INN and SSL
Jeffrey M. Vinocur
jeff at litech.org
Wed Oct 17 22:46:35 UTC 2007
On Wed, 17 Oct 2007, Todd Olson wrote:
> For a couple years now we have been running a small INN server using
>
> inn-2.4.2-STABLE-20050315
>
> We would now like to deploy reader SSL support.
Heh, is this in response to a request from a user in the past week?
> a) recompile this code with SSL support
> b) get and compile the latest code (either release, or stable)
I think you may as well take the opportunity to update. Julien was kind
enough to note for you the only SSL-specific change lately, but of course
there have been a variety of other bugfixes and small improvements in the
interim. So there should be some benefit, and very minimal harm, to
updating to either 2.4.3 or a STABLE snapshot.
I'm not sure about the complaints Gabi has about the INN SSL support. I
wouldn't be surprised to learn there's some difficulty (since a lot of the
deployed client code out in the world predates the release of RFC 4642),
but we'd be happy to look into it if provided specifics.
And as for your request for hints, I will say there are a couple
interesting things you can do with readers.conf and SSL, namely:
- if you are having connections start off plaintext and then gain
security when clients issue the STARTTLS command, then you may find
the require_ssl parameter (of readers.conf) useful
- if you are having connections start off secure (i.e. using port
563 with either `nnrpd -D` or xinetd), you may want to consider
using the -c flag to nnrpd so that you can specify a different
readers.conf entirely
Of course, we're supposed to try to get away from using port 563 (as the
RFC says), but I think you may find some clients that are still looking
for it.
--
Jeffrey M. Vinocur
jeff at litech.org
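The two readers.conf arrangements described above (a STARTTLS-gated auth group via require_ssl, and a separate configuration file handed to nnrpd with -c for connections that are TLS from the first byte on port 563), written out as an added illustration that is not part of the original message or of INN's own documentation. The file paths, the identity and group names, the ckpasswd password file, and the newsgroup patterns are all assumptions chosen for the example; the -S flag that makes nnrpd negotiate TLS immediately is taken from the nnrpd(8) man page of that era and should be checked against the version actually installed.

```conf
# --- readers.conf (assumed path /usr/local/news/etc/readers.conf) ---
# Used for the plaintext port 119 listener. Connections start unencrypted;
# nnrpd re-evaluates the auth groups after the client issues STARTTLS, so
# the "tls-users" group below can only ever match a secured session.

auth "tls-users" {
    require_ssl: true                      # only matches after STARTTLS
    hosts: "*"
    auth: "ckpasswd -f /usr/local/news/etc/readers.passwd"  # assumed file
    default: "<tls-anon>"                  # identity if no AUTHINFO is sent
}

auth "plain-anyone" {
    hosts: "*"
    default: "<plain>"                     # identity for unencrypted sessions
}

access "authenticated-over-tls" {
    users: "*@*"                           # anyone who passed ckpasswd
    newsgroups: "*"                        # full read and post
}

access "tls-unauthenticated" {
    users: "<tls-anon>"
    read: "local.*"                        # example: read-only local hierarchy
    post: "!*"
}

access "plaintext-readers" {
    users: "<plain>"
    read: "local.announce"                 # deliberately minimal until STARTTLS
    post: "!*"
}

# --- readers-ssl.conf (assumed path /usr/local/news/etc/readers-ssl.conf) ---
# A separate file for the implicit-TLS listener on port 563. Because every
# connection here is already encrypted, no require_ssl gate is needed and the
# plaintext groups above never apply.

auth "nntps" {
    hosts: "*"
    auth: "ckpasswd -f /usr/local/news/etc/readers.passwd"
    default: "<nntps-anon>"
}

access "nntps-authenticated" {
    users: "*@*"
    newsgroups: "*"
}

access "nntps-anonymous" {
    users: "<nntps-anon>"
    read: "local.*"
    post: "!*"
}

# --- xinetd entry for port 563 (assumed service name "nntps" in /etc/services) ---
# service nntps
# {
#     socket_type = stream
#     protocol    = tcp
#     wait        = no
#     user        = news
#     server      = /usr/local/news/bin/nnrpd
#     server_args = -S -c /usr/local/news/etc/readers-ssl.conf
# }
#
# Equivalent standalone daemon form (instead of xinetd):
#     nnrpd -D -S -p 563 -c /usr/local/news/etc/readers-ssl.conf
```

The point of splitting the files is that nnrpd -c chooses the configuration per listener, so the port 563 policy cannot be reached by a plaintext client at all, while on port 119 the require_ssl auth group is what prevents a client that never upgrades from inheriting the privileged access groups. When testing, connect to port 119, issue STARTTLS, and confirm with AUTHINFO that the session lands in the intended group; then connect to port 563 with an implicit-TLS client and confirm the plaintext-only group is never offered.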