I'm trying to set up a local usenet server, Inn2, with authentication over SSL, so that readers (clients) aren't required to send their passwords in cleartext.
I generated a self-signed certificate using instructions similar to those from the nnrpd man page, http://linux.die.net/man/8/nnrpd:
openssl req -new -x509 -nodes -out /usr/local/news/lib/cert.pem \
-days 366 -keyout /usr/local/news/lib/key.pem
chown news:news /usr/local/news/lib/cert.pem
chmod 640 /usr/local/news/lib/cert.pem
chown news:news /usr/local/news/lib/key.pem
chmod 600 /usr/local/news/lib/key.pem
I'm running CentOS 6.2 and there's no news directory in /usr/local, so instead I placed cert.pem and key.pem in /usr/libexec/news/, where inn2's binaries are located.
I then edited /etc/news/inn2.conf and changed nnrpd to run on port 563, the usenet SSL port. However, nowhere in any configuration file do I see where to set a path to these certificates. Attempting to connect using SSL/TLS over port 563 in Thunderbird doesn't work; it times out and errors are logged on the server running inn2. From /var/log/news/news.debug the error no_success_auth is logged, and from /var/log/news/news.notice several messages are logged like:
Apr 14 05:40:48 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net (70.171.32.39) connect - port 119
Apr 14 05:40:48 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net unrecognized #026#003#001
Apr 14 05:40:48 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net unrecognized �#024
Apr 14 05:40:48 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net unrecognized #001
Apr 14 05:41:30 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net times user 0.000 system 0.005 idle 0.000 elapsed 41.803
Apr 14 16:57:00 linode-vps nnrpd[29640]: ip70-171-32-39.ga.at.cox.net (70.171.32.39) connect - port 119
From these logs it looks like Thunderbird is sending data using SSL (but strangely over port 119?), but that inn2/nnrpd isn't using SSL and can't read its commands.
From http://osdir.com/ml/network.inn/2003-08/msg00013.html I read to put key.pem and cert.pem in /news/lib, but this didn't have any effect.
My question is, how do I set up inn2/nnrpd to use SSL? How do I get it to use the certificates I generated? What steps have I missed?
Best Answer
When you change the port in inn.conf you tell nnrpd to listen on port 563, but it will not enable SSL automatically. INN2 has no support to listen for separate SSL connections on port 563. You have to get nnrpd to listen on that port manually. From the nnrpd manpage:
By the way, I often had problems with the SSL implementation of nnrpd, so I use stunnel as an SSL proxy for nnrpd.
nnrpd uses the same certificate files as INN; they are defined in inn.conf: