Why is log file showing starttls when connecting via port 563
Julien ÉLIE
julien at trigofacile.com
Mon Mar 1 14:24:35 UTC 2021
Hi Adam,
> We are running inn2 2.6.3 on Debian buster. We have configured our
> server to listen on port 563 using xinetd.
>
> While everything appears to work, when I connect using Thunderbird over
> port 563 and authenticate using username and password, I see these
> messages in the file /var/log/news/news.notice:
>
> Feb 27 06:57:53 usenet-dev nnrpd[13246]: dnab42128a.example.edu group
> leland.alerts.certificates 77
> Feb 27 06:57:53 usenet-dev nnrpd[13262]: dnab42128a.example.edu group
> leland.alerts.certificates 178
> ** Feb 27 06:58:13 usenet-dev nnrpd[13829]: starttls: TLSv1.3 with
> cipher TLS_AES_256_GCM_SHA384 (256/256 bits) no authentication
> ** Feb 27 06:58:13 usenet-dev nnrpd[13829]: dnab42128a.example.edu
> (191.66.18.138) connect - port 119
Note that the logs are related to 3 different NNTP sessions with nnrpd
(PID 13246, 13262 and 13829).
> 1. Why is starttls happening? I thought that using port 563 gave you a
> direct TLS connection.
The log line stating "starttls" is probably misleading. The same
function is run when starting a TLS session (either implicitly at
connection or explicitly with STARTTLS).
Here, the whole session of your nnrpd PID 13829 is properly secured as
the starttls log line appears before the "connect - port 119" line.
FYI, when using port 563 directly (with nnrpd started as a daemon with
"-D -p 563 -S" flags, as you can see at the very end of CHECKLIST
<https://www.eyrie.org/~eagle/software/inn/docs/checklist.html>), logs
look like:
Mar 1 15:08:38 news nnrpd[16492]: starttls: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) no authentication
Mar 1 15:08:38 news nnrpd[16492]: news.trigofacile.com
(2001:41d0:a:6373::1) connect - port 563
> 2. Why is port 119 listed? I am connecting via port 563 not 119. Using
> tcpdump I am not seeing any traffic on port 119.
Shouldn't server_args in your nntps service also use "-p 563"?
> service nntps
> {
> disable = no
> socket_type = stream
> protocol = tcp
> wait = no
> user = news
> group = ssl-cert
> groups = yes
> server = /usr/lib/news/bin/nnrpd
> server_args = -c /etc/news/readers-ssl.conf -S
> instances = UNLIMITED
> }
> 3. There are several log lines listing group access _before_ the
> starttls line. Does that mean that there is unencrypted traffic at the
> beginning?
If that's the case, yes, traffic is unencrypted, and STARTTLS is used
explicitly during the session. It should not happen with "nnrpd -S",
which negotiates a TLS layer upon connection.
I believe something else is responding to these clients (innd spawning
nnrpd, or another nnrpd daemon?).
--
Julien ÉLIE
« – That man who came out of the palace may be able to tell us how to
get in. Let's follow him.
– But… He knows how to get out, all right, but nothing proves he knows
how to get in, and… » (Astérix)
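The following is an added example, not part of this thread or of INN itself. It applies the reasoning above to a news.notice excerpt: it groups nnrpd lines by PID, records whether the "starttls:" line was the first thing logged for that session (TLS negotiated at connection, as with "nnrpd -S") or only appeared after client commands had already been logged (explicit STARTTLS, so those commands went over the wire in the clear), and reads the port from the "connect - port N" line. It also checks an xinetd server_args string for the "-S" and "-p 563" flags discussed above. The log lines are constructed for the example (the first four are modelled on the ones quoted in the thread; the 14001 session is invented to show the explicit-STARTTLS case), and the finding strings are this example's own wording.

```python
import re
import shlex
from collections import OrderedDict

# Constructed sample of /var/log/news/news.notice lines (not real logs).
# PIDs 13246, 13262 and 13829 follow the lines quoted in the thread; 14001
# is an invented session that sends a command before STARTTLS; 16492 is
# modelled on the daemon-mode (-D -p 563 -S) example from the reply.
SAMPLE_LOG = """\
Feb 27 06:57:53 usenet-dev nnrpd[13246]: dnab42128a.example.edu group leland.alerts.certificates 77
Feb 27 06:57:53 usenet-dev nnrpd[13262]: dnab42128a.example.edu group leland.alerts.certificates 178
Feb 27 06:58:13 usenet-dev nnrpd[13829]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) no authentication
Feb 27 06:58:13 usenet-dev nnrpd[13829]: dnab42128a.example.edu (191.66.18.138) connect - port 119
Feb 27 07:00:00 usenet-dev nnrpd[14001]: dnab42128a.example.edu (191.66.18.138) connect - port 119
Feb 27 07:00:01 usenet-dev nnrpd[14001]: dnab42128a.example.edu group misc.test 7
Feb 27 07:00:02 usenet-dev nnrpd[14001]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) no authentication
Mar  1 15:08:38 news nnrpd[16492]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) no authentication
Mar  1 15:08:38 news nnrpd[16492]: news.trigofacile.com (2001:41d0:a:6373::1) connect - port 563
"""

# syslog prefix up to "nnrpd[PID]: ", then the message body
LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ nnrpd\[(\d+)\]: (.*)$")
CONNECT_RE = re.compile(r"^\S+ \(.+\) connect - port (\d+)$")
STARTTLS_RE = re.compile(r"^starttls: (.*)$")


def analyze_sessions(log_text):
    """Group nnrpd lines by PID (one nnrpd process per NNTP session).

    For each session returns:
      port            port from the "connect - port N" line, or None
      tls             text after "starttls: ", or None if never logged
      tls_at_connect  True when the starttls line is the first line logged
                      for that PID, i.e. TLS was negotiated at connection
      cmds_before_tls number of client-command lines (anything that is not
                      the connect or starttls line) logged before TLS was
                      up; these went over the network unencrypted
    """
    sessions = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an nnrpd line; ignore
        pid, msg = m.group(1), m.group(2)
        s = sessions.setdefault(pid, {"port": None, "tls": None,
                                      "tls_at_connect": False,
                                      "cmds_before_tls": 0,
                                      "_first": True})
        tls = STARTTLS_RE.match(msg)
        conn = CONNECT_RE.match(msg)
        if tls:
            if s["tls"] is None:
                s["tls"] = tls.group(1)
                s["tls_at_connect"] = s["_first"]
        elif conn:
            s["port"] = int(conn.group(1))
        elif s["tls"] is None:
            # a command logged while no TLS layer exists yet
            s["cmds_before_tls"] += 1
        s["_first"] = False
    for s in sessions.values():
        del s["_first"]
    return sessions


def check_server_args(server_args, expected_port):
    """Flag an xinetd server_args string for nnrpd that lacks -S (TLS at
    connection) or -p <port> (the port suggested in the reply above).
    Assumes space-separated flags, e.g. "-p 563" rather than "-p563"."""
    argv = shlex.split(server_args)
    findings = []
    if "-S" not in argv:
        findings.append("missing -S")
    if "-p" in argv and argv.index("-p") + 1 < len(argv):
        port = argv[argv.index("-p") + 1]
        if port != str(expected_port):
            findings.append("-p %s does not match %d" % (port, expected_port))
    else:
        findings.append("missing -p %d" % expected_port)
    return findings


if __name__ == "__main__":
    for pid, s in analyze_sessions(SAMPLE_LOG).items():
        print(pid, s)
    # the server_args line quoted in the thread
    print(check_server_args("-c /etc/news/readers-ssl.conf -S", 563))
```

Run against the sample, session 13829 shows TLS at connection but port 119, 14001 shows one command logged before TLS was negotiated, 13246 and 13262 never log a starttls line at all, and the thread's server_args line is reported as lacking "-p 563".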