nnrpd with SSL - questions - small error correction in the post

Boryan Yotov yotov at prosyst.com
Mon Aug 4 13:50:06 UTC 2003


Boryan Yotov wrote:
> Hello,
> 
> I'm trying to get nnrpd working with SSL and at the
> time of this post I've found a few issues which are
> unclear to me:
> 
> Note: I'm using inn-2.4.0
> 
> 1. Should nnrpd be started as root (in order to bind
> to port 563) or does it need to be setuid root and started
> as the news user? This is in case nnrpd is started
> standalone or invoked using tcpwrappers.
> 
> 2. In the nnrpd man page it is written that:
> 
> 
>>It is normally invoked by innd(8) with those
>>descriptors attached to a remote client connection.
> 
> 
> I didn't find a way to order innd to listen on port
> 563. So my question here is: is there a way to make
> innd listen on port 563 as well as on 119 in order
> for reader connections to then be forwarded to nnrpd?
> 
> 3. I've started nnrpd in daemon mode using the following
> line as root:
> 
> #/news/bin/nnrpd -D -b xxx.xxx.xxx.xxx -p 563 -S
> 
> with the SSL certificate and RSA private key located in
> "/news/lib/cert.pem", owned by "news:news" and with
> permissions set to 0640 as proposed in the "sasl" man
> page and as performed when "make cert" is issued as
> root.
> 
> from sasl.conf man page:
> 
>>To use SSL, a certificate and private key are needed that
>>       you can create using the openssl binary.  Make certain
>>       that each keys are owned by your news user, news group,
>>       and are mode 0640 or 0660.
> 
> 
> from inn-2.4.0/Makefile:
> 
>>##  Install a certificate for TLS/SSL support.
>>cert:
>>        $(SSLBIN)/openssl req -new -x509 -nodes \
>>            -out $(PATHLIB)/cert.pem -days 366 \
>>            -keyout $(PATHLIB)/cert.pem
>>        chown $(NEWSUSER) $(PATHLIB)/cert.pem
>>        chgrp $(NEWSGROUP) $(PATHLIB)/cert.pem
>>        chmod 640 $(PATHLIB)/cert.pem
> 
> 
> Once I try to connect with news reader (setup for SSL) I receive
> the following error in "news.debug":
> 
> 
>>Aug  4 11:06:47 news nnrpd[12599]: bad ownership or permissions on private key '/news/lib/cert.pem'
>>Aug  4 11:06:47 news nnrpd[12599]: error initializing TLS: [CA_file: ] [CA_path: /news/lib] [cert_file: /news/lib/cert.pem] [key_file: /news/lib/cert.pem]
> 
> 
> Looking through the code of "nnrpd/tls.c" I hit the following
> code entry (function set_cert_stuff line 421):
> 
> 
>>if (!S_ISREG(buf.st_mode) || (buf.st_mode & 0077) != 0 ||
>>    buf.st_uid != getuid()) {
>>    syslog(L_ERROR, "bad ownership or permissions on private key '%s'",
>>           cert_file);
>>    return (0);
>>}
> 
> 
> Obviously, if the "cert.pem" file owner UID is not the same
> as the nnrpd process real user UID, or the "cert.pem" file
> permissions are not set to "xx00", this error should be returned.
> Isn't this contrary to what is written in the man page
> and done when "make cert" is issued?
> 
> As I'm starting nnrpd standalone as root, I changed the
> /news/lib/cert.pem permissions and owner as follows:
> 
> #chown root:root /news/lib/cert.pem
> #chmod 0700 /news/lib/cert.pem
> 
> This time no "bad ownership or permissions on private key"
> error was logged but instead:
> 
> 
>>Aug  4 11:40:15 news nnrpd[22970]: unable to get certificate from '/usr/local/bobi/news/lib/cert.pem'
>>Aug  4 11:40:15 news nnrpd[22970]: error initializing TLS: [CA_file: ] [CA_path: /usr/local/bobi/news/lib] [cert_file: /usr/local/bobi/news/lib/cert.pem] [key_file: /usr/local/bobi/news/lib/cert.pem]

This is the correct log ... sorry for the mistake

Aug  4 11:40:15 news nnrpd[22970]: unable to get certificate from '/news/lib/cert.pem'
Aug  4 11:40:15 news nnrpd[22970]: error initializing TLS: [CA_file: ] [CA_path: /usr/local/bobi/news/lib] [cert_file: /news/lib/cert.pem] [key_file: /news/lib/cert.pem]



> 
> 
> Which means it could not open the "cert.pem" file as defined
> in "etc/sasl.conf", probably because of improper file
> permissions, e.g. no read permission.
> This error is issued again from nnrpd/tls.c in the same
> set_cert_stuff function, but this time on line 408, i.e.
> a few lines before the ownership test.
> 
> 
>>if (SSL_CTX_use_certificate_file(ctx, cert_file,
>>                                 SSL_FILETYPE_PEM) <= 0) {
>>    syslog(L_ERROR, "unable to get certificate from '%s'", cert_file);
>>    return (0);
>>}
> 
> 
> To me it looks like the reason for my problem is that
> I've started nnrpd with the root UID. Do I need to start it
> setuid root with the news UID? Or is there a defined way
> this needs to be performed? 10x in advance :)
> 
> Best regards,
> Boryan Yotov
> 
> 
> 
> 
> 




More information about the inn-workers mailing list