我正在尝试设置一个本地 usenet 服务器 Inn2,并通过 SSL 进行身份验证,这样读者(客户端)就不需要以明文形式发送他们的密码。
我使用与手册页类似的说明生成了自签名证书nnrpd,http://linux.die.net/man/8/nnrpd,
openssl req -new -x509 -nodes -out /usr/local/news/lib/cert.pem \
-days 366 -keyout /usr/local/news/lib/key.pem
chown news:news /usr/local/news/lib/cert.pem
chmod 640 /usr/local/news/lib/cert.pem
chown news:news /usr/local/news/lib/key.pem
chmod 600 /usr/local/news/lib/key.pem
我正在运行 CentOS 6.2,并且 中没有news目录/usr/local,因此,我将cert.pem和key.pem放在了/usr/libexec/news/inn2 的二进制文件所在的位置。
然后我编辑/etc/news/inn2.conf并更改nnrpd为在 usenet SSL 端口 563 上运行。但是,在任何配置文件中我都看不到在哪里设置这些证书的路径。尝试在 Thunderbird 中通过端口 563 使用 SSL/TLS 进行连接不起作用;它超时并在运行 inn2 的服务器上记录错误。从/var/log/news/news.debug错误no_success_auth记录,从/var/log/news/news.notice几条消息记录,如
Apr 14 05:40:48 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net (70.171.32.39) connect - port 119
Apr 14 05:40:48 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net unrecognized #026#003#001
Apr 14 05:40:48 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net unrecognized �#024
Apr 14 05:40:48 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net unrecognized #001
Apr 14 05:41:30 linode-vps nnrpd[20802]: ip70-171-32-39.ga.at.cox.net times user 0.000 system 0.005 idle 0.000 elapsed 41.803
Apr 14 16:57:00 linode-vps nnrpd[29640]: ip70-171-32-39.ga.at.cox.net (70.171.32.39) connect - port 119
从这些日志来看,Thunderbird 似乎正在使用 SSL 发送数据(但奇怪的是通过端口 119?),但是inn2/nnrpd没有使用 SSL,并且无法读取其命令。
从http://osdir.com/ml/network.inn/2003-08/msg00013.html我读过将其放入,key.pem但这cert.pem没有/news/lib任何效果。
我的问题是,如何设置inn2/nnrpd使用 SSL?如何让它使用我生成的证书?我错过了哪些步骤?
答案1
当您更改端口时,inn.conf您会告诉nnrpd它监听端口 563,但它不会自动启用 SSL。INN2 不支持在端口 563 上监听单独的 SSL 连接。您必须手动nnrpd监听该端口。
来自 nnrpd 手册页:
Most news clients currently do not use the STARTTLS command, however, and instead expect to connect to a
separate port (563) and start a TLS negotiation immediately. innd does not, however, know how to listen
for connections to that port and then spawn nnrpd the way that it does for regular reader connections.
You will therefore need to arrange for nnrpd to listen on that port through some other means. This can
be done with the -D flag along with "-p 563" and put into your init scripts:
su news -c '<pathbin>/nnrpd -D -p 563 -S'
but the easiest way is probably to add a line like:
nntps stream tcp nowait news <pathbin>/nnrpd nnrpd -S
to /etc/inetd.conf or the equivalent on your system and let inetd run nnrpd. (Change the path to nnrpd
to match your installation.) You may need to replace "nntps" with 563 if "nntps" isn't defined in
/etc/services on your system.
顺便说一句。我经常遇到 nnrpd 的 SSL 实现问题,因此我使用 stunnel 作为 nnrpd 的 SSL 代理。
nnrpd 使用与 INN 相同的证书文件,它们定义在inn.conf:
You then have to set these inn.conf parameters with the right paths:
tlscapath: <pathetc>
tlscertfile: <pathetc>/cert.pem
tlskeyfile: <pathetc>/key.pem
In case you have a certificate authority root certificate, you can also set tlscafile to its path.
答案2
最好编辑 inn.conf,在选择 TLS 路径后为 nrrpd 指定“标志”,我已经编辑了这些行
nnrpdflags: "-S"
tlscapath: /etc/news
tlscertfile: /etc/news/news.cert.pem
tlskeyfile: /etc/news/news.key.pem
tlsprotocols: [ TLSv1.2 ]
然后重启服务