Today's Topics:
1. Re: TLS certificate permission checks (Thomas Hochstein)
2. Re: TLS certificate permission checks (Julien ÉLIE)
----------------------------------------------------------------------
Message: 1
Date: Sat, 29 Oct 2016 15:50:07 +0200
From: Thomas Hochstein <[email protected]>
To: [email protected]
Subject: Re: TLS certificate permission checks
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii
Russ Allbery wrote:
> In another group I read, someone was setting up a TLS certificate for use
> with nnrpd using Let's Encrypt, and they ran into a ton of trouble because
> of the very tight permission checks in nnrpd before it's willing to use
> the certificate.
Yes. Currently, you have to copy certificate and key (for INN and
Exim) and change owner and permissions (for INN only), AFAIS.
> I think we may be a bit too aggressive about this. We're trying to
> protect people against mistakes that could leak the key to other users on
> the same host, but it's increasingly uncommon for a news server to run on
> the same box as untrusted people, so I'm not sure how much this matters.
> And it causes some friction when people are setting up automatic
> certificate renewal.
Ack.
-thh
------------------------------
Message: 2
Date: Sat, 29 Oct 2016 21:59:37 +0200
From: Julien ÉLIE <[email protected]>
To: [email protected]
Subject: Re: TLS certificate permission checks
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
Hi Russ,
I think your suggested patch with access(R_OK) is fine, and the right thing to
do for our users. It takes into account how permissions are set in current
usages, and gives a useful log message in case there is a problem with the
private key.
Thanks for it,
--
Julien
------------------------------
End of inn-workers Digest, Vol 88, Issue 9
******************************************