Why is log file showing starttls when connecting via port 563

Julien ÉLIE julien at trigofacile.com
Mon Mar 1 14:24:35 UTC 2021 

Hi Adam,

> We are running inn2 2.6.3 on Debian buster. We have configured our
> server to listen on port 563 using xinetd.
> 
> While everything appears to work, when I connect using Thunderbird over
> port 563 and authenticate using username and password, I see these
> messages in the file /var/log/news/news.notice:
> 
> Feb 27 06:57:53 usenet-dev nnrpd[13246]: dnab42128a.example.edu group
> leland.alerts.certificates 77
> Feb 27 06:57:53 usenet-dev nnrpd[13262]: dnab42128a.example.edu group
> leland.alerts.certificates 178
> ** Feb 27 06:58:13 usenet-dev nnrpd[13829]: starttls: TLSv1.3 with
> cipher TLS_AES_256_GCM_SHA384 (256/256 bits) no authentication
> ** Feb 27 06:58:13 usenet-dev nnrpd[13829]: dnab42128a.example.edu
> (191.66.18.138) connect - port 119

Note that the logs are related to 3 different NNTP sessions with nnrpd 
(PID 13246, 13262 and 13829).



> 1. Why is starttls happening? I thought that using port 563 gave you a
> direct TLS connection.

The log line stating "starttls" is probably misleading.  The same 
function is run when starting a TLS session (either implicitly at 
connection or explicitly with STARTTLS).

Here, the whole session of your nnrpd PID 13829 is properly secured as 
the starttls log line appears before the "connect - port 119" line.

FYI, when using port 563 directly (with nnrpd started as a daemon with 
"-D -p 563 -S" flags, as you can see at the very end of CHECKLIST 
<https://www.eyrie.org/~eagle/software/inn/docs/checklist.html>), logs 
look like:

Mar  1 15:08:38 news nnrpd[16492]: starttls: TLSv1.2 with cipher 
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) no authentication
Mar  1 15:08:38 news nnrpd[16492]: news.trigofacile.com 
(2001:41d0:a:6373::1) connect - port 563



> 2. Why is port 119 listed? I am connecting via port 563 not 119. Using
> tcpdump I am not seeing any traffic on port 119.

Shouldn't server_args in your nntps service also use "-p 563"?

 > service nntps
 > {
 >           disable         = no
 >           socket_type     = stream
 >           protocol        = tcp
 >           wait            = no
 >           user            = news
 >           group           = ssl-cert
 >           groups          = yes
 >           server          = /usr/lib/news/bin/nnrpd
 >           server_args     = -c /etc/news/readers-ssl.conf -S
 >           instances       = UNLIMITED
 > }



> 3. There are several log lines listing group access _before_ the
> starttls line. Does that mean that there is unencrypted traffic at the
> beginning?

If that's the case, yes, traffic is unencrypted, and STARTTLS is used 
explicitly during the session.  It should not happen with "nnrpd -S" 
that negotiate a TLS layer upon connection.
I believe something else is responding to these clients (innd spawning 
nnrpd, or another nnrpd daemon?).

-- 
Julien ÉLIE

« – Cet homme qui est sorti du palais, nous renseignera peut-être sur la
     façon d'y entrer. Suivons-le.
   – Mais… Il sait sortir d'accord, mais rien ne prouve qu'il sache
     entrer, et… » (Astérix)

More information about the inn-workers mailing list