Send inn-workers mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/inn-workers
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of inn-workers digest..."
Today's Topics:
1. Re: [patch] more TLS configuration options for nnrpd
(christian mock)
2. Re: [patch] more TLS configuration options for nnrpd (Julien ÉLIE)
3. nnrp conf (Edwardo Garcia)
----------------------------------------------------------------------
Message: 1
Date: Mon, 1 Dec 2014 22:49:29 +0100
From: christian mock <[email protected]>
To: [email protected]
Subject: Re: [patch] more TLS configuration options for nnrpd
Message-ID: <[email protected]>
Content-Type: text/plain; charset=iso-8859-1
On Sun, Nov 23, 2014 at 02:10:26PM +0100, Julien ÉLIE wrote:
> Reading the OBJ_nid2obj(3) doc, I see that they #include
> <openssl/objects.h> when using OBJ_nid2sn(). Shouldn't we also add
> that include in tls.h when HAVE_SSL_ECC is set?
Right, we probably should.
> > The default is unset, which means an appropriate curve is
> > auto-selected (if your OpenSSL version supports it) or the NIST
> > P-256 curve is used.
>
> I see:
> SSL_CTX_set_tmp_ecdh(CTX,
> EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
>
> Are we sure NID_X9_62_prime256v1 always exists? Maybe in OpenSSL
> versions where SSL_CTX_set_ecdh_auto does not exist, this curve
> exists; so that's fine to call it without testing its existence.
It's a macro, so compilation would fail.
Assuming the macro is defined but the curve is somehow not supported
in openssl anyways, EC_KEY_new_by_curve_name would return NULL on
errors.
Now I can't find documentation on the return values of
SSL_CTX_set_tmp_ecdh, and apps/s_server.c in the openssl sources uses
it without error checking... let's try it and set the 2nd param to
NULL and see what happens. Nothing. That is, no crash, openssl
does disable ECDH support but seems to work fine otherwise.
So the question is: should we check for this unlikely case and output
a warning, or just ignore it?
cm.
--
rotfl. Really, I'm sorry, Herr Doktor, but for me it is also an outage (downtime
of a service, Herr Doktor, in case you do not understand the language of our
countrymen) when a service goes offline, and not only when the propeller at
the back no longer turns. -- Peter Vratny in aip
------------------------------
Message: 2
Date: Mon, 01 Dec 2014 22:54:51 +0100
From: Julien ÉLIE <[email protected]>
To: [email protected]
Subject: Re: [patch] more TLS configuration options for nnrpd
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hi Christian,
>> Reading the OBJ_nid2obj(3) doc, I see that they #include
>> <openssl/objects.h> when using OBJ_nid2sn(). Shouldn't we also add
>> that include in tls.h when HAVE_SSL_ECC is set?
>
> Right, we probably should.
OK, now committed in the 2.5 branch.
> Now I can't find documentation on the return values of
> SSL_CTX_set_tmp_ecdh, and apps/s_server.c in the openssl sources uses
> it without error checking... let's try it and set the 2nd param to
> NULL and see what happens. Nothing. That is, no crash, openssl
> does disable ECDH support but seems to work fine otherwise.
>
> So the question is: should we check for this unlikely case and output
> a warning, or just ignore it?
Let's just ignore it.
--
Julien ÉLIE
"They refused an offer from a Norman?!?" (Astérix)
------------------------------
Message: 3
Date: Tue, 2 Dec 2014 17:26:47 +1000
From: Edwardo Garcia <[email protected]>
To: inn-workers <[email protected]>
Subject: nnrp conf
Message-ID:
<canso6eecdcwzxq2xdfkjloyj2cmwnqu8_5t30t63o5+j2pm...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Halo,
Can we please have the access methods of nnrp.conf brought back!!?!
For the love of god, I find that for months our server has been open to the
world because this readers.conf method of groups auth access foo is so
overcomplicated.
Example from O'Reilly:
In the virtual brewery example, we will allow any NNTP client in the
Virtual Brewery domain to both read and post to al$
# Virtual Brewery - nnrp.access
# We will allow public reading of all newsgroups except our private one.
*:R:::*,!rec.crafts.brewing.private
# Any host with the Virtual Brewery domain may Read and Post to all
# newsgroups
*.vbrew.com:RP::*
This method is so easy a child can't get it wrong; why, for the love of god, was it changed?
Here is a thought: maybe access can be determined by either readers.conf
and its confusions, or nnrp.conf with its so simple access like the old one,
as in the example on Google. If you want, maybe if readers.conf exists it
overrides the nnrp file, otherwise it uses both. Frankly, I think the old method
is so much simpler and zero hassle, and my boss would not threaten to fire me
like now for letting a competitor ISP's customers use our server.
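
An added example, not part of the original message or of INN: a small Python audit of the nnrp.access lines quoted above, assuming the documented five-field layout (hosts:perms:username:password:patterns) with the last matching line winning. Python's fnmatch stands in for INN's wildmat, reporting lines without five fields is this example's own choice, and the function names and host.example.net are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed input: the two rules quoted in the message, copied as posted.
AS_POSTED = """\
# Virtual Brewery - nnrp.access
*:R:::*,!rec.crafts.brewing.private
*.vbrew.com:RP::*
"""

def parse(text):
    """Return (rules, bad): rules are (lineno, hosts, perms, user, password,
    patterns) tuples; bad lists line numbers without exactly five fields."""
    rules, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 5:
            rules.append((lineno, *fields))
        else:
            bad.append(lineno)
    return rules, bad

def group_allowed(patterns, group):
    """Comma-separated pattern list; '!' negates; the last matching entry wins."""
    allowed = False
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        if fnmatchcase(group, pat[1:] if negate else pat):
            allowed = not negate
    return allowed

def effective_perms(rules, host, group):
    """Permissions ('', 'R', 'RP') that the last host-matching rule grants.
    The username/password fields are ignored (empty in the sample)."""
    match = None
    for rule in rules:
        if fnmatchcase(host.lower(), rule[1].lower()):
            match = rule  # later lines override earlier ones
    if match is None:
        return ""
    _, _, perms, _user, _password, patterns = match
    return perms if group_allowed(patterns, group) else ""
```

Run against the lines as posted, parse() reports line 3 as having four fields instead of five, and the first rule alone still gives every host read access to all but the private group.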
------------------------------
End of inn-workers Digest, Vol 67, Issue 1
******************************************