INN and SSL

Jeffrey M. Vinocur jeff at litech.org
Wed Oct 17 22:46:35 UTC 2007


On Wed, 17 Oct 2007, Todd Olson wrote:

> For a couple years now we have been running a small INN server using
> 
>    inn-2.4.2-STABLE-20050315
> 
> We would now like to deploy reader SSL support.

Heh, is this in response to a request from a user in the past week?


>     a) recompile this code with SSL support
>     b) get and compile the latest code (either release, or stable)

I think you may as well take the opportunity to update.  Julien was kind
enough to note for you the only SSL-specific change lately, but of course
there have been a variety of other bugfixes and small improvements in the
interim.  So there should be some benefit, and very minimal harm, to
updating to either 2.4.3 or a STABLE snapshot.


I'm not sure about the complaints Gabi has about the INN SSL support.  I
wouldn't be surprised to learn there's some difficulty (since a lot of the
deployed client code out in the world predates the release of RFC 4642),
but we'd be happy to look into it if provided specifics.


And as for your request for hints, I will say there are a couple 
interesting things you can do with readers.conf and SSL, namely:

  - if you are having connections start off plaintext and then gain
    security when clients issue the STARTTLS command, then you may find 
    the require_ssl parameter (of readers.conf) useful

  - if you are having connections start off secure (i.e. using port
    563 with either `nnrpd -D` or xinetd), you may want to consider
    using the -c flag to nnrpd so that you can specify a different
    readers.conf entirely

Of course, we're supposed to try to get away from using port 563 (as the 
RFC says), but I think you may find some clients that are still looking 
for it.


-- 
Jeffrey M. Vinocur
jeff at litech.org
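An added example, not part of the message above or of INN's own documentation: two readers.conf sketches for the two setups Jeffrey describes, the STARTTLS-upgraded connection gated with require_ssl and the separate file for a port 563 listener started with `nnrpd -D ... -c`. It assumes the usual readers.conf auth/access group syntax, that the last matching auth group wins, and that nnrpd re-evaluates the groups after a successful STARTTLS; group names, identities and the file path are made up.

```conf
# readers.conf for the STARTTLS case (example, not from the original post).
# Auth groups are tried in order and the last one that matches is used, so
# the TLS-only group must come after the catch-all group.

# Connection still in plaintext (no STARTTLS yet): match it, but allow
# reading only, so no credentials or posts travel in the clear.
auth "before-starttls" {
    hosts: "*"
    require_ssl: false
    default: "<plain>"
}

access "plain-readonly" {
    users: "<plain>"
    newsgroups: "*"
    access: "R"
}

# After the client negotiates TLS with STARTTLS this group matches instead
# (require_ssl: true never matches a plaintext connection) and grants
# read and post.
auth "after-starttls" {
    hosts: "*"
    require_ssl: true
    default: "<tls>"
}

access "tls-readwrite" {
    users: "<tls>"
    newsgroups: "*"
    access: "RP"
}

# --- second, separate file, e.g. readers-563.conf (hypothetical name) ---
# Used only by the daemon serving the implicit-TLS port, started as
#   nnrpd -D -c readers-563.conf <plus the port/SSL switches of your nnrpd version>
# Every connection here is already encrypted before the first command, so
# a single auth group is enough and require_ssl is not needed.
auth "port563" {
    hosts: "*"
    default: "<tls>"
}

access "port563-readwrite" {
    users: "<tls>"
    newsgroups: "*"
    access: "RP"
}
```

Because the plaintext group still matches encrypted connections, the ordering comment matters: swap the two auth groups and TLS clients would be left read-only.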

