TLS certificate permission checks

Thomas Hochstein inn-workers at ml.th-h.de
Sat Oct 29 13:50:07 UTC 2016


Russ Allbery wrote:

> In another group I read, someone was setting up a TLS certificate for use
> with nnrpd using Let's Encrypt, and they ran into a ton of trouble because
> of the very tight permission checks in nnrpd before it's willing to use
> the certificate.  

Yes. Currently, you have to copy certificate and key (for INN and
Exim) and change owner and permissions (for INN only), AFAIS.

> I think we may be a bit too aggressive about this.  We're trying to
> protect people against mistakes that could leak the key to other users on
> the same host, but it's increasingly uncommon for a news server to run on
> the same box as untrusted people, so I'm not sure how much this matters.
> And it causes some friction when people are setting up automatic
> certificate renewal.

Ack.

-thh
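
Added example, not part of either message and not INN's own code: a Python version of the copy-and-tighten step the reply describes, as a certificate-renewal hook might perform it. The policy checked (regular file, expected owner, no group/other permission bits) and the names `key_is_private` and `install_key` are assumptions for illustration, not nnrpd's actual check.

```python
import os
import shutil
import stat
import tempfile


def key_is_private(path, expected_uid=None):
    """Return (ok, reason). Assumed policy: regular file, owned by the
    service user, no permission bits for group or other."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if expected_uid is not None and st.st_uid != expected_uid:
        return False, "owned by uid %d, expected %d" % (st.st_uid, expected_uid)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False, "mode %04o grants group/other access" % stat.S_IMODE(st.st_mode)
    return True, "ok"


def install_key(src, dst, uid=None, gid=None):
    """Copy a renewed key to dst without a window of loose permissions:
    write to a 0600 temp file in the same directory, set the owner,
    then rename it over the old key atomically."""
    # mkstemp creates the file with mode 0600 regardless of umask.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dst) or ".")
    try:
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
            shutil.copyfileobj(inp, out)
        if uid is not None:
            # Changing the owner requires root; skipped when uid is None.
            os.chown(tmp, uid, gid if gid is not None else -1)
        os.replace(tmp, dst)
    except BaseException:
        os.unlink(tmp)
        raise
    return key_is_private(dst, uid)
```
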

