Hi Michael,

   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503495

I don't think Debian should make it harder than needed to enable encryption.
NNTPS is a way to do it, but putting protocols inside SSL on another port is
nowadays deprecated in favor of TLS upgrade through STARTTLS. We really
should support that.

Is there any news about the package which will be shipped with Lenny?
Will documentation and support for TLS be fixed, as you suggested?


Regarding TLS, I also wish to add that a compliant news server MUST support it
in case authentication with AUTHINFO USER/PASS is provided.  The NNTP protocol
strongly highlights that.  According to RFC 4643:

  The AUTHINFO PASS command permits the client to use a clear-text
  password to authenticate.  A compliant implementation MUST NOT
  implement this command without also implementing support for TLS
  [NNTP-TLS].  Use of this command without an active strong encryption
  layer is deprecated, as it exposes the user's password to all parties
  on the network between the client and the server.  Any implementation
  of this command SHOULD be configurable to disable it whenever a
  strong encryption layer (such as that provided by [NNTP-TLS]) is not
  active, and this configuration SHOULD be the default.  The server
  will use the 483 response code to indicate that the datastream is
  insufficiently secure for the command being attempted (see Section
  3.2.1 of [NNTP]).


Incidentally, we also have in INN 2.5.0 support for AUTHINFO SASL so I hope
it will be supported by the Debian package and directly into "nnrpd".
Not for Lenny, though.  I think INN 2.5.0 will be ready for Squeeze!

--
Julien ÉLIE

« Non qui parum habet, sed qui plus cupit, pauper est. » (Senèque)
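
The RFC 4643 behaviour quoted in the message above, as an added example that is not part of the original message and is not INN or nnrpd code: a small model of a reader session that answers AUTHINFO USER/PASS with 483 until STARTTLS has succeeded. The class, the `require_tls_for_pass` setting, the account and the passphrase are constructed for illustration, and the TLS handshake is reduced to a flag.

```python
import hmac

class NNTPSession:
    """Constructed model of one reader session; not INN/nnrpd code."""
    def __init__(self, users, require_tls_for_pass=True):
        self.users = users                       # constructed store; real servers check a hash
        self.require_tls = require_tls_for_pass  # RFC 4643: refusing SHOULD be the default
        self.tls_active = False
        self.authenticated = False
        self.pending_user = None

    def handle(self, line):
        parts = line.strip().split(" ", 2)
        cmd = parts[0].upper()
        if cmd == "STARTTLS":
            if self.tls_active or self.authenticated:
                return "502 STARTTLS not available"
            self.tls_active = True               # stand-in for the real TLS handshake
            self.pending_user = None             # state from before the upgrade is discarded
            return "382 Continue with TLS negotiation"
        if cmd == "AUTHINFO" and len(parts) == 3 and parts[1].upper() in ("USER", "PASS"):
            return self._authinfo(parts[1].upper(), parts[2])
        return "500 Command not handled in this model"

    def _authinfo(self, kind, arg):
        if self.authenticated:
            return "502 Already authenticated"
        if self.require_tls and not self.tls_active:
            # Refuse at USER as well, so a client waiting for 381 never sends PASS in clear.
            return "483 Encryption required for AUTHINFO USER/PASS"
        if kind == "USER":
            self.pending_user = arg
            return "381 Enter passphrase"
        if self.pending_user is None:
            return "482 Authentication commands issued out of sequence"
        user, self.pending_user = self.pending_user, None
        expected = self.users.get(user, "")
        if expected and hmac.compare_digest(expected.encode(), arg.encode()):
            self.authenticated = True
            return "281 Authentication accepted"
        return "481 Authentication failed"

def transcript(session, lines):
    return [(line, session.handle(line)) for line in lines]

if __name__ == "__main__":
    demo = NNTPSession({"alice": "example-passphrase"})  # constructed account
    for c, s in transcript(demo, ["AUTHINFO USER alice", "STARTTLS", "AUTHINFO USER alice", "AUTHINFO PASS example-passphrase"]):
        print(f"C: {c}\nS: {s}")
```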


