*** doc/man/nnrpd.8-orig Tue Jun 20 04:15:08 2000 --- doc/man/nnrpd.8 Tue Jun 20 04:42:02 2000 *************** *** 31,36 **** --- 31,39 ---- [ .B \-t ] + [ + .B \-S + ] .SH DESCRIPTION .I Nnrpd is an NNTP server for newsreaders. *************** *** 157,162 **** --- 160,173 ---- This has to be a valid Internet address in dotted-quad format belonging to an interface of the local host. + .TP + .B \-S + If specified, + .I nnrpd + start a negotiation for SSL session as soon as connected. + To use this option, + .I nnrpd + must be built with OpenSSL at compile time. .SH "PROTOCOL DIFFERENCES" .I Nnrpd implements the NNTP commands defined in RFC 977, with the following *** nnrpd/nnrpd.c-orig Tue Jun 20 03:38:12 2000 --- nnrpd/nnrpd.c Tue Jun 20 04:13:03 2000 *************** *** 706,712 **** struct group *grp; GID_T shadowgid; #endif /* HAVE_GETSPNAM */ ! #if !defined(_HPUX_SOURCE) /* Save start and extent of argv for TITLEset. */ TITLEstart = argv[0]; --- 706,714 ---- struct group *grp; GID_T shadowgid; #endif /* HAVE_GETSPNAM */ ! #ifdef HAVE_SSL ! int ssl_result; ! #endif /* HAVE_SSL */ #if !defined(_HPUX_SOURCE) /* Save start and extent of argv for TITLEset. */ TITLEstart = argv[0]; *************** *** 725,731 **** if (ReadInnConf() < 0) exit(1); ! while ((i = getopt(argc, argv, "b:Di:g:op:Rr:s:t")) != EOF) switch (i) { default: Usage(); --- 727,733 ---- if (ReadInnConf() < 0) exit(1); ! while ((i = getopt(argc, argv, "b:Di:g:op:Rr:s:t:S")) != EOF) switch (i) { default: Usage(); *************** *** 764,769 **** --- 766,776 ---- case 't': /* Tracing */ Tracing = TRUE; break; + #ifdef HAVE_SSL + case 'S': /* SSL negotiation as soon as connected */ + initialSSL = TRUE; + break; + #endif /* HAVE_SSL */ } argc -= optind; if (argc) *************** *** 936,941 **** --- 943,981 ---- exit(1); } STATstart = TIMEINFOasDOUBLE(Now); + + #ifdef HAVE_SSL + if (initialSSL) { + sasl_config_read(); + ssl_result=tls_init_serverengine(5, /* depth to verify */ + 1, /* can client auth? 
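Review bot: The new getopt string `"b:Di:g:op:Rr:s:t:S"` puts a colon after `t`, so `-t` now requires an argument, yet `case 't'` in the 764 hunk still only sets `Tracing = TRUE` and the man page still lists `-t` as bare; the old string had `t` with no colon, so this is a regression introduced while appending `S`. It should read `"b:Di:g:op:Rr:s:tS"`. Separately, `S` is accepted by getopt unconditionally while its `case 'S'` is compiled only under `#ifdef HAVE_SSL`, so on a non-SSL build `-S` lands in `default: Usage()`; if that is the intended behaviour a comment on the case would make it explicit, e.g. `/* without HAVE_SSL, -S is rejected via default: Usage() */`. The enclosing function starts and ends outside the hunk.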
*/ + 0, /* required client to auth? */ + (char *)sasl_config_getstring("tls_ca_file", ""), + (char *)sasl_config_getstring("tls_ca_path", ""), + (char *)sasl_config_getstring("tls_cert_file", ""), + (char *)sasl_config_getstring("tls_key_file", "")); + if (ssl_result == -1) { + Reply("%d Error initializing TLS\r\n", NNTP_STARTTLS_BAD_VAL); + + syslog(L_ERROR, "error initializing TLS: " + "[CA_file: %s] [CA_path: %s] [cert_file: %s] [key_file: %s]", + (char *) sasl_config_getstring("tls_ca_file", ""), + (char *) sasl_config_getstring("tls_ca_path", ""), + (char *) sasl_config_getstring("tls_cert_file", ""), + (char *) sasl_config_getstring("tls_key_file", "")); + ExitWithStats(1, FALSE); + } + + ssl_result=tls_start_servertls(0, /* read */ + 1); /* write */ + if (ssl_result==-1) { + Reply("%d Starttls failed\r\n", NNTP_STARTTLS_BAD_VAL); + ExitWithStats(1, FALSE); + } + + nnrpd_starttls_done=1; + } + #endif /* HAVE_SSL */ #if NNRP_LOADLIMIT > 0 if ((load = GetLoadAverage()) > NNRP_LOADLIMIT) { *** nnrpd/nnrpd.h-orig Tue Jun 20 03:50:27 2000 --- nnrpd/nnrpd.h Tue Jun 20 03:51:00 2000 *************** *** 131,136 **** --- 131,137 ---- EXTERN ACCESSGROUP *PERMaccessconf; EXTERN BOOL Tracing; EXTERN BOOL Offlinepost; + EXTERN BOOL initialSSL; EXTERN char **PERMreadlist; EXTERN char **PERMpostlist; EXTERN char ClientHost[SMBUF];
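Review bot: When `tls_start_servertls` returns -1 the new block replies `Starttls failed` and exits, but unlike the `tls_init_serverengine` failure just above it writes nothing to syslog, so a failed handshake on a `-S` listener leaves no server-side record for an operator to find; add `syslog(L_ERROR, "starttls failed on initial connection");` before that `ExitWithStats(1, FALSE)`. Both `Reply()` calls in this block go out in plaintext to a client that, under `-S`, is presumably waiting for a TLS handshake rather than an NNTP status line, so the syslog entry is what will actually be seen. `initialSSL` is declared via `EXTERN BOOL initialSSL;` in the nnrpd.h hunk with no explicit initializer and is only ever set in the `case 'S'` hunk; it presumably relies on zero-initialised file-scope storage, which is worth confirming against how `EXTERN` is defined. The enclosing function starts and ends outside the hunk.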