Send inn-workers mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/inn-workers
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of inn-workers digest..."
Today's Topics:
1. Slow response time on BSD (The Doctor)
2. RE : Slow response time on BSD (Julien ÉLIE)
3. Re: RE : Slow response time on BSD (The Doctor)
4. Re: TLS certificate permission checks (Russ Allbery)
----------------------------------------------------------------------
Message: 1
Date: Fri, 28 Oct 2016 07:59:36 -0600
From: The Doctor <[email protected]>
To: [email protected]
Subject: Slow response time on BSD
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii
All right.
Julien, recall I said, my server when I had BSD/OS felt faster?
I wonder if it might speed up FreeBSD / NetBSD / OpenBSD et al.?
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism
Time for the USA to hold a referendum on its republic and vote to dissolve!!
------------------------------
Message: 2
Date: Fri, 28 Oct 2016 16:35:31 +0200
From: Julien ÉLIE <[email protected]>
To: The Doctor <[email protected]>, [email protected]
Subject: RE : Slow response time on BSD
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
Hi Dave,
Could you by-pass the test in nnrpd.c (just remove the #if defined line and
#endif line, so that the TCP nodelay option is taken into account on your
system) and rebuild?
See:
https://lists.isc.org/pipermail/inn-committers/2016-March/007839.html
Does it work faster?
Still no fix for the failures in the daily reports?
-- 
Julien
-------- Original message --------
From : The Doctor <[email protected]>
Date : 28/10/2016 15:59 (GMT+01:00)
To : [email protected]
Subject : Slow response time on BSD
All right.
Julien, recall I said, my server when I had BSD/OS felt faster?
I wonder if it might speed up FreeBSD / NetBSD / OpenBSD et al.?
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism
Time for the USA to hold a referendum on its republic and vote to dissolve!!
_______________________________________________
inn-workers mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/inn-workers
------------------------------
Message: 3
Date: Fri, 28 Oct 2016 09:18:46 -0600
From: The Doctor <[email protected]>
To: Julien ÉLIE <[email protected]>
Cc: [email protected]
Subject: Re: RE : Slow response time on BSD
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii
On Fri, Oct 28, 2016 at 04:35:31PM +0200, Julien ÉLIE wrote:
> Hi Dave,
>
> Could you by-pass the test in nnrpd.c (just remove the #if defined line and
> #endif line, so that the TCP nodelay option is taken into account on your
> system) and rebuild?
> See:
> https://lists.isc.org/pipermail/inn-committers/2016-March/007839.html
>
> Does it work faster?
Include netinet/tcp.h
No, I cannot understand why it is slowish.
>
> Still not fix the failures in daily reports?
>
No.
> -- 
> Julien
>
>
> -------- Original message --------
> From : The Doctor <[email protected]>
> Date : 28/10/2016 15:59 (GMT+01:00)
> To : [email protected]
> Subject : Slow response time on BSD
>
> All right.
>
> Julien, recall I said, my server when I had BSD/OS felt faster?
>
> I wonder if it might speed up FreeBSD / NetBSD / OpenBSD et al.?
> --
> Member - Liberal International This is doctor@@nl2k.ab.ca Ici
> doctor@@nl2k.ab.ca
> God,Queen and country!Never Satan President Republic!Beware AntiChrist
> rising!
> http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism
> Time for the USA to hold a referendum on its republic and vote to dissolve!!
> _______________________________________________
> inn-workers mailing list
> [email protected]
> https://lists.isc.org/mailman/listinfo/inn-workers
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism
Time for the USA to hold a referendum on its republic and vote to dissolve!!
------------------------------
Message: 4
Date: Fri, 28 Oct 2016 13:59:48 -0700
From: Russ Allbery <[email protected]>
To: [email protected]
Subject: Re: TLS certificate permission checks
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8
Julien ÉLIE <[email protected]> writes:
> Shouldn't we also check that the key is readable?
This gets a bit tricky, since you can't figure that out solely by checking
ownership and file modes (extended ACLs, for instance). But we could use
access(R_OK), which would correctly diagnose permission errors.
> I think it was the point of the initial commit in 2002:
> https://inn.eyrie.org/trac/changeset/6037/trunk/nnrpd/tls.c
> where the check was:
> !S_ISREG(buf.st_mode) || (buf.st_mode & 0077) != 0 || buf.st_uid != getuid()
> Otherwise, maybe the error appearing in the logs is not clear enough,
> if it does not say that there is a read access issue.
I checked my past email, and this appears to have been all of the original
commentary:
| This patch checks the ownership and permissions of the server's
| private key. It is conventional for private keys to be regular
| files (not symlinks), owned by the running process, and without
| either group or world access.
> I agree that the new checks in 2011 were probably too restrictive
> for the use case you mention in your mail:
> https://inn.eyrie.org/trac/changeset/9219/trunk/nnrpd/tls.c
Yeah, we were selectively weakening the check to allow for another common
use case. But I think it may make sense to just weaken it further to
check for the obvious world-readable case and otherwise just try to open
the file.
How about this?
Index: tls.c
===================================================================
--- tls.c (revision 10088)
+++ tls.c (working copy)
@@ -391,15 +391,13 @@
return (0);
}
- /* Check that the key file is a real file, not readable by
- * everyone. If the mode is 440 or 640, make sure the group owner
- * is the news group (to prevent the failure case of having news:users
- * as the owner and group. */
- if (!S_ISREG(buf.st_mode) || (buf.st_mode & 0137) != 0
- || ((buf.st_mode & 0040) != 0 && buf.st_gid != getegid())) {
+ /* Check that the key file is a real file, isn't world-readable, and
+ * that we can read it. */
+ if (!S_ISREG(buf.st_mode) || (buf.st_mode & 0007) != 0
+ || access(key_file, R_OK) < 0) {
syslog(L_ERROR, "bad ownership or permissions on private key"
- " '%s': private key must be mode 640 at most, and readable"
- " by the news group only", key_file);
+ " '%s': private key must be a regular file, readable by"
+ " nnrpd, and not world-readable", key_file);
return (0);
}
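Review bot: the syslog text "bad ownership or permissions on private key" is now stale, because this hunk drops the only ownership-related test (the old `buf.st_gid != getegid()` clause) and nothing in the new condition looks at `st_uid` or `st_gid`; "bad permissions on private key" would match what is actually checked. Two smaller points on the new condition: `(buf.st_mode & 0007) != 0` rejects any other-class bit (read, write or execute), so the comment "isn't world-readable" and the message "not world-readable" slightly understate it ("world-accessible" is more exact); and `access(key_file, R_OK)` evaluates against the real uid/gid rather than the effective ids that the later open of the key file will use, so in a setuid or privilege-switched nnrpd the diagnosis can disagree with what happens at open time, and a root process always passes it regardless of mode. If effective-id semantics are wanted, `faccessat(AT_FDCWD, key_file, R_OK, AT_EACCESS)` or simply attempting the open and reporting errno gives the accurate answer.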
--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
Please send questions to the list rather than mailing me directly.
<http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
------------------------------
------------------------------
End of inn-workers Digest, Vol 88, Issue 8
******************************************