[slrn] STARTTLS on port 119
Porcospino
2021-03-21 18:01:12 UTC
Does slrn support encrypted connections (with STARTTLS) on port 119? As
opposed to always having plaintext on 119 and always using 563 for
SSL/TLS.
Lewis
2021-03-21 23:33:36 UTC
Post by Porcospino
Does slrn support encrypted connections (with STARTTLS) on port 119?
Isn't that a non-standard hack?
Post by Porcospino
As opposed to always having plaintext on 119 and always using 563 for
SSL/TLS.
I am not sure that slrn supports STARTTLS at all (I've never used
STARTTLS for nntp) but most hosts provide a variety of ports that are
SSL, including some that support port 80 to get around firewalls.

<https://tools.ietf.org/html/rfc8143#section-2>
NNTP implementations and deployments SHOULD prefer implicit TLS, and
therefore use strict TLS configuration (Section 3.2 of RFC 7525
[BCP195]). That is to say, they SHOULD use a port dedicated to NNTP
over TLS and begin the TLS negotiation immediately upon connection
(contrary to a dynamic upgrade from unencrypted to TLS-protected
traffic via the use of the STARTTLS command
--
'And I suppose you know what sound is made by one hand clapping, do
you?' said the holy man nastily. YES. CL. THE OTHER HAND MAKES
THE AP.
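The RFC text quoted above draws the line between the two ways of getting TLS on NNTP: implicit TLS on a dedicated port (563), where the handshake happens before any NNTP byte is exchanged, and an in-band STARTTLS upgrade on port 119, where the client first talks plaintext, reads CAPABILITIES, and only then asks to switch. The practical risk with the in-band variant is that everything seen before the upgrade travelled in the clear, so a client that wants encryption has to treat the pre-TLS capability list as advisory only and must refuse to carry on in plaintext if STARTTLS is missing or fails. The example below is added here and is not code from slrn, from gmane, or from anyone in this thread. Protocol details come from RFC 4642 (the STARTTLS capability label, the STARTTLS command, the 382 reply) and RFC 3977 (reply formats); the two port numbers are the ones discussed in the thread. The SocketTransport class needs network access and is not exercised offline; the ScriptedServer and its transcript are constructed stand-ins so the policy logic can be run without a server.

```python
import socket
import ssl

NNTP_PORT = 119   # plaintext; may be upgraded in-band with STARTTLS (RFC 4642)
NNTPS_PORT = 563  # implicit TLS from the first byte; preferred by RFC 8143


class TlsRequired(Exception):
    """Raised when the policy demands TLS but the server cannot provide it."""


def parse_capabilities(lines):
    """Turn a CAPABILITIES reply ('101 ...', labels, '.') into {LABEL: [args]}."""
    if not lines or not lines[0].startswith("101"):
        raise ValueError("unexpected CAPABILITIES reply: %r" % lines[:1])
    caps = {}
    for line in lines[1:]:
        if line == ".":
            break
        if line.startswith(".."):            # undo dot-stuffing (RFC 3977)
            line = line[1:]
        if not line.strip():
            continue
        label, *args = line.split()
        caps[label.upper()] = args
    return caps


def read_reply(t):
    """Read one reply: the status line plus, for 101 replies, the dot-terminated block."""
    lines = [t.read_line()]
    if lines[0].startswith("101"):
        while lines[-1] != ".":
            lines.append(t.read_line())
    return lines


def connect_policy(t, require_tls=True):
    """Greeting, CAPABILITIES and (if needed) STARTTLS; refuse plaintext if TLS is required.

    The capabilities returned are the ones learned *after* TLS is up. The pre-TLS list
    travelled in the clear and could have been altered on path, so it is only used to
    decide whether a STARTTLS attempt is worth making.
    """
    greeting = t.read_line()
    if greeting[:3] not in ("200", "201"):
        raise ConnectionError("unexpected greeting: " + greeting)
    if not t.tls:
        t.send("CAPABILITIES")
        pre_caps = parse_capabilities(read_reply(t))
        if "STARTTLS" in pre_caps:
            t.send("STARTTLS")
            reply = t.read_line()
            if reply.startswith("382"):       # "Continue with TLS negotiation"
                t.start_tls()
            elif require_tls:
                raise TlsRequired("STARTTLS refused: " + reply)
        elif require_tls:
            raise TlsRequired("STARTTLS not advertised; not continuing in plaintext")
        if not t.tls:
            return {"tls": False, "capabilities": pre_caps}
    t.send("CAPABILITIES")                    # re-learn capabilities over the protected channel
    return {"tls": True, "capabilities": parse_capabilities(read_reply(t))}


class SocketTransport:
    """Line-oriented NNTP transport over a real socket (needs network; not run offline)."""

    def __init__(self, host, port=NNTPS_PORT, implicit_tls=True):
        self.host = host
        self.ctx = ssl.create_default_context()   # CERT_REQUIRED plus hostname check
        self.sock = socket.create_connection((host, port), timeout=30)
        self.tls = False
        if implicit_tls:
            self.start_tls()                      # handshake before any NNTP byte

    def start_tls(self):
        self.sock = self.ctx.wrap_socket(self.sock, server_hostname=self.host)
        self.tls = True

    def send(self, cmd):
        self.sock.sendall((cmd + "\r\n").encode("ascii"))

    def read_line(self):
        buf = bytearray()
        while not buf.endswith(b"\r\n"):
            chunk = self.sock.recv(1)
            if not chunk:
                raise ConnectionError("connection closed by server")
            buf += chunk
        return bytes(buf[:-2]).decode("ascii", "replace")


class ScriptedServer:
    """Offline stand-in for a server on port 119; its transcript is constructed for this example."""

    def __init__(self, offers_starttls=True, accepts_starttls=True):
        self.offers_starttls = offers_starttls
        self.accepts_starttls = accepts_starttls
        self.tls = False
        self.log = []                                   # commands the client sent
        self._out = ["200 news.example.invalid ready (constructed)"]

    def send(self, cmd):
        self.log.append(cmd)
        if cmd == "CAPABILITIES":
            caps = ["101 Capability list:", "VERSION 2", "READER"]
            if self.offers_starttls and not self.tls:
                caps.append("STARTTLS")                 # RFC 4642: only advertised before TLS
            self._out += caps + ["."]
        elif cmd == "STARTTLS":
            if self.tls:
                self._out.append("502 Command unavailable")
            elif self.accepts_starttls:
                self._out.append("382 Continue with TLS negotiation")
            else:
                self._out.append("580 Can not initiate TLS negotiation")
        else:
            self._out.append("500 Unknown command")

    def read_line(self):
        return self._out.pop(0)

    def start_tls(self):
        self.tls = True                                 # stands in for the real handshake
```

With a real server, `connect_policy(SocketTransport(host))` uses implicit TLS on 563 and never sends a plaintext command, while `connect_policy(SocketTransport(host, NNTP_PORT, implicit_tls=False))` does the in-band upgrade and raises `TlsRequired` rather than falling back to plaintext when STARTTLS is not advertised or is refused. Passing `require_tls=False` reproduces the "plaintext is fine for public list archives" stance from later in the thread, but as an explicit choice rather than a silent downgrade.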
Porcospino
2021-03-22 11:34:40 UTC
Post by Lewis
Post by Porcospino
Does slrn support encrypted connections (with STARTTLS) on port 119?
Isn't that a non-standard hack?
It's not the preferred solution (should, not must, use a dedicated port), yes.
Post by Lewis
most hosts provide a variety of ports that are
SSL, including some that support port 80 to get around firewalls.
I wanted to access news.gmane.io, a mailing list-to-NNTP gateway, but it
seems to only support starttls on port 119. I'll have a better look,
though.
Lewis
2021-03-22 13:20:12 UTC
Post by Porcospino
Post by Lewis
Post by Porcospino
Does slrn support encrypted connections (with STARTTLS) on port 119?
Isn't that a non-standard hack?
It's not the preferred solution (should, not must, use a dedicated port), yes.
Post by Lewis
most hosts provide a variety of ports that are
SSL, including some that support port 80 to get around firewalls.
I wanted to access news.gmane.io, a mailing list-to-NNTP gateway, but it
seems to only support starttls on port 119. I'll have a better look,
though.
Well, gmane is ... well, it's gmane. Still, it seems a bit silly to be
overly worried about using SSL to access mailing list posts that are
public and widely available.

Any REASONABLE NNTP server will use NNTPS. I am surprised that,
considering how recently they had to move their servers, they were so
incompetent... er, clueless? Ignorant? Stupid? I'm not sure of the best
word here... to not use NNTPS.
--
"Are you pondering what I'm pondering?"
"I think so, Brain! But no more eels in jelly for me, thanks—I like
my gelatin after lunch."
Porcospino
2021-03-22 19:40:29 UTC
Post by Lewis
Post by Porcospino
I wanted to access news.gmane.io, a mailing list-to-NNTP gateway, but it
seems to only support starttls on port 119. I'll have a better look,
though.
Well, gmane is ... well, it's gmane. Still, it seems a bit silly to be
overly worried about using SSL to access mailing list posts that are
public and widely available.
I will be happy to use plaintext if the alternative is too much of a
hassle, especially if I'm not posting anything through it, but given how
easy it is to get a certificate nowadays and how widespread SSL is even
for resources that aren't particularly sensitive, I prefer encryption
when possible.
Post by Lewis
Any REASONABLE NNTP server will use NNTPS. I am surprised that,
considering how recently they had to move their servers, they were so
incompetent... er, clueless? Ignorant? Stupid? I'm not sure of the best
word here... to not use NNTPS.
Agreed. If they only had plaintext that would've been fine (even if it's
a bit of a lazy solution for a server set up in 2020), but the STARTTLS
quirk is just odd.
Lewis
2021-03-22 22:12:06 UTC
Post by Porcospino
Post by Lewis
Post by Porcospino
I wanted to access news.gmane.io, a mailing list-to-NNTP gateway, but it
seems to only support starttls on port 119. I'll have a better look,
though.
Well, gmane is ... well, it's gmane. Still, it seems a bit silly to be
overly worried about using SSL to access mailing list posts that are
public and widely available.
I will be happy to use plaintext if the alternative is too much of a
hassle, especially if I'm not posting anything through it, but given how
easy it is to get a certificate nowadays and how widespread SSL is even
for resources that aren't particularly sensitive, I prefer encryption
when possible.
Yep, that is generally how I feel. But then again, I never understood
the appeal of gmane at all. If I want to read a mailing list I either
subscribe to it, or I read the archives or, in some cases, I request
that the list send me the last 100 posts. Why I would use a news
gateway is a question I can't answer. Bonkers.
Post by Porcospino
Post by Lewis
Any REASONABLE NNTP server will use NNTPS. I am surprised that,
considering how recently they had to move their servers, they were so
incompetent... er, clueless? Ignorant? Stupid? I'm not sure of the best
word here... to not use NNTPS.
Agreed. If they only had plaintext that would've been fine (even if it's
a bit of a lazy solution for a server set up in 2020), but the STARTTLS
quirk is just odd.
Yes, it is. Have you pointed it out to them? Setting up acme and NNTPS
is the work of ¿maybe? 10 minutes, if you are starting from scratch and
don't know anything about LetsEncrypt. And it's 10 minutes once, and
then forget it.
--
'Where's the gritsucker? And the rock?'
'Ah,' said Vimes, 'you are referring to those representative members of
our fellow sapient races who have chosen to throw in their lots with
the people of this city?'
'I mean the dwarf and the troll,' said Quirke. --Men at Arms
Grant Taylor
2021-03-22 22:37:38 UTC
Post by Lewis
Yep, that is generally how I feel. But then again, I never understood
the appeal of gmane at all. If I want to read a mailing list I
either subscribe to it, or I read the archives or, in some cases,
I request that the list send me the last 100 posts. Why I would use
a news gateway is a question I can't answer. Bonkers.
I think that one of the appeals of Gmane is / was that it aggregated
many mailing lists into one place and could be accessed via one method
(NNTP). You didn't need to locate each individual mailing list's
archive wherever it currently happens to be on the web. There is also a
chance that Gmane's archive is deeper than the current mailing list
archive (e.g. after moving to a new mailing list host).
Post by Lewis
Yes, it is. Have you pointed it out to them? Setting up acme and NNTPS
is the work of ¿maybe? 10 minutes, if you are starting from scratch
and don't know anything about LetsEncrypt. And it's 10 minutes once,
and then forget it.
If they've got STARTTLS+NNTP then chances are extremely good that they
already have a certificate for NNTPS.
--
Grant. . . .
unix || die
Lewis
2021-03-23 09:28:58 UTC
Post by Grant Taylor
Post by Lewis
Yes, it is. Have you pointed it out to them? Setting up acme and NNTPS
is the work of ¿maybe? 10 minutes, if you are starting from scratch
and don't know anything about LetsEncrypt. And it's 10 minutes once,
and then forget it.
If they've got STARTTLS+NNTP then chances are extremely good that they
already have a certificate for NNTPS.
I know it used to be possible to use STARTTLS for a mail server with a
self-signed cert, and I have not set up nntp in... <ponders> I think it
was 1993? Definitely before http was a thing and back when I'd never
heard of certificates, so I'd not want to assume they have a 'real'
certificate.

But yes, probably.
--
Latet anguis in herba.
Grant Taylor
2021-03-23 17:49:00 UTC
Post by Lewis
I know it used to be possible to use STARTTLS for a mail server with
a self-signed cert, and I have not set up nntp in... <ponders> I think
it was 1993?
It's still technically possible to use a self-signed certificate.
Though doing so is ill-advised as contemporary email clients will balk
at the self-signed certificate.

You're much better off getting a certificate from a trusted CA with
Let's Encrypt probably being the quintessential example.
Post by Lewis
Definitely before http was a thing and back when I'd never heard of
certificates, so I'd not want to assume they have a 'real' certificate.
SSL -> TLS has changed a LOT since then.

Note: I wasn't meaning to imply real vs non-real. I was only implying
that they have /a/ certificate if they are offering STARTTLS. ;-)
--
Grant. . . .
unix || die
Lewis
2021-03-23 18:05:17 UTC
Post by Grant Taylor
Post by Lewis
I know it used to be possible to use STARTTLS for a mail server with
a self-signed cert, and I have not set up nntp in... <ponders> I think
it was 1993?
It's still technically possible to use a self-signed certificate.
Though doing so is ill-advised as contemporary email clients will balk
at the self-signed certificate.
More than balk, they will not work. Well, many of them, including the
ones I use.
Post by Grant Taylor
Post by Lewis
Definitely before http was a thing and back when I'd never heard of
certificates, so I'd not want to assume they have a 'real' certificate.
SSL -> TLS has changed a LOT since then.
I don't think we even had SSL back then, that came along with web
browsers. If we did, I'd never run across it. Heck, you could do a ps
and see the logins and passwords of people's ftp sessions!
Post by Grant Taylor
Note: I wasn't meaning to imply real vs non-real. I was only implying
that they have /a/ certificate if they are offering STARTTLS. ;-)
Ah, right, good point.
--
Happy Jack wasn't tall, but he was a man
Porcospino
2021-03-23 18:34:33 UTC
Post by Lewis
Yep, that is generally how I feel. But then again, I never understood
the appeal of gmane at all. If I want to read a mailing list I either
subscribe to it, or I read the archives or, in some cases, I request
that the list send me the last 100 posts. Why I would use a news
gateway is a question I can't answer. Bonkers.
It's neater since you can casually follow many lists without flooding
your inbox. And one place, one method is easier than going through the
various archives on the web, as mentioned. Some people also prefer their
newsreader's scoring options.
Post by Lewis
Have you pointed it out to them? Setting up acme and NNTPS
is the work of ¿maybe? 10 minutes, if you are starting from scratch and
don't know anything about LetsEncrypt. And it's 10 minutes once, and
then forget it.
I will. They are already using a Let's Encrypt certificate, for what
it's worth, so it really shouldn't take them long.