NNTPS pointers / NNSP
Grant Taylor
gtaylor at tnetconsulting.net
Thu Oct 28 18:14:28 UTC 2021
On 10/28/21 4:34 AM, Julien ÉLIE wrote:
> Hi Grant,
Hi Julien,
> With that setup, is it possible to run only 1 instance of innd,
> accepting both unencrypted connections on port 119 and implicit TLS
> connections on port 433?
Yes, I do believe so. I alluded to doing exactly that in my recent
reply to the NNPS / TCP port 433 thread.
> Do you disallow readers?
Much of my testing has been on HTTP/80 vs HTTPS/443 as that's what I
spend more time speaking. But I have every single expectation that the
same methodology can be directly applied to NNTP/119, NNPS/433, and
NNTPS/563.
> (I am unsure an nnrpd spawned by innd behind iproute2/stunnel will see
> that the connection is already encrypted; it may advertise STARTTLS
> whereas I think it should not.)
Yes, that is a legitimate concern. Though I don't see any actual harm
in advertising STARTTLS to a well behaved client that's communicating
via an encrypted channel. Admittedly this may tickle some bugs in less
well behaved clients. However, I'm going after least effort to allow
implicit TLS encryption with INN(d) as it exists today. So some
compromises like this may sneak through.
> You could also discuss that in news.software.nntp; maybe other people
> are willing to experiment too.
Good idea.
> Well, I'm not a network expert but I am interested in making TLS work
> too for article feeding.
:-)
> Also, do you have a working TLS configuration for outgoing feeds
> (innfeed, innxmit)?
One of my goals has been to make this encryption / decryption as
transparent as possible to INN(d) et al. Meaning that it is done
completely outside of them. Thus hopefully they will inherit the
external assistance.
If you're familiar with the concept, think mid-span PoE injectors
connected to a non-PoE switch. ;-)
Admittedly, the motivation for this comes from knowledge of traditional
stunnel use and AT-TLS on IBM z/OS mainframes where TLS encryption can
be added / removed outside / independently of the actual running service
and the desire to have similar functionality on Linux.
> Can TLS support be similarly added to programs like rnews, inews,
> pullnews, nntpsend, etc. with iproute2/stunnel or like?
I expect so. I'm ultimately keying off of remote IP and remote port
pairs. As such, I expect that INN(d) et al. will remain configured just
like they are today and will simply have something outside of them do
the TLS helper function, mid-span. }:-)
> Greatly appreciated!
I appreciate the interactive feedback. :-D
--
Grant. . . .
unix || die
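The arrangement discussed above (one plaintext innd on 119, with a mid-span helper terminating implicit TLS on 433 and 563, and the same helper in client mode in front of outgoing feeds) can be expressed as a single stunnel configuration. This is an added example, not code from the original post or from INN; the certificate and key paths, the peer name peer.example.org, the CA bundle path and the local listener port 5563 are assumptions.

```ini
; stunnel.conf (added example; paths, hostnames and port 5563 are assumed)
; Goal: let INN(d) keep its existing plaintext configuration and add or
; remove TLS outside of it, mid-span, as described in the post.

foreground = no
pid    = /run/stunnel/nntp.pid
setuid = stunnel
setgid = stunnel

; --- inbound: implicit TLS in front of innd on 119 ------------------
; Both services hand a plaintext connection to the one innd listener,
; so a single innd instance serves 119, 433 and 563.
[nntps-in]
accept  = 563
connect = 127.0.0.1:119
cert    = /etc/stunnel/news.example.com.pem   ; server certificate chain
key     = /etc/stunnel/news.example.com.key

[nnsp-in]
accept  = 433
connect = 127.0.0.1:119
cert    = /etc/stunnel/news.example.com.pem
key     = /etc/stunnel/news.example.com.key

; --- outbound: innfeed / innxmit / nntpsend dial 127.0.0.1:5563 -----
; stunnel, not INN, opens the TLS session to the peer's port 563 and
; verifies the peer's certificate chain and host name.
[nntps-out-peer]
client      = yes
accept      = 127.0.0.1:5563
connect     = peer.example.org:563
CAfile      = /etc/ssl/certs/ca-certificates.crt
verifyChain = yes
checkHost   = peer.example.org
```

Two practical caveats follow from this layout. First, innd and any nnrpd it spawns see every TLS-wrapped connection as coming from 127.0.0.1, which affects peer matching in incoming.conf and is the reason nnrpd will still advertise STARTTLS on an already encrypted session, exactly the point raised in the quoted question; stunnel's `transparent = source` mode (Linux only, and it needs the policy-routing setup with iproute2 that the post alludes to) is the documented way to present the real peer address to innd instead. Second, for the outbound direction the feed programs must be pointed at the local listener (127.0.0.1:5563) rather than at the peer's host and port, so that keying by remote address and port, as the post describes, happens in the helper rather than in INN.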