Why is log file showing starttls when connecting via port 563

ahl456 at gmail.com
Sat Feb 27 15:10:27 UTC 2021


We are running inn2 2.6.3 on Debian buster. We have configured our 
server to listen on port 563 using xinetd.

While everything appears to work, when I connect using Thunderbird over 
port 563 and authenticate using username and password, I see these 
messages in the file /var/log/news/news.notice:

Feb 27 06:57:53 usenet-dev nnrpd[13246]: dnab42128a.example.edu group leland.alerts.certificates 77
Feb 27 06:57:53 usenet-dev nnrpd[13246]: dnab42128a.example.edu exit articles 177 groups 3
Feb 27 06:57:53 usenet-dev nnrpd[13246]: dnab42128a.example.edu times user 0.053 system 0.033 idle 0.115 elapsed 1394.103
Feb 27 06:57:53 usenet-dev nnrpd[13246]: dnab42128a.example.edu artstats get 177 time 0 size 622115
Feb 27 06:57:53 usenet-dev nnrpd[13246]: dnab42128a.example.edu overstats count 1 hit 355 miss 4 time 0 size 95566 dbz 0 seek 0 get 0 artcheck 3
Feb 27 06:57:53 usenet-dev nnrpd[13262]: dnab42128a.example.edu group leland.alerts.certificates 178
Feb 27 06:57:53 usenet-dev nnrpd[13262]: dnab42128a.example.edu exit articles 178 groups 1
Feb 27 06:57:53 usenet-dev nnrpd[13262]: dnab42128a.example.edu times user 0.026 system 0.026 idle 0.074 elapsed 1321.088
Feb 27 06:57:53 usenet-dev nnrpd[13262]: dnab42128a.example.edu artstats get 178 time 0 size 627953
Feb 27 06:57:53 usenet-dev nnrpd[13262]: dnab42128a.example.edu time 1321089 readart 287(178) nntpwrite 14(728)
Feb 27 06:57:53 usenet-dev nnrpd[13246]: dnab42128a.example.edu time 1394108 readart 272(177) nntpwrite 52(10013)
** Feb 27 06:58:13 usenet-dev nnrpd[13829]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) no authentication
** Feb 27 06:58:13 usenet-dev nnrpd[13829]: dnab42128a.example.edu (191.66.18.138) connect - port 119
Feb 27 06:58:23 usenet-dev nnrpd[13829]: dnab42128a.example.edu user adamhl at example.edu
Feb 27 06:58:23 usenet-dev nnrpd[13829]: tradindexed: index inode mismatch for leland.alerts.certificates

1. Why is starttls happening? I thought that using port 563 gave you a 
direct TLS connection.

2. Why is port 119 listed? I am connecting via port 563 not 119. Using 
tcpdump I am not seeing any traffic on port 119.

3. There are several log lines listing group access _before_ the 
starttls line. Does that mean that there is unencrypted traffic at the 
beginning?

---

Here is our xinetd configuration file for nntps:

service nntps
{
         disable         = no
         socket_type     = stream
         protocol        = tcp
         wait            = no
         user            = news
         group           = ssl-cert
         groups          = yes
         server          = /usr/lib/news/bin/nnrpd
         server_args     = -c /etc/news/readers-ssl.conf -S
         instances       = UNLIMITED
}

---

A. Lewenberg
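One way to check, from news.notice alone, whether any client command in a given nnrpd session was logged before that session's starttls line: an added example, not code from this post or from INN. It groups lines by the nnrpd PID in the syslog prefix (xinetd with wait = no starts one nnrpd process per connection) and reports per session; the sample lines are constructed, and the host name, PIDs and the 192.0.2.10 address are made up.

```python
import re

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ nnrpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT_COMMANDS = {"group", "user", "post"}  # keywords that record a client action

def classify(msg):
    """Return 'starttls', 'connect', a client command keyword, or None (statistics)."""
    if msg.startswith("starttls:"):
        return "starttls"
    w = msg.split()  # "<host> <keyword> ..." or "<host> (<ip>) connect - port <n>"
    if len(w) >= 3 and w[2] == "connect":
        return "connect"
    return w[1] if len(w) >= 2 and w[1] in CLIENT_COMMANDS else None

def _status(s):
    if not s["connect"]:
        return "incomplete"  # session start is outside the excerpt
    return "tls-first" if s["tls"] and not s["before_tls"] else "plaintext"

def audit_sessions(log_text):
    """Group lines by nnrpd PID (one process per client session) and report whether
    starttls was logged before every client command of that session.
    status: 'tls-first', 'plaintext' (a command precedes starttls, or there is no
    starttls line at all) or 'incomplete' (no connect line seen for the PID)."""
    sessions = {}
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        s = sessions.setdefault(m["pid"], {"connect": False, "tls": False, "before_tls": []})
        ev = classify(m["msg"])
        if ev == "connect":
            s["connect"] = True
        elif ev == "starttls":
            s["tls"] = True
        elif ev and not s["tls"]:
            s["before_tls"].append(ev)  # client command logged with no TLS yet
    return {pid: {"status": _status(s), "before_tls": s["before_tls"]}
            for pid, s in sessions.items()}

# Constructed sample modelled on the post's excerpt; host, PIDs and 192.0.2.10 are made up.
SAMPLE_LOG = """\
Feb 27 06:57:53 usenet-dev nnrpd[13246]: client.example.edu group local.test 77
Feb 27 06:58:13 usenet-dev nnrpd[13829]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) no authentication
Feb 27 06:58:13 usenet-dev nnrpd[13829]: client.example.edu (192.0.2.10) connect - port 119
Feb 27 06:58:23 usenet-dev nnrpd[13829]: client.example.edu user testuser
Feb 27 06:59:01 usenet-dev nnrpd[13900]: client.example.edu (192.0.2.10) connect - port 119
Feb 27 06:59:02 usenet-dev nnrpd[13900]: client.example.edu user testuser
Feb 27 06:59:05 usenet-dev nnrpd[13900]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) no authentication
"""
```

Run it over a real news.notice with `audit_sessions(open("/var/log/news/news.notice").read())`; a PID whose connect line predates the excerpt is reported as incomplete rather than guessed at.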

