Subject: Re: Issues with nnrpd and tls
From: info (at) *nospam* tcpreset.invalid (Gabx)
Groups: news.admin.peering news.software.nntp
Date: 08. Jun 2025, 21:46:05
Organisation: Victor Hostile Communication Center
Message-ID: <1024sqi$3fkc5$1@news.tcpreset.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 SeaMonkey/2.53.21
Adam W. wrote:
> I have inn running normally, on port 119, and it drops non-peers to
> nnrpd, which accepts STARTTLS to switch to TLS.
> I also have the following entry in my inetd.conf:
> nntps stream tcp nowait news /usr/local/news/bin/nnrpd nnrpd -S
> So connections to port nntps (563) are guarded by TLS from the beginning
> (without STARTTLS).

Hi!
I am on Ubuntu-22.04 and my NNTP server is INN2.6.4 installed with apt.
I have a systemd script:
[Unit]
Description=NNRP Daemon (standalone TLS on port 563)
After=network-online.target
Wants=network-online.target
Requires=inn2.service
[Service]
Type=simple
User=news
Group=news
ExecStart=/usr/lib/news/bin/nnrpd -p 563 -b 0.0.0.0 -S
Restart=on-abort
ConfigurationDirectory=news
LogsDirectory=news
LogsDirectoryMode=775
RuntimeDirectory=news
StateDirectory=news
StateDirectoryMode=775
ReadWritePaths=/var/spool/news/
ProtectSystem=full
ProtectControlGroups=yes
ProtectHome=yes
LimitNOFILE=infinity
[Install]
WantedBy=multi-user.target
The server is in production, stopping the service would not be nice, you will understand me.
I hope to find a nnrpd ssl configuration that definitely works with my environment.
Certificates are ready with letsencrypt.
This is the desired configuration in /etc/news/inn.conf:
#tlscafile: /etc/news/ssl/chain.pem
#tlscapath: /etc/news/ssl
#tlscertfile: /etc/news/ssl/cert.pem
#tlskeyfile: /etc/news/ssl/privkey.pem
#tlsciphers: "ECDHE+AESGCM"
#tlsciphers13: "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256"
#tlscompression: false
#tlseccurve: "X25519:P-256:P-384:P-521"
#tlspreferserverciphers: true
#tlsprotocols: [ TLSv1.2 TLSv1.3 ]
These are the errors in the logs for nnrpd launched by systemd:
Jun 08 20:32:49 news.tcpreset.net nnrpd[3657084]: unable to get certificate from '/etc/news/cert.pem'
Jun 08 20:32:49 news.tcpreset.net nnrpd[3657084]: error initializing TLS: [CA_file: ] [CA_path: /etc/news] [cert_file: /etc/news/cert.pem] [key_
Uncommenting the settings in etc/news/inn.conf would probably solve this.
There would also be the *nnrpdflags* parameter, where I wouldn't know whether to use -S when it is already used in the systemd script;
too many doubts.
Gabx
-- 0745074DFEAA9CB762E9D89D3E54F490F2CC5A82
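An added check script, not part of the post above, that audits the tls* settings of an inn.conf the way nnrpd -S will see them: it separates active parameters from ones that are only present as comments (the situation in the post, where nnrpd then tries its built-in default /etc/news/cert.pem), and verifies that the certificate and key files named by active settings exist and are readable. The sample inn.conf fragment at the bottom is constructed to mirror the commented-out block in the post.

```shell
#!/bin/sh
# Added example (not from the post): audit tls* settings in an inn.conf.
# Assumption: a commented-out parameter means nnrpd uses its built-in default,
# which is what the "unable to get certificate from '/etc/news/cert.pem'" log shows.

# Print "name value" for each active (uncommented) tls* parameter in file $1.
active_tls_settings() {
    sed -n 's/^[[:space:]]*\(tls[a-z0-9]*\):[[:space:]]*\(.*\)$/\1 \2/p' "$1"
}

# Print the names of tls* parameters that appear only commented out in file $1.
commented_tls_settings() {
    sed -n 's/^[[:space:]]*#[[:space:]]*\(tls[a-z0-9]*\):.*$/\1/p' "$1"
}

# Return 0 if active tlscertfile and tlskeyfile settings in $1 both name
# files that exist and are readable by the current user, 1 otherwise.
# Run it as the news user (the systemd unit's User=) to test real permissions.
check_tls_files() {
    rc=0
    for name in tlscertfile tlskeyfile; do
        path=$(active_tls_settings "$1" | awk -v n="$name" '$1 == n { print $2 }')
        if [ -z "$path" ]; then
            echo "$name: not set, nnrpd will fall back to its built-in default" >&2
            rc=1
        elif [ ! -r "$path" ]; then
            echo "$name: $path is missing or not readable" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample mirroring the post: every TLS parameter is commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#tlscertfile: /etc/news/ssl/cert.pem
#tlskeyfile: /etc/news/ssl/privkey.pem
#tlsprotocols: [ TLSv1.2 TLSv1.3 ]
EOF
echo "commented out: $(commented_tls_settings "$sample" | tr '\n' ' ')"
check_tls_files "$sample" || echo "nnrpd -S would use defaults, not these files"
rm -f "$sample"
```

Running it against the real /etc/news/inn.conf as the news user reproduces the failure from the log without touching the running service.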