Send inn-workers mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/inn-workers
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of inn-workers digest..."
Today's Topics:
1. Re: Why is log file showing starttls when connecting via port 563 (Julien ÉLIE)
----------------------------------------------------------------------
Message: 1
Date: Mon, 1 Mar 2021 15:24:35 +0100
From: Julien ÉLIE <[email protected]>
To: [email protected], [email protected]
Subject: Re: Why is log file showing starttls when connecting via port 563
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8; format=flowed
Hi Adam,
> We are running inn2 2.6.3 on Debian buster. We have configured our
> server to listen on port 563 using xinetd.
>
> While everything appears to work, when I connect using Thunderbird over
> port 563 and authenticate using username and password, I see these
> messages in the file /var/log/news/news.notice:
>
> Feb 27 06:57:53 usenet-dev nnrpd[13246]: dnab42128a.example.edu group
> leland.alerts.certificates 77
> Feb 27 06:57:53 usenet-dev nnrpd[13262]: dnab42128a.example.edu group
> leland.alerts.certificates 178
> ** Feb 27 06:58:13 usenet-dev nnrpd[13829]: starttls: TLSv1.3 with
> cipher TLS_AES_256_GCM_SHA384 (256/256 bits) no authentication
> ** Feb 27 06:58:13 usenet-dev nnrpd[13829]: dnab42128a.example.edu
> (191.66.18.138) connect - port 119
Note that the logs are related to 3 different NNTP sessions with nnrpd
(PID 13246, 13262 and 13829).
> 1. Why is starttls happening? I thought that using port 563 gave you a
> direct TLS connection.
The log line stating "starttls" is probably misleading. The same
function is run when starting a TLS session (either implicitly at
connection or explicitly with STARTTLS).
Here, the whole session of your nnrpd PID 13829 is properly secured as
the starttls log line appears before the "connect - port 119" line.
FYI, when using port 563 directly (with nnrpd started as a daemon with
"-D -p 563 -S" flags, as you can see at the very end of CHECKLIST
<https://www.eyrie.org/~eagle/software/inn/docs/checklist.html>), logs
look like:
Mar 1 15:08:38 news nnrpd[16492]: starttls: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) no authentication
Mar 1 15:08:38 news nnrpd[16492]: news.trigofacile.com
(2001:41d0:a:6373::1) connect - port 563
> 2. Why is port 119 listed? I am connecting via port 563 not 119. Using
> tcpdump I am not seeing any traffic on port 119.
Shouldn't server_args in your nntps service also use "-p 563"?
> service nntps
> {
> disable = no
> socket_type = stream
> protocol = tcp
> wait = no
> user = news
> group = ssl-cert
> groups = yes
> server = /usr/lib/news/bin/nnrpd
> server_args = -c /etc/news/readers-ssl.conf -S
> instances = UNLIMITED
> }
> 3. There are several log lines listing group access _before_ the
> starttls line. Does that mean that there is unencrypted traffic at the
> beginning?
If that's the case, yes, traffic is unencrypted, and STARTTLS is used
explicitly during the session. It should not happen with "nnrpd -S",
which negotiates a TLS layer upon connection.
I believe something else is responding to these clients (innd spawning
nnrpd, or another nnrpd daemon?).
--
Julien ÉLIE
« This man who has just come out of the palace may be able to tell us how
to get in. Let's follow him.
– But… He knows how to get out, granted, but nothing proves he knows how to
get in, and… » (Astérix)
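The diagnosis above (starttls logged before "connect" means the TLS layer was negotiated at connection time; group or other command lines logged before starttls mean the start of that session was cleartext; a "connect - port" value that is not 563 points at a missing "-p 563") can be applied mechanically to news.notice. The following is an added example, not code from the thread or from INN: a small Python triage script that groups nnrpd lines by PID and reports each session's TLS posture. It assumes the syslog line layout shown in the thread ("nnrpd[PID]: message"). The sample log embeds the lines Adam and Julien posted; the third session (PID 16510, host client.example.org) is constructed here to show what an explicit STARTTLS session looks like.

```python
"""Triage nnrpd news.notice lines for TLS posture, per session (PID).

Added example, not part of INN or of the inn-workers thread.
Classification mirrors the reasoning in the thread:
  implicit - "starttls:" logged before "connect - port" (nnrpd -S on 563)
  explicit - STARTTLS negotiated after commands were already sent in clear
  none     - no starttls line seen for that PID (cleartext, or partial excerpt)
"""
import re
from collections import defaultdict

# Syslog prefix, host, and the nnrpd PID; the message text follows the colon.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ nnrpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"connect - port (?P<port>\d+)")

# Lines from the thread, plus one constructed explicit-STARTTLS session (PID 16510).
SAMPLE_LOG = """\
Feb 27 06:57:53 usenet-dev nnrpd[13246]: dnab42128a.example.edu group leland.alerts.certificates 77
Feb 27 06:57:53 usenet-dev nnrpd[13262]: dnab42128a.example.edu group leland.alerts.certificates 178
Feb 27 06:58:13 usenet-dev nnrpd[13829]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) no authentication
Feb 27 06:58:13 usenet-dev nnrpd[13829]: dnab42128a.example.edu (191.66.18.138) connect - port 119
Mar  1 15:08:38 news nnrpd[16492]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) no authentication
Mar  1 15:08:38 news nnrpd[16492]: news.trigofacile.com (2001:41d0:a:6373::1) connect - port 563
Mar  1 15:10:02 news nnrpd[16510]: client.example.org (192.0.2.10) connect - port 119
Mar  1 15:10:02 news nnrpd[16510]: client.example.org group misc.test 12
Mar  1 15:10:03 news nnrpd[16510]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) no authentication
"""


def parse(lines):
    """Return {pid: [message, ...]} keeping each session's lines in log order."""
    sessions = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            sessions[m["pid"]].append(m["msg"])
    return dict(sessions)


def classify(msgs, expected_port=563):
    """Classify one session's messages; returns tls kind, logged port, findings."""
    tls_idx = next((i for i, m in enumerate(msgs) if m.startswith("starttls:")), None)
    con_idx = next((i for i, m in enumerate(msgs) if " connect - port " in m), None)
    port = int(CONNECT_RE.search(msgs[con_idx])["port"]) if con_idx is not None else None
    findings = []
    if tls_idx is None:
        tls = "none"
        findings.append("no starttls line: session is cleartext (or the excerpt is incomplete)")
    elif con_idx is None or tls_idx < con_idx:
        tls = "implicit"  # TLS layer was up before the connect line was logged
    else:
        tls = "explicit"
        # Everything before the starttls line (other than connect itself) went in clear.
        cleartext = [m for m in msgs[:tls_idx] if " connect - port " not in m]
        findings.append(f"{len(cleartext)} command(s) logged before STARTTLS were sent in cleartext")
    if port is not None and port != expected_port:
        findings.append(
            f"connect line reports port {port}, expected {expected_port}: "
            "check the -p flag in nnrpd's arguments"
        )
    return {"tls": tls, "port": port, "findings": findings}


def report(text, expected_port=563):
    """Classify every nnrpd session found in a news.notice excerpt."""
    return {pid: classify(msgs, expected_port) for pid, msgs in parse(text.splitlines()).items()}


if __name__ == "__main__":
    for pid, verdict in report(SAMPLE_LOG).items():
        print(f"nnrpd[{pid}] tls={verdict['tls']} port={verdict['port']}",
              "; ".join(verdict["findings"]))
```

Run against Adam's excerpt, PID 13829 comes out as "implicit" (so the session was protected from the first byte) but with a port finding, which is exactly the "-p 563" question; PID 16510 comes out "explicit" with one command sent in cleartext, the pattern Julien says should never appear from an "nnrpd -S" service.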
------------------------------
Subject: Digest Footer
_______________________________________________
inn-workers mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/inn-workers
------------------------------
End of inn-workers Digest, Vol 129, Issue 1
*******************************************