nnrpd with SSL - questions

Boryan Yotov yotov at prosyst.com
Mon Aug 4 12:51:38 UTC 2003


Hello,

I'm trying to get nnrpd working with SSL, and at the
time of this post I've found a few issues which are
unclear to me:

Note: I'm using inn-2.4.0

1. Should nnrpd be started as root (in order to bind
to port 563), or does it need to be setuid root and started
as the news user? This is in case nnrpd is started
standalone or invoked using tcpwrappers.

2. In the nnrpd man page it is written that:

> It is normally invoked by innd(8) with those
> descriptors attached to a remote client connection.

I didn't find a way to order innd to listen on port
563. So my question here is: is there a way to set
innd to listen on port 563 as well as on 119, so that
reader connections are then forwarded to nnrpd?

3. I've started nnrpd in daemon mode using the following
line as root:

#/news/bin/nnrpd -D -b xxx.xxx.xxx.xxx -p 563 -S

with the SSL certificate and RSA private key located in
"/news/lib/cert.pem", owned by "news:news" and with
permissions set to 0640, as proposed in the "sasl" man
page and as performed when "make cert" is issued as
root.

from the sasl.conf man page:
> To use SSL, a certificate and private key are needed that
> you can create using the openssl binary.  Make certain
> that each key is owned by your news user, news group,
> and is mode 0640 or 0660.

from inn-2.4.0/Makefile:
> ##  Install a certificate for TLS/SSL support.
> cert:
>         $(SSLBIN)/openssl req -new -x509 -nodes \
>             -out $(PATHLIB)/cert.pem -days 366 \
>             -keyout $(PATHLIB)/cert.pem
>         chown $(NEWSUSER) $(PATHLIB)/cert.pem
>         chgrp $(NEWSGROUP) $(PATHLIB)/cert.pem
>         chmod 640 $(PATHLIB)/cert.pem

Once I try to connect with a news reader (set up for SSL), I receive
the following error in "news.debug":

> Aug  4 11:06:47 news nnrpd[12599]: bad ownership or permissions on private key '/news/lib/cert.pem'
> Aug  4 11:06:47 news nnrpd[12599]: error initializing TLS: [CA_file: ] [CA_path: /news/lib] [cert_file: /news/lib/cert.pem] [key_file: /news/lib/cert.pem]

Looking through the code of "nnrpd/tls.c", I hit the following
code (function set_cert_stuff, line 421):

> if (!S_ISREG(buf.st_mode) || (buf.st_mode & 0077) != 0 ||
>             buf.st_uid != getuid()) {
>             syslog(L_ERROR, "bad ownership or permissions on private key '%s'",
>                   cert_file);
>             return (0);
>         }

Obviously, if the "cert.pem" file owner UID is not the same
as the nnrpd process's real user UID, or the "cert.pem" file
permissions are not set to "xx00", this error will be returned.
Isn't this contrary to what is written in the man page
and done when "make cert" is issued?

Since I'm starting nnrpd standalone as root, I changed the
/news/lib/cert.pem permissions and owner as follows:

#chown root:root /news/lib/cert.pem
#chmod 0700 /news/lib/cert.pem

This time no "bad ownership or permissions on private key"
error was logged, but instead:

> Aug  4 11:40:15 news nnrpd[22970]: unable to get certificate from '/usr/local/bobi/news/lib/cert.pem'
> Aug  4 11:40:15 news nnrpd[22970]: error initializing TLS: [CA_file: ] [CA_path: /usr/local/bobi/news/lib] [cert_file: /usr/local/bobi/news/lib/cert.pem] [key_file: /usr/local/bobi/news/lib/cert.pem]

This means it could not open the "cert.pem" file as defined
in "etc/sasl.conf", probably because of improper file
permissions, e.g. no read permission.
This error is issued again from nnrpd/tls.c, in the same
set_cert_stuff function, but this time on line 408, i.e.
a few lines before the ownership test.

> if (SSL_CTX_use_certificate_file(ctx, cert_file,
>                                          SSL_FILETYPE_PEM) <= 0) {
>             syslog(L_ERROR, "unable to get certificate from '%s'", cert_file);
>             return (0);
>         }

To me it looks like the reason for my problem is that
I've started nnrpd with the root UID. Do I need to start it
setuid root with the news UID? Or is there a defined way
this needs to be performed? 10x in advance :)

Best regards,
Boryan Yotov
