURCE)
/* Save start and extent of argv for TITLEset. */
TITLEstart = argv[0];
--- 706,714 ----
struct group *grp;
GID_T shadowgid;
#endif /* HAVE_GETSPNAM */
! #ifdef HAVE_SSL
! int ssl_result;
! #endif /* HAVE_SSL */
#if !defined(_HPUX_SOURCE)
/* Save start and extent of argv for TITLEset. */
TITLEstart = argv[0];
***************
*** 725,731 ****
if (ReadInnConf() < 0) exit(1);
! while ((i = getopt(argc, argv, "b:Di:g:op:Rr:s:t")) != EOF)
switch (i) {
default:
Usage();
--- 727,733 ----
if (ReadInnConf() < 0) exit(1);
! while ((i = getopt(argc, argv, "b:Di:g:op:Rr:s:t:S")) != EOF)
switch (i) {
default:
Usage();
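Review bot: The new option string `"b:Di:g:op:Rr:s:t:S"` turns `t` into `t:`, so `-t` now demands an argument although the `case 't'` handler in the next hunk only sets `Tracing = TRUE` and never reads `optarg`; a bare `-t` will swallow the following argument or drop into `Usage()`. Only `S` was meant to be added: `while ((i = getopt(argc, argv, "b:Di:g:op:Rr:s:tS")) != EOF)`. Accepting `S` unconditionally while its handler sits under `#ifdef HAVE_SSL` is acceptable, since a non-SSL build reaches `default: Usage()`, but a one-line comment at the option string saying so would save the next reader the check. The enclosing function starts and ends outside this hunk.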
***************
*** 764,769 ****
--- 766,776 ----
case 't': /* Tracing */
Tracing = TRUE;
break;
+ #ifdef HAVE_SSL
+ case 'S': /* SSL negotiation as soon as connected */
+ initialSSL = TRUE;
+ break;
+ #endif /* HAVE_SSL */
}
argc -= optind;
if (argc)
***************
*** 936,941 ****
--- 943,981 ----
exit(1);
}
STATstart = TIMEINFOasDOUBLE(Now);
+
+ #ifdef HAVE_SSL
+ if (initialSSL) {
+ sasl_config_read();
+ ssl_result=tls_init_serverengine(5, /* depth to verify */
+ 1, /* can client auth? */
+ 0, /* required client to auth? */
+ (char *)sasl_config_getstring("tls_ca_file", ""),
+ (char *)sasl_config_getstring("tls_ca_path", ""),
+ (char *)sasl_config_getstring("tls_cert_file", ""),
+ (char *)sasl_config_getstring("tls_key_file", ""));
+ if (ssl_result == -1) {
+ Reply("%d Error initializing TLS\r\n", NNTP_STARTTLS_BAD_VAL);
+
+ syslog(L_ERROR, "error initializing TLS: "
+ "[CA_file: %s] [CA_path: %s] [cert_file: %s] [key_file: %s]",
+ (char *) sasl_config_getstring("tls_ca_file", ""),
+ (char *) sasl_config_getstring("tls_ca_path", ""),
+ (char *) sasl_config_getstring("tls_cert_file", ""),
+ (char *) sasl_config_getstring("tls_key_file", ""));
+ ExitWithStats(1, FALSE);
+ }
+
+ ssl_result=tls_start_servertls(0, /* read */
+ 1); /* write */
+ if (ssl_result==-1) {
+ Reply("%d Starttls failed\r\n", NNTP_STARTTLS_BAD_VAL);
+ ExitWithStats(1, FALSE);
+ }
+
+ nnrpd_starttls_done=1;
+ }
+ #endif /* HAVE_SSL */
#if NNRP_LOADLIMIT > 0
if ((load = GetLoadAverage()) > NNRP_LOADLIMIT) {
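Review bot: The `tls_start_servertls` failure branch only calls `Reply()` and exits, whereas the `tls_init_serverengine` failure branch also writes a syslog line; since a client connecting to this port has already begun a TLS handshake, the plaintext `Starttls failed` reply will not be understood, so syslog is the only place an operator can see why the session died. Add a log line before the exit, e.g. `syslog(L_ERROR, "starttls failed for initial SSL session");`. The literals `5, 1, 0` passed to `tls_init_serverengine` set the verify depth and the client-certificate policy (permitted, not required, per the inline comments) and would read better as named constants so that the policy is visible to whoever reviews the deployment. The enclosing function starts and ends outside this hunk.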
*** nnrpd/nnrpd.h-orig Tue Jun 20 03:50:27 2000
--- nnrpd/nnrpd.h Tue Jun 20 03:51:00 2000
***************
*** 131,136 ****
--- 131,137 ----
EXTERN ACCESSGROUP *PERMaccessconf;
EXTERN BOOL Tracing;
EXTERN BOOL Offlinepost;
+ EXTERN BOOL initialSSL;
EXTERN char **PERMreadlist;
EXTERN char **PERMpostlist;
EXTERN char ClientHost[SMBUF];