0

I'm trying to set up a local usenet server, Inn2, with authentication over SSL, so that readers (clients) aren't required to send their passwords in cleartext.

I generated a self-signed certificate using instructions similar to those from the nnrpd man page, http://linux.die.net/man/8/nnrpd,

openssl req -new -x509 -nodes -out /usr/local/news/lib/cert.pem \
    -days 366 -keyout /usr/local/news/lib/key.pem
chown news:news /usr/local/news/lib/cert.pem
chmod 640 /usr/local/news/lib/cert.pem
chown news:news /usr/local/news/lib/key.pem
chmod 600 /usr/local/news/lib/key.pem

I'm running CentOS 6.2 and there's no news directory in /usr/local, so instead, I placed cert.pem and key.pem in /usr/libexec/news/, where inn2's binaries are located.

I then edited /etc/news/inn2.conf and changed nnrpd to run on port 563, the usenet SSL port. However, nowhere in any configuration file do I see where to set a path to these certificates. Attempting to connect using SSL/TLS over port 563 in Thunderbird doesn't work; it times out and errors are logged on the server running inn2. From /var/log/news/news.debug the error no_success_auth is logged, and from /var/log/news/news.notice several messages are logged like

Apr 14 05:40:48 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net (70.171.32.39) connect - port 119
Apr 14 05:40:48 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net unrecognized #026#003#001
Apr 14 05:40:48 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net unrecognized �#024
Apr 14 05:40:48 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net unrecognized #001
Apr 14 05:41:30 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net times user 0.000 system  0.005 idle 0.000 elapsed 41.803
Apr 14 16:57:00 linode-vps nnrpd[29640]: ip70-171-32-39.ga.at.cox.net (70.171.32.39) connect - port 119

From these logs it looks like Thunderbird is sending data using SSL (but strangely over port 119?), but that inn2/nnrpd isn't using SSL, and can't read its commands.

From http://osdir.com/ml/network.inn/2003-08/msg00013.html I read to put key.pem and cert.pem in /news/lib but this didn't have any effect.

My question is, how do I set up inn2/nnrpd to use SSL? How do I get it to use the certificates I generated? What steps have I missed?

skyler
  • 465
  • 3
  • 8
  • 17

2 Answers2

2

When you change the port in inn.conf you tell nnrpd to listen on port 563 but it will not enable SSL automatically. INN2 has no support to listen for separate SSL connections on port 563. You have to get nnrpd to listen on that port manually.

From the nnrpd manpage:

   Most news clients currently do not use the STARTTLS command, however, and instead expect to connect to a
   separate port (563) and start a TLS negotiation immediately.  innd does not, however, know how to listen
   for connections to that port and then spawn nnrpd the way that it does for regular reader connections.
   You will therefore need to arrange for nnrpd to listen on that port through some other means.  This can
   be done with the -D flag along with "-p 563" and put into your init scripts:

       su news -c '<pathbin>/nnrpd -D -p 563 -S'

   but the easiest way is probably to add a line like:

       nntps stream tcp nowait news <pathbin>/nnrpd nnrpd -S

   to /etc/inetd.conf or the equivalent on your system and let inetd run nnrpd.  (Change the path to nnrpd
   to match your installation.)  You may need to replace "nntps" with 563 if "nntps" isn't defined in
   /etc/services on your system.

Btw. I often had problems with the SSL implementation of nnrpd so I use stunnel as SSL proxy for nnrpd.

nnrpd uses the same certificate files as INN, they are defined in inn.conf:

  You then have to set these inn.conf parameters with the right paths:

       tlscapath:      <pathetc>
       tlscertfile:    <pathetc>/cert.pem
       tlskeyfile:     <pathetc>/key.pem

   In case you have a certificate authority root certificate, you can also set tlscafile to its path.
Sebastian Wiesinger
  • 610
  • 5
  • 9
  • Assuming I get nnrpd listening on the new port (which I think it is already for me?) how do I tell it which certificate files to use? – skyler Apr 14 '13 at 21:05
  • Though, stunnel looks like a great option. – skyler Apr 14 '13 at 21:13
  • If you look in the man-page for nnrpd, it will use three parameters in the `inn.conf` file for that. (tlscapath, tlscertfile, tlskeyfile). The same that INN uses. (Updated my answer) – Sebastian Wiesinger Apr 14 '13 at 22:04
0

Is better to edit inn.conf and after select the paths for TLS specify the "flags" for nrrpd I've edit those lines

nnrpdflags:                  "-S"
tlscapath:                  /etc/news
tlscertfile:                /etc/news/news.cert.pem
tlskeyfile:                 /etc/news/news.key.pem
tlsprotocols:               [ TLSv1.2 ]

Then restart service

elbarna
  • 332
  • 3
  • 6
  • 15