(START)TLS between servers?

[Julien ÉLIE]

Hi Adam,

>> Unfortunately, I do not believe that a news server currently supports
>> the STARTTLS command for its transit mode.
>> It is commonly used as a feature for the reader mode.
>
> Since INN does support STARTTLS when clients connect, it might not
> be a big change to support it when servers do?

Well, that is not straight-forward to implement.
When you say that INN supports STARTTLS, it is in fact nnrpd that 
supports it (and acting as a "TLS server").
At least two other programs need being modified:  innd (acting as a TLS 
server, like nnrpd) and innfeed (acting as a TLS client).  When I say 
"at least", it is because one may want to also use TLS with tinyleaf, 
pullnews, actsync, innxmit, inews, etc.

Maybe a way to use compression between two servers would have more 
priority (though TLS could also compress data).



> I admit I haven't looked at the code, I was just asking to learn if I
> had overlooked something and it was already there.

No, it is not currently here.
I believe it is of low priority because of the fact that stunnel can be 
easily implemented (though it logs everything as coming from "localhost" 
as far as I know — never tested myself).



>> The best and usual way, if you need encryption, is to set up a
>> *stunnel* between the two peers.
>
> Why is that the best?

Because I think it is what people usually do when implementing an 
encrypted connection between news server.

Note to other readers of this mailing-list:  if you have better 
suggestions for encryption, do not hesitate to mention it.

You're right that I cannot say it is the best.  Please read "the best 
and usual way" as "the common way" :-)

-- 
Julien ÉLIE

« J'ai le pied gauche qui est jaloux du pied droit. Quand j'avance le
   pied droit, le pied gauche, qui ne veut pas rester en arrière…
   passe devant… le pied droit en fait autant… et moi… comme un
   imbécile… je marche. » (Raymond Devos)