Package: inn2
Version: 2.4.5-2
Severity: normal

README.Debian.gz contains some information regarding SSL support, but it turns out that what's written there is simply wrong; also, the SSL support in the package is completely broken anyway.

1. It says that one needs a CA cert in /etc/news/nnrpd-ca-cert.pem, a key in /etc/news/nnrpd-key.pem and a cert in /etc/news/nnrpd-cert.pem, and that the key should be chown root:news and chmod 0640. All of this is wrong. The paths are configured in /etc/news/sasl.conf and they point to a nonexistent directory, /usr/lib/news/lib, where a cert.pem containing both the key and the cert (and not a CA cert) is expected. This file must be owned by news, not by root, and it must have 0600 as permissions, not 0640.

2. After fixing path and permissions it still won't work. NNTP with SSL can be done in two flavors. The modern and better one would be the use of STARTTLS. This won't work because the shipped nnrpd binary does not contain SSL support, only nnrpd-ssl does, but this one is not the one inn calls upon reader.connect. So STARTTLS is broken by this design decision of Debian. I don't see a point in having nnrpd without SSL support and a separate binary for this anyway, because both are shipped in the same package.

3. The other flavor is NNTPS on port 563, which requires calling nnrpd-ssl with option "-S". /etc/init.d/inn2 does even contain a line to start this, but it won't work because it does su news and non-root can't bind to port 563.

Please consider removing nnrpd-ssl and making nnrpd SSL-capable, so that STARTTLS is enabled. Please find a way to make NNTPS work (preferably without using inetd as suggested by the INN docs). Also please fix the paths in sasl.conf and the docs.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22-xul
Locale: LANG=de_DE.UTF-8, LC_CTYPE=en_US.ISO-8859-15 (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages inn2 depends on:
ii  cron                   3.0pl1-104          management of regular background p
ii  inn2-inews             2.4.5-2             NNTP client news injector, from In
ii  libc6                  2.7-13              GNU C Library: Shared libraries
ii  libcomerr2             1.41.0-3            common error description library
ii  libdb4.6               4.6.21-8            Berkeley v4.6 Database Libraries [
ii  libkrb53               1.6.dfsg.4~beta1-4  MIT Kerberos runtime libraries
ii  libpam0g               1.0.1-4+b1          Pluggable Authentication Modules l
ii  libperl5.10            5.10.0-13           Shared Perl library
ii  libssl0.9.8            0.9.8g-13           SSL shared libraries
ii  nullmailer [mail-tran  1:1.04-1            simple relay-only mail transport a
ii  perl                   5.10.0-13           Larry Wall's Practical Extraction
ii  perl-base [perlapi-5.  5.10.0-13           minimal Perl system
ii  procps                 1:3.2.7-8           /proc file system utilities
ii  time                   1.7-23              The GNU time program for measuring

inn2 recommends no packages.

Versions of packages inn2 suggests:
ii  gnupg                  1.4.9-3             GNU privacy guard - a free PGP rep
ii  wget                   1.11.4-1            retrieves files from the web

-- no debconf information
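
One way to check a combined certificate file against the ownership, mode and content requirements described in point 1 of the report. This is an added example, not part of the original report or of the Debian package; the function name `check_nnrpd_pem` is hypothetical and GNU `stat` (as on Debian) is assumed.

```shell
#!/bin/sh
# Added example: audit the combined key+cert PEM file that nnrpd-ssl reads.
# Requirements taken from the report: owned by the news user, mode 0600,
# and containing both the certificate and the private key.
#
# Usage (path and user as given in the report):
#   check_nnrpd_pem /usr/lib/news/lib/cert.pem news
#
# Prints one line per finding; returns 0 if every check passes, 1 otherwise.
check_nnrpd_pem() {
    pem=$1
    owner=$2
    rc=0

    if [ ! -f "$pem" ]; then
        echo "FAIL: $pem does not exist"
        return 1
    fi

    # Accept either a user name or a numeric uid for the expected owner.
    case $owner in
        ''|*[!0-9]*) want_uid=$(id -u "$owner") || return 1 ;;
        *)           want_uid=$owner ;;
    esac

    have_uid=$(stat -c %u "$pem")   # GNU stat: numeric owner
    mode=$(stat -c %a "$pem")       # GNU stat: octal permission bits

    [ "$have_uid" = "$want_uid" ] ||
        { echo "FAIL: owner uid is $have_uid, expected $want_uid"; rc=1; }
    # A group-readable key (0640) is reported as failing in the bug report.
    [ "$mode" = "600" ] ||
        { echo "FAIL: mode is $mode, expected 600"; rc=1; }
    # The file must carry both blocks, not a CA certificate alone.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "FAIL: no certificate block found"; rc=1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "FAIL: no private key block found"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $pem"
    return "$rc"
}
```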