(START)TLS between servers?
Julien ÉLIE
julien at trigofacile.com
Sat Apr 2 18:53:09 UTC 2011
Hi Adam,
>> Unfortunately, I do not believe that a news server currently supports
>> the STARTTLS command for its transit mode.
>> It is commonly used as a feature for the reader mode.
>
> Since INN does support STARTTLS when clients connect, it might not
> be a big change to support it when servers do?
Well, that is not straightforward to implement.
When you say that INN supports STARTTLS, it is in fact nnrpd that
supports it (and acting as a "TLS server").
At least two other programs need to be modified: innd (acting as a TLS
server, like nnrpd) and innfeed (acting as a TLS client). When I say
"at least", it is because one may want to also use TLS with tinyleaf,
pullnews, actsync, innxmit, inews, etc.
Maybe a way to use compression between two servers would have more
priority (though TLS could also compress data).
> I admit I haven't looked at the code, I was just asking to learn if I
> had overlooked something and it was already there.
No, it is not currently here.
I believe it is of low priority because of the fact that stunnel can be
easily implemented (though it logs everything as coming from "localhost"
as far as I know — never tested myself).
>> The best and usual way, if you need encryption, is to set up a
>> *stunnel* between the two peers.
>
> Why is that the best?
Because I think it is what people usually do when implementing an
encrypted connection between news servers.
Note to other readers of this mailing-list: if you have better
suggestions for encryption, do not hesitate to mention them.
You're right that I cannot say it is the best. Please read "the best
and usual way" as "the common way" :-)
--
Julien ÉLIE
« My left foot is jealous of my right foot. When I move my right foot
forward, my left foot, which does not want to be left behind…
goes in front… the right foot does the same… and I… like an
idiot… I walk. » (Raymond Devos)
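The "stunnel between the two peers" arrangement mentioned in the message, written out as an added example (it is not part of the original post, nor an INN or stunnel project file). It assumes two hosts, the sending server running innfeed and the receiving server running innd, that the receiving side listens for TLS on the IANA-registered nntps port 563, that the local plaintext hop uses the constructed port 1119, and that certificate paths and the peer hostname news-peer.example.net are placeholders. The `verify = 2` / `CAfile` options are the classic stunnel spelling for "require and verify the peer certificate"; newer releases also accept `verifyChain = yes`.

```ini
; ---- stunnel.conf on the RECEIVING server (the host running innd) ----
; Terminates TLS on port 563 and hands the plaintext NNTP session to innd
; on 119. Because of this hop, innd sees every peer as 127.0.0.1: incoming.conf
; must therefore allow localhost, innd's logs show "localhost" for all peers
; (the caveat raised in the message), and peer identity is established by the
; client certificate check below rather than by source IP.
[nntp-transit-in]
accept  = 563
connect = 127.0.0.1:119
cert    = /etc/stunnel/receiver.pem      ; placeholder: this host's certificate
key     = /etc/stunnel/receiver.key      ; placeholder: matching private key
CAfile  = /etc/stunnel/peer-ca.pem       ; placeholder: CA that signed the peer's cert
verify  = 2                              ; require a client cert and verify it against CAfile

; ---- stunnel.conf on the SENDING server (the host running innfeed) ----
; innfeed keeps speaking plaintext NNTP to 127.0.0.1:1119; stunnel wraps
; that in TLS and forwards it to the peer's port 563.
[nntp-transit-out]
client  = yes
accept  = 127.0.0.1:1119                 ; constructed local port; bind to loopback only
connect = news-peer.example.net:563      ; placeholder peer hostname
cert    = /etc/stunnel/sender.pem        ; placeholder: client cert presented to the peer
key     = /etc/stunnel/sender.key        ; placeholder: matching private key
CAfile  = /etc/stunnel/peer-ca.pem       ; placeholder: CA that signed the peer's server cert
verify  = 2                              ; verify the receiver's certificate, fail otherwise
```

On the sending side, the peer entry in innfeed.conf is then pointed at 127.0.0.1 with port 1119 instead of the remote host, so innfeed itself needs no TLS support. Binding the client-side `accept` to 127.0.0.1 matters: any local process that can reach that port is sent over the tunnel as the authenticated sender, so it must not be exposed on other interfaces.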