Subj : Re: Security
To   : Oli
From : Tony Langdon
Date : Mon May 04 2020 09:22 pm

-=> On 05-04-20 11:50, Oli wrote to Tony Langdon <=-

Ol> Works fine with SSH. Trust on first use (TOFU) works with TLS too.
Ol> There is also DANE / TLSA-records to put the (hash of the) public key
Ol> in DNS. You could also put it in the nodelist itself.

Yep, I can see that working.

Ol> node 5:6/7@fidonet -pipe "gnutls-cli --logfile /dev/null
Ol> --no-ca-verification --strict-tofu --disable-sni *H:24553"

Ol> Incoming connections with haproxy are three lines (works for every
Ol> mailer):

Ol> listen binkps
Ol>   bind :::24553 ssl crt fidonet.pem
Ol>   server binkd 127.0.0.1:24554

Will need tweaking, because binkd doesn't listen on 127.0.0.1 (or ::1).  :)
I'll use the LAN IP binkd listens on.  I assume all those tools support IPv6
these days too.

Ol> Synchronet's BinkIT does support TLS already. But only jumping through
Ol> hoops (with binkd) gives you TLS 1.3 connections.

Fair enough.  I may look into it further.


... It's people like you who make people like me above average.
=== MultiMail/Win v0.51
--- SBBSecho 3.10-Linux
* Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
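An added example, not part of Tony's or Oli's message: a small POSIX shell function that applies the trust-on-first-use policy the thread mentions (what gnutls-cli's --strict-tofu enforces) to a peer's certificate fingerprint. The store file format, the function name and the sample fingerprints are assumptions made for this illustration; the fingerprint would normally come from the peer's certificate (for example via openssl x509 -noout -fingerprint -sha256), which is not fetched here.

```shell
#!/bin/sh
# Added example (not from the original message): a minimal trust-on-first-use
# (TOFU) pin store for peer certificate fingerprints. First contact records the
# fingerprint; later contacts must match it, and a changed fingerprint is
# reported as a failure rather than silently re-pinned (strict TOFU).
#
# Usage: tofu_check STORE HOST FINGERPRINT
#   STORE       - path to a file of "host fingerprint" lines (assumed format,
#                 created on demand)
#   HOST        - peer identity, e.g. the node's hostname
#   FINGERPRINT - SHA-256 fingerprint of the peer's certificate
# Returns 0 when the peer is newly pinned or matches its pin, 1 on mismatch.
tofu_check() {
    store="$1"; host="$2"; fp="$3"
    [ -f "$store" ] || : > "$store"
    # exact match on the host field only, so "node" never matches "othernode"
    known=$(awk -v h="$host" '$1 == h { print $2; exit }' "$store")
    if [ -z "$known" ]; then
        # first use: record the pin and accept
        printf '%s %s\n' "$host" "$fp" >> "$store"
        echo "tofu: pinned $host on first use" >&2
        return 0
    fi
    if [ "$known" = "$fp" ]; then
        return 0
    fi
    # pin exists but the presented key differs: refuse, do not overwrite
    echo "tofu: REJECT $host: pinned $known, presented $fp" >&2
    return 1
}
```

The one design decision worth noting is that a mismatch never updates the store: with TOFU the only safe time to accept a key is the first contact, so a legitimate key rotation has to be handled by an operator removing the old line (or by publishing the new key out of band, e.g. in DANE/TLSA records or the nodelist as Oli suggests).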