Subj : Re: Security
To   : Oli
From : Tony Langdon
Date : Mon May 04 2020 09:22 pm

-=> On 05-04-20 11:50, Oli wrote to Tony Langdon <=-

 Ol> Works fine with SSH. Trust on first use (TOFU) works with TLS too.
 Ol> There is also DANE / TLSA-records to put the (hash of the) public key
 Ol> in DNS. You could also put it in the nodelist itself.

Yep, I can see that working.

 Ol> node 5:6/7@fidonet -pipe "gnutls-cli --logfile /dev/null
 Ol> --no-ca-verification --strict-tofu --disable-sni *H:24553"

 Ol> Incoming connections with haproxy are three lines (works for every
 Ol> mailer):

 Ol> listen binkps
 Ol>   bind :::24553 ssl crt fidonet.pem
 Ol>   server binkd 127.0.0.1:24554

Will need tweaking, because binkd doesn't listen on 127.0.0.1 (or ::1). :)  I'll use the LAN IP binkd listens on.  I assume all those tools support IPv6 these days too.

 Ol> Synchronet's BinkIT does support TLS already. But only jumping through
 Ol> hoops (with binkd) gives you TLS 1.3 connections.

Fair enough.  I may look into it further.

.... It's people like you who make people like me above average.

=== MultiMail/Win v0.51
--- SBBSecho 3.10-Linux
 * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
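Added example, not part of Oli's or Tony's messages: a small Python script that derives the DANE TLSA record data Oli refers to (usage 3, selector 1, matching type 1, i.e. SHA-256 over the certificate's SubjectPublicKeyInfo) from a DER certificate, with a minimal DER walker so it needs no TLS library. The certificate it is fed is a constructed stand-in with the RFC 5280 field layout but no real key or signature; the record name and port are assumptions.

```python
import hashlib

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short or long-form length); used to build test input."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(buf: bytes, start: int, end: int):
    """Yield (tag, raw TLV bytes) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = _read_tlv(buf, pos)
        yield tag, buf[pos:vend]
        pos = vend

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280)."""
    _, s, e = _read_tlv(cert_der, 0)       # Certificate ::= SEQUENCE
    _, s, e = _read_tlv(cert_der, s)       # tbsCertificate ::= SEQUENCE
    fields = list(_children(cert_der, s, e))
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields.pop(0)
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def tlsa_3_1_1(cert_der: bytes) -> str:
    """DANE-EE record data: usage 3, selector 1 (SPKI), matching type 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(extract_spki(cert_der)).hexdigest()

# Constructed stand-in certificate (structure only, not a real key or signature).
DEMO_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
                                  + der_tlv(0x05, b"")) + der_tlv(0x03, b"\x00\x01\x02\x03"))
def make_demo_cert(with_version: bool = True, subject_len: int = 4) -> bytes:
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02")) if with_version else b"")
    tbs += der_tlv(0x02, b"\x01") + der_tlv(0x30, b"") + der_tlv(0x30, b"")
    tbs += der_tlv(0x30, b"") + der_tlv(0x30, der_tlv(0x0C, b"x" * subject_len)) + DEMO_SPKI
    return der_tlv(0x30, der_tlv(0x30, tbs) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
```

Run `tlsa_3_1_1(open("fidonet.der", "rb").read())` on the real certificate and publish the result as `_24553._tcp.<host> IN TLSA ...`; because selector 1 hashes only the key, the record stays valid when the certificate is reissued with the same key.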