I am trying to set up a local usenet server, INN2, with authentication over SSL so that readers (clients) don't have to send their passwords in plaintext.
I generated a self-signed certificate using instructions like those in the nnrpd man page http://linux.die.net/man/8/nnrpd:
    openssl req -new -x509 -nodes -out /usr/local/news/lib/cert.pem \
        -days 366 -keyout /usr/local/news/lib/key.pem
    chown news:news /usr/local/news/lib/cert.pem
    chmod 640 /usr/local/news/lib/cert.pem
    chown news:news /usr/local/news/lib/key.pem
    chmod 600 /usr/local/news/lib/key.pem
I am running CentOS 6.2 and there is no news directory under /usr/local, so I put cert.pem and key.pem in /usr/libexec/news/, where the inn2 binaries are located.
Then I edited /etc/news/inn2.conf and changed it to run on port 563 (the usenet SSL port). But in none of the configuration files can I see where to set the path to these certificates. Trying to connect from Thunderbird on port 563 using SSL/TLS doesn't work; it times out and errors get logged on the server running inn2. /var/log/news/news.debug logs the error no_success_auth, and /var/log/news/news.notice logs several messages:
    Apr 14 05:40:48 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net (70.171.32.39) connect - port 119
    Apr 14 05:40:48 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net unrecognized #026#003#001
    Apr 14 05:40:48 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net unrecognized #024
    Apr 14 05:40:48 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net unrecognized #001
    Apr 14 05:41:30 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net times user 0.000 system 0.005 idle 0.000 elapsed 41.803
    Apr 14 16:57:00 linode-vps nnrpd[29640]: ip70-171-32-39.ga.at.cox.net (70.171.32.39) connect - port 119
From these logs it looks like Thunderbird is sending data using SSL (but strangely over port 119?), while inn2/nnrpd is not using SSL and can't read its commands.
From http://osdir.com/ml/network.inn/2003-08/msg00013.html I read about putting key.pem and cert.pem in /news/lib, but that had no effect.
My question is: how do I set up inn2/nnrpd to use SSL? How do I get it to use the certificate I generated? What step am I missing?
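The `unrecognized #026#003#001` lines in the log above are the diagnostic clue: nnrpd prints unprintable bytes as three-digit octal escapes, and 0x16 0x03 0x01 is the record header of a TLS ClientHello, so the client started a TLS handshake on the plaintext port 119. The following Python script is an added example (not from the question, the answers, or INN itself) that decodes those escapes and flags such sessions; the log lines are constructed to mirror the ones quoted in the question.

```python
import re

# Constructed sample modelled on the news.notice lines quoted in the question.
SAMPLE_LOG = """\
Apr 14 05:40:48 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net (70.171.32.39) connect - port 119
Apr 14 05:40:48 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net unrecognized #026#003#001
Apr 14 05:40:48 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net unrecognized #024
Apr 14 05:41:30 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net times user 0.000 system 0.005 idle 0.000 elapsed 41.803
Apr 14 16:57:00 linode-vps nnrpd[29640]: ip70-171-32-39.ga.at.cox.net (70.171.32.39) connect - port 119
Apr 14 16:57:01 linode-vps nnrpd[29640]: ip70-171-32-39.ga.at.cox.net unrecognized FOO
"""

TLS_HANDSHAKE = 0x16  # TLS record content type "handshake" (a ClientHello starts with it)
# Record-layer version; clients usually send 0x0301 here even when they support TLS 1.2.
RECORD_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

LINE_RE = re.compile(
    r"nnrpd\[(?P<pid>\d+)\]: (?P<host>\S+) "
    r"(?:\(\S+\) connect - port (?P<port>\d+)|unrecognized (?P<data>.*))$"
)


def decode_nnrpd_bytes(text):
    """Turn nnrpd's '#ooo' octal escapes back into raw bytes; other chars pass through."""
    out, i = bytearray(), 0
    while i < len(text):
        m = re.match(r"#([0-7]{3})", text[i:])
        out.append(int(m.group(1), 8) & 0xFF if m else ord(text[i]) & 0xFF)
        i += 4 if m else 1
    return bytes(out)


def find_tls_on_plaintext(log_text):
    """Return (pid, host, port, version) for sessions where a TLS hello hit a non-TLS nnrpd."""
    ports, findings = {}, []  # ports: pid -> port the session connected on
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m.group("port"):
            ports[m.group("pid")] = int(m.group("port"))
            continue
        raw = decode_nnrpd_bytes(m.group("data"))
        if len(raw) >= 3 and raw[0] == TLS_HANDSHAKE and raw[1] == 0x03:
            version = RECORD_VERSIONS.get(raw[1] << 8 | raw[2], "unknown")
            findings.append((m.group("pid"), m.group("host"), ports.get(m.group("pid")), version))
    return findings


if __name__ == "__main__":
    for pid, host, port, version in find_tls_on_plaintext(SAMPLE_LOG):
        print(f"nnrpd[{pid}]: {host} sent a {version} ClientHello to plaintext port {port}")
```

Feed it the real news.notice file to confirm which sessions are clients speaking TLS to a listener that expects plaintext NNTP; the fix is on the server side (a TLS-enabled nnrpd on 563), not in the client.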
When you change the port in inn.conf, you tell nnrpd to listen on port 563, but that doesn't automatically enable SSL. INN2 doesn't support listening for separate SSL connections on port 563; you have to get nnrpd to listen on that port manually.
From the nnrpd man page:
Most news clients currently do not use the STARTTLS command, however, and instead expect to connect to a separate port (563) and start a TLS negotiation immediately. innd does not, however, know how to listen for connections to that port and then spawn nnrpd the way that it does for regular reader connections. You will therefore need to arrange for nnrpd to listen on that port through some other means. This can be done with the -D flag along with "-p 563" and put into your init scripts:
    su news -c '<pathbin>/nnrpd -D -p 563 -S'
but the easiest way is probably to add a line like:
    nntps stream tcp nowait news <pathbin>/nnrpd nnrpd -S
to /etc/inetd.conf or the equivalent on your system and let inetd run nnrpd. (Change the path to nnrpd to match your installation.) You may need to replace "nntps" with 563 if "nntps" isn't defined in /etc/services on your system.
By the way, I have often run into problems with nnrpd's SSL implementation, so I use stunnel as an SSL proxy in front of nnrpd.
nnrpd uses the same certificate files as INN; they are defined in inn.conf:
You then have to set these inn.conf parameters with the right paths:
    tlscapath: <pathetc>
    tlscertfile: <pathetc>/cert.pem
    tlskeyfile: <pathetc>/key.pem
In case you have a certificate authority root certificate, you can also set tlscafile to its path.
It's best to edit inn.conf and, after choosing the TLS paths, specify the "flags" for nnrpd. I edited these lines:
    nnrpdflags: "-S"
    tlscapath: /etc/news
    tlscertfile: /etc/news/news.cert.pem
    tlskeyfile: /etc/news/news.key.pem
    tlsprotocols: [ TLSv1.2 ]
Then restart the service.