forced 128Bit Encryption over INN-2.3.1-SSL

Jeffrey M. Vinocur jeff at litech.org
Thu Jun 14 14:46:13 UTC 2001


On Thu, 14 Jun 2001, Russell Virgilio wrote:
>
> I have modified my version of INN 2.3.1 and ckpasswd to use kerberos hooks
> for user/pass verification.  The point of this exercise is to allow
> off-campus users access to campus hierarchies using their campus
> user/pass.  I would like to go even further and demand at least 128 Bit
> encryption, and present the user with this information/deny them access if
> their browser does not support high grade encryption.

Hmm.  If I understand what you say about kerberos, their passwords are
never being sent over the network unencrypted.  So you want to use SSL
just to encrypt the actual articles going over the network?  It doesn't
seem worth it -- are your internal hierarchies so private that it's worth
restricting the users to only a small number of newsreaders (most don't
support SSL)?

I don't know how to force nnrpd to only negotiate 128-bit SSL connections,
but let us set that aside for the moment.  You can require SSL to be used
easily enough with the -S flag to nnrpd, but if you want to give error
messages back (not that the clients are guaranteed to display them to the
user, but some do) you might want a couple of my patches (in particular,
"nnrpd-ssl" for being able to check if SSL is being used from
readers.conf, and "nnrpd-rejectwith", which allows arbitrary error
messages to be sent to users based on readers.conf configuration) from
http://www.litech.org/~jeff/inn-diffs/ (descriptions of the patches are
at the bottom of the page).

-- 
Jeffrey M. Vinocur
jeff at litech.org