• INN nnrpd-ssl error: "can't read: Permission denied"

    From Thomas Hochstein@21:1/5 to All on Sun May 29 11:22:46 2022
    Hi,

    sometimes nnrpd, using TLS, will log an error message I don't understand:
    | May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] can't read: Permission denied

    (nnrpd-ssl is a symlink to nnrpd)

    It's always the same user, AFAIS, and it's logged together with a
    "timeout" message, before the connection terminates, like that
    (identifying information removed):
    | May 28 xx:06:10 nnrpd-ssl[25759]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) no authentication
    | May 28 xx:06:10 nnrpd-ssl[25759]: ? reverse lookup for 2a02:8108:8dc0:[...] failed: Name or service not known -- using IP address for access
    | May 28 xx:06:10 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] (2a02:8108:8dc0:[...]) connect - port 119
    | May 28 xx:06:11 nnrpd-ssl[25759]: SERVER perl filtering enabled
    | May 28 xx:06:11 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] user [...]
    | May 28 xx:06:11 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] user [...]
    | May 28 xx:06:11 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] group [...] 0
    | [...]
    | May 28 xx:06:15 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] group [...] 0
    | May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] can't read: Permission denied
    | May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] timeout
    | May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] group [...] 0
    | May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] times user 0.096 system 0.016 idle 0.000 elapsed 2787.580
    | May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] overstats count 4 hit 10 miss 0 time 0 size 3742 dbz 0 seek 0 get 0 artcheck 0
    | May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] time 2787581 nntpwrite 3(66)

    This does not happen on every connect from that user, and it's not always
    the same group before or after the timeout.

    Where does that message come from, and what may be the reason?

    -thh

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
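An added example, not part of the post above and not INN code: a small Python script that groups nnrpd-ssl syslog lines by process id (nnrpd forks one process per client connection) and pulls out the sessions where a "can't read" error is logged in the same second as a "timeout", together with the TLS version and cipher from the starttls line and the elapsed time reported by the session. That lets the pattern described above be checked across a whole log file rather than by eye. The log lines inside it are constructed in the format shown in the post; the client addresses (2001:db8::1, 2001:db8::2), pids and clock times are invented, and the second session is there to show that a plain timeout without a preceding read error is not reported.

```python
"""Find nnrpd-ssl sessions where a "can't read" error coincides with a timeout.

Added example; not code from the thread or from INN.  Log lines are grouped
by the nnrpd process id (one process per client connection), and a session is
reported when a "can't read" message is followed by "timeout" within a short
window.  The sample log below is constructed in the format shown in the post;
client addresses, pids and clock times are invented.
"""
import re
from collections import defaultdict
from datetime import datetime

# "May 28 01:06:10 nnrpd-ssl[25759]: <message>"
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
STARTTLS_RE = re.compile(r"^starttls: (?P<version>\S+) with cipher (?P<cipher>\S+)")
CANT_READ_RE = re.compile(r"can't read: (?P<reason>.+)$")
TIMES_RE = re.compile(r"^times .* elapsed (?P<elapsed>[\d.]+)$")

# Constructed sample, modelled on the excerpt in the post.
SAMPLE_LOG = """\
May 28 01:06:10 nnrpd-ssl[25759]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) no authentication
May 28 01:06:10 nnrpd-ssl[25759]: ? reverse lookup for 2001:db8::1 failed: Name or service not known -- using IP address for access
May 28 01:06:10 nnrpd-ssl[25759]: 2001:db8::1 (2001:db8::1) connect - port 119
May 28 01:06:11 nnrpd-ssl[25759]: SERVER perl filtering enabled
May 28 01:06:11 nnrpd-ssl[25759]: 2001:db8::1 group example.test 0
May 28 01:52:38 nnrpd-ssl[25759]: 2001:db8::1 can't read: Permission denied
May 28 01:52:38 nnrpd-ssl[25759]: 2001:db8::1 timeout
May 28 01:52:38 nnrpd-ssl[25759]: 2001:db8::1 times user 0.096 system 0.016 idle 0.000 elapsed 2787.580
May 28 02:10:00 nnrpd-ssl[26001]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) no authentication
May 28 02:10:00 nnrpd-ssl[26001]: 2001:db8::2 (2001:db8::2) connect - port 119
May 28 02:20:00 nnrpd-ssl[26001]: 2001:db8::2 timeout
May 28 02:20:00 nnrpd-ssl[26001]: 2001:db8::2 times user 0.010 system 0.002 idle 0.000 elapsed 600.000
"""


def parse_line(line, year=2022):
    """Split one syslog line into timestamp, program, pid and message (or None)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog lines carry no year; the caller supplies it.
    ts = datetime.strptime("%s %s %s %s" % (year, m["month"], m["day"], m["time"]),
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "prog": m["prog"], "pid": int(m["pid"]), "msg": m["msg"]}


def sessions_by_pid(lines):
    """Group parsed records by pid, preserving log order within each pid."""
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            sessions[rec["pid"]].append(rec)
    return sessions


def find_read_error_timeouts(log_text, window_seconds=1):
    """Return one summary per session where "can't read" precedes "timeout"
    by at most window_seconds."""
    findings = []
    for pid, recs in sessions_by_pid(log_text.splitlines()).items():
        info = {"pid": pid, "client": None, "tls_version": None, "cipher": None,
                "read_error": None, "elapsed": None}
        cant_read_at = None
        flagged = False
        for rec in recs:
            msg = rec["msg"]
            if msg.startswith("? "):          # reverse-lookup notice, no client prefix
                continue
            m = STARTTLS_RE.match(msg)
            if m:
                info["tls_version"], info["cipher"] = m["version"], m["cipher"]
                continue
            # Remaining client messages are "<address> <rest>".
            client, _, rest = msg.partition(" ")
            if "connect - port" in rest:
                info["client"] = client
            m = CANT_READ_RE.search(rest)
            if m:
                info["read_error"] = m["reason"]
                cant_read_at = rec["ts"]
                continue
            if rest == "timeout" and cant_read_at is not None \
                    and (rec["ts"] - cant_read_at).total_seconds() <= window_seconds:
                flagged = True
                continue
            m = TIMES_RE.match(rest)
            if m:
                info["elapsed"] = float(m["elapsed"])
        if flagged:
            findings.append(info)
    return findings


if __name__ == "__main__":
    for f in find_read_error_timeouts(SAMPLE_LOG):
        print(f)
```

Run against a real news.notice the script needs only the year added as a parameter; the per-pid grouping is what makes it safe to correlate lines that carry no client address (the starttls line) with the ones that do.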
  • From Julien ÉLIE@21:1/5 to All on Sun May 29 11:57:46 2022
    Hi Thomas,

    > sometimes nnrpd, using TLS, will log an error message I don't understand:
    > | May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] can't read: Permission denied
    >
    > It's always the same user, AFAIS

    Do you happen to know which news reader he is using?

    > and it's logged together with a
    > "timeout" message, before the connection terminates, like that
    > (identifying information removed):
    > | May 28 xx:06:10 nnrpd-ssl[25759]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) no authentication
    > | May 28 xx:06:10 nnrpd-ssl[25759]: ? reverse lookup for 2a02:8108:8dc0:[...] failed: Name or service not known -- using IP address for access
    > | May 28 xx:06:10 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] (2a02:8108:8dc0:[...]) connect - port 119

    Is nnrpd-ssl listening to port 119 with implicit TLS (session directly encrypted)?
    Or is this client using explicit TLS (connecting to port 119 and then
    sending a STARTTLS command)?

    > | May 28 xx:06:15 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] group [...] 0
    > | May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] can't read: Permission denied
    > | May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] timeout
    >
    > This does not happen on every connect from that user, and it's not always
    > the same group before or after the timeout.
    >
    > Where does that message come from, and what may be the reason?

    Thanks to tests with Michael, I've recently improved how nnrpd handles
    timeouts during TLS sessions.
    The following change will be in INN 2.7.0:

    https://github.com/InterNetNews/inn/commit/e078fd53a4839593d79402e1ca6c672298ef577b

    I hope it will fix the error you see.
    Especially when the change consists of no longer SSL_read'ing incoming
    data after the close_notify shutdown alert.
    nnrpd now does the right logic, described in the (complex) OpenSSL documentation.

    --
    Julien ÉLIE

    « Il n'y a que le premier pas qui coûte. » (Mme du Deffand)

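An added illustration of the shutdown logic Julien describes, written for this page and not taken from INN or OpenSSL: a small Python model of a TLS record reader over a scripted byte stream. It puts the two behaviours side by side: a reader that goes back to the transport after the peer's close_notify alert (and so gets whatever the transport does next, scripted here either as EOF or as an arbitrary OSError standing in for an unhelpful read error), and one that remembers the close_notify and returns end-of-stream without reading again. Records are hand-built and unencrypted, there is no handshake, and the class and function names are this example's own. The OpenSSL state the `received_shutdown` flag stands for is `SSL_get_shutdown()` reporting `SSL_RECEIVED_SHUTDOWN`; the close_notify result corresponds to `SSL_read()` returning 0 with `SSL_get_error()` giving `SSL_ERROR_ZERO_RETURN`.

```python
"""Model of TLS close_notify handling at the record layer.

Added example, not INN's code and not OpenSSL: a tiny TLS record reader over
a scripted byte stream, written to show the difference between reading the
transport again after the peer's close_notify alert and remembering that the
alert was received.  Records are hand-built and unencrypted; there is no
handshake, and what the transport does after close_notify is scripted (EOF,
or an exception standing in for a read error) because TLS itself says nothing
about it from the application's point of view.
"""
import struct

CONTENT_ALERT = 21
CONTENT_APPDATA = 23
LEGACY_VERSION = b"\x03\x03"
CLOSE_NOTIFY_BODY = bytes([1, 0])   # alert level warning(1), description close_notify(0)


def record(content_type, payload):
    """Build one TLS record: type(1) version(2) length(2) payload."""
    return bytes([content_type]) + LEGACY_VERSION + struct.pack("!H", len(payload)) + payload


class ScriptedTransport:
    """Byte stream that returns the scripted bytes, then EOF or a scripted error."""

    def __init__(self, data, error_after_data=None):
        self.buf = data
        self.error = error_after_data
        self.reads = 0                 # how often the application hit the transport

    def recv(self, n):
        self.reads += 1
        if self.buf:
            chunk, self.buf = self.buf[:n], self.buf[n:]
            return chunk
        if self.error is not None:
            raise self.error
        return b""


class RecordReader:
    def __init__(self, transport):
        self.transport = transport
        self.received_shutdown = False   # analogue of OpenSSL's SSL_RECEIVED_SHUTDOWN flag

    def _read_exact(self, n):
        data = b""
        while len(data) < n:
            chunk = self.transport.recv(n - len(data))
            if not chunk:
                return None              # transport EOF
            data += chunk
        return data

    def _read_record(self):
        header = self._read_exact(5)
        if header is None:
            return None
        length = struct.unpack("!H", header[3:5])[0]
        body = self._read_exact(length)
        if body is None:
            raise ConnectionError("transport closed in the middle of a record")
        return header[0], body

    def _dispatch(self, rec):
        content_type, body = rec
        if content_type == CONTENT_ALERT and body == CLOSE_NOTIFY_BODY:
            self.received_shutdown = True
            return b""                   # clean end of the TLS session
        if content_type == CONTENT_APPDATA:
            return body
        raise ValueError("unexpected record type %d" % content_type)

    def read_naive(self):
        """Always goes back to the transport, even after close_notify was seen."""
        rec = self._read_record()
        return b"" if rec is None else self._dispatch(rec)

    def read(self):
        """Stops touching the transport once the peer's close_notify has arrived."""
        if self.received_shutdown:
            return b""
        rec = self._read_record()
        if rec is None:
            raise ConnectionError("transport closed without close_notify")
        return self._dispatch(rec)


def drain(reader, naive):
    """Read application data to end of stream, then read once more the way a
    command loop waiting for the next client command would, and report what
    that extra read did."""
    read = reader.read_naive if naive else reader.read
    messages = []
    while True:
        data = read()
        if not data:
            break
        messages.append(data)
    try:
        outcome = "eof" if read() == b"" else "data"
    except Exception as exc:             # report whatever error type the transport produced
        outcome = type(exc).__name__
    return {"messages": messages, "extra_read": outcome,
            "transport_reads": reader.transport.reads,
            "received_shutdown": reader.received_shutdown}


# Constructed session: one application-data record, then the peer's close_notify.
SESSION = record(CONTENT_APPDATA, b"GROUP example.test\r\n") + record(CONTENT_ALERT, CLOSE_NOTIFY_BODY)

if __name__ == "__main__":
    err = PermissionError("stand-in for an unhelpful read error")
    print("naive  :", drain(RecordReader(ScriptedTransport(SESSION, err)), naive=True))
    print("correct:", drain(RecordReader(ScriptedTransport(SESSION, err)), naive=False))
```

The point the two summaries make is that the correct reader's extra read costs no transport call at all: once close_notify has been received there is nothing left to read at the TLS layer, and any error surfaced by reading further is a property of the socket, not of the TLS session.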
  • From Julien ÉLIE@21:1/5 to All on Sun May 29 12:54:11 2022
    Just adding:
    > The following change will be in INN 2.7.0:
    >
    > https://github.com/InterNetNews/inn/commit/e078fd53a4839593d79402e1ca6c672298ef577b

    Already in INN 2.6.5 by the way.
    In case you have the opportunity to test how INN 2.6.5 (or 2.7.0rc1)
    behaves, I would be glad to hear.

    --
    Julien ÉLIE

    « – Dis, je crois avoir entendu parler gothique par là !
    – Tu as des visions, Pamplemus ! » (Astérix)

  • From Jesse Rehmer@21:1/5 to All on Tue May 31 21:30:39 2022
    On 5/29/22 5:54 AM, Julien ÉLIE wrote:
    > Just adding:
    > The following change will be in INN 2.7.0:
    >
    > https://github.com/InterNetNews/inn/commit/e078fd53a4839593d79402e1ca6c672298ef577b
    >
    > Already in INN 2.6.5 by the way.
    > In case you have the opportunity to test how INN 2.6.5 (or 2.7.0rc1)
    > behaves, I would be glad to hear.

    It may be worth mentioning either in INSTALL or pgpverify that GnuPG
    2.1.0 will not import or verify most existing (PGP-2) keys. The
    --allow-weak-digest-algos option was removed in 2.1
    (https://www.gnupg.org/faq/whats-new-in-2.1.html#nopgp2). So one would
    most likely want 1.4.x or 2.0.x for the foreseeable future.
