[Dialog] news.neodome.net stunnel.conf with workarounds for expired self-signed certificates

https://news.novabbs.org/computers/article-flat.php?id=1926&group=news.software.readers#1926

From: ronald@nospam.me (Ronald)
Newsgroups: news.software.readers
Subject: [Dialog] news.neodome.net stunnel.conf with workarounds for expired self-signed certificates
Date: Thu, 11 Jan 2024 16:47:52 -0500
Organization: To protect and to server
Message-ID: <unpnma$23tfn$1@paganini.bofh.team>
User-Agent: 40tude_Dialog/2.0.15.41 (Beta 38)

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome} stunnel.conf (tested on January 10th, 2024)
; See https://groups.google.com/g/news.software.readers/c/sxkkJYuI728
; Use a different port for each identity between 49152 & 65535
; Stunnel log will always report at least these next four lines:
; Reading configuration from file (path)\stunnel.conf
; UTF-8 byte order mark detected
; FIPS mode disabled
; Configuration successful
; Like it or not, posting to news.neodome.net requires a login/password
; Like it or not, news.neodome.net requires at least a 10-char passwd
; Like it or not, the news.neodome.net certificate is self-signed
; Like it or not, the news.neodome.net certificate expired in 12/2020
; Like it or not, news.neodome.net REQUIRES encryption when posting
; Like it or not, Dialog (circa 2005) uses old encryption standards
; Like it or not, news.neodome.net won't accept Dialog port 119
; Like it or not, news.neodome.net won't accept Dialog port 119 SSL
; Like it or not, news.neodome.net won't accept Dialog port 563
; But news.neodome.net will accept Dialog port 563 with Dialog SSL
; Like it or not, Dialog port 563 SSL uses old encryption standards
; These four tests suggested by Bernd & Vanguard worked in Jan 2024
; 1. news.neodome.net accepts Dialog port 563 SSL posts
; 2. news.neodome.net accepts sTunnel port 119 STARTTLS posts
; 3. news.neodome.net accepts sTunnel port 563 posts (ignoring the cert)
; 4. news.neodome.net accepts sTunnel port 563 posts (acknowledging cert)
; Each solution below is a tested workaround thanks to Bernd Rose & Vanguard
; Like it or not, Dialog obfuscates or omits some identity information
; So you may want to save that identity information here in stunnel.conf
; Neodome Identity: (archive your real email address here if you like)
; Dialog Identity: (archive your Dialog email address here if you like)
; Dialog Username = (archive your Dialog username here if you like)
; Dialog Password = (archive your Dialog password here if you like)
; System timezone: (archive your system timezone here if you like)
; Like it or not, SSL often cares about accurate time zone matching
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome1}
; This method sets Dialog to use Dialog port 563 SSL encryption
; 40Tude Dialog will NOT use the latest encryption standards.
; sTunnel is not involved so the stunnel.conf should be empty
; Dialog Host: news.neodome.net
; Dialog Port: 563
; Dialog SSL: checked
; Dialog Username: (required)
; Dialog Password: (required)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; No stunnel.conf entries are used for [Neodome1] setup
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome2}
; This method sets Dialog to use sTunnel port 119 STARTTLS.
; You'd think it wouldn't require a password, but it does
; If you are able to connect through sTunnel to a server
; that connection will always be encrypted (e.g., as STARTTLS)
; (Although, with the right setting, it is possible to use
; "null encryption" [aka a non-encrypting "encryption" method])
; Setting sTunnel to connect with protocol NNTP on port 119
; leads to a handshake with STARTTLS by default
; Like it or not, you'll see these sTunnel warnings with this entry
; LOG3: No trusted certificates found
; LOG4: Service [Neodome2] needs authentication to prevent MITM attacks
; Dialog Host: 127.0.0.1
; Dialog Port: 49152 (pick any unused port between 49152 & 65535)
; Dialog SSL: unchecked
; Dialog Username: (required)
; Dialog Password: (required)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; For self-signed certificates that have not expired, a good way to
; deal with them is to download them & they will be checked against
; the existing non-expired self-signed certificate (which has no chain)
; In Stunnel, if you've recently posted, you can do the following:
; Stunnel: Save Peer Certificate -> Peer-Neodome2.pem
; Up comes a box saying:
; Stunnel 5.69 on Win64
; Peer certificate change has been saved.
; Add the following lines to section [Neodome2]:
; CAfile = peer-Neodome2.pem
; verifyPeer = yes
; to enable cryptographic authentication.
; Then reload stunnel configuration file.
; This approach will fail for neodome but only because it is expired
[Neodome2]
client = yes
accept = 127.0.0.1:49152
connect = news.neodome.net:119
protocol = nntp
; CAfile = peer-Neodome2.pem
; verifyPeer = yes
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome3}
; This method sets Dialog to use sTunnel port 563 encryption
; Where this method does not even touch the certificate
; It's probably the best option because it uses current encryption
; Dialog Host: 127.0.0.1
; Dialog Port: 49153 (pick any unused port between 49152 & 65535)
; Dialog SSL: unchecked
; Dialog Username: (required)
; Dialog Password: (required)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; Like it or not, you'll see these sTunnel warnings with this entry
; LOG3: No trusted certificates found
; LOG4: Service [Neodome3] needs authentication to prevent MITM attacks
[Neodome3]
client = yes
accept = 127.0.0.1:49153
connect = news.neodome.net:563
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome4}
; This is a very minor variation on the method #3 tested above
; This method sets Dialog to use sTunnel port 563 encryption
; Where this method requires but does not check the certificate
; The "verify = 0" was initially suggested by the Neodome admin
; The "verify = 0" requests a certificate but does not check it
; Dialog Host: 127.0.0.1
; Dialog Port: 49154 (pick any unused port between 49152 & 65535)
; Dialog SSL: unchecked
; Dialog Username: (required)
; Dialog Password: (required)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; Like it or not, you'll see these sTunnel warnings with this entry
; LOG3: No trusted certificates found
; LOG4: Service [Neodome4] needs authentication to prevent MITM attacks
[Neodome4]
client = yes
accept = 127.0.0.1:49154
connect = news.neodome.net:563
verify = 0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Re: [Dialog] news.neodome.net stunnel.conf with workarounds for expired self-signed certificates

https://news.novabbs.org/computers/article-flat.php?id=1927&group=news.software.readers#1927

From: ronald@nospam.me (Ronald)
Newsgroups: news.software.readers
Subject: Re: [Dialog] news.neodome.net stunnel.conf with workarounds for expired self-signed certificates
Date: Thu, 11 Jan 2024 17:16:50 -0500
Organization: To protect and to server
Message-ID: <unppcj$240fp$1@paganini.bofh.team>
References: <unpnma$23tfn$1@paganini.bofh.team>
User-Agent: 40tude_Dialog/2.0.15.41 (Beta 38)

On Thu, 11 Jan 2024 16:47:52 -0500, Ronald wrote:
Cleaned it up a bit so that it can be saved in a Dialog archive.

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; stunnel.conf (tested on January 10th, 2024)
; <https://groups.google.com/g/news.software.readers/c/DTYKUX3VwLw>
; <https://groups.google.com/g/news.software.readers/c/sxkkJYuI728>
; Each solution below is a tested workaround thanks mostly to Bernd Rose
; Like it or not, Dialog obfuscates or omits some identity information
; So you may want to save that identity information here in stunnel.conf
; Neodome Identity: (archive your real email address here if you like)
; Dialog Identity: (archive your Dialog email address here if you like)
; Dialog Username = (archive your Dialog username here if you like)
; Dialog Password = (archive your Dialog password here if you like)
; Like it or not, SSL often cares about accurate time zone matching
; System timezone: (archive your system timezone here if you like)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Apparently news.neodome.net does not require authentication to read
; However, news.neodome.net requires a login/password to post
; And news.neodome.net requires at least a 10-character password
; Unfortunately, the news.neodome.net certificate is self-signed
; And worse, the news.neodome.net certificate expired in 12/2020
; Even so, news.neodome.net REQUIRES encryption when posting
; With the result that news.neodome.net won't accept Dialog port 119
; Unfortunately, Dialog (circa 2005) uses old encryption standards
; And unfortunately news.neodome.net won't accept Dialog port 119 SSL
; However news.neodome.net will accept Dialog port 563 old encryption
; And news.neodome.net will accept stunnel port 119 STARTTLS encryption
; Also news.neodome.net will accept that the certificate simply exists
; That gave us four working workarounds to the encryption problem set
; 1. news.neodome.net accepts Dialog port 563 SSL encryption
; 2. news.neodome.net accepts sTunnel port 119 protocol=nntp encryption
; 3. news.neodome.net accepts sTunnel port 563 ignoring the certificate
; 4. news.neodome.net accepts sTunnel port 563 acknowledging the cert
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome0}
; The boiler-plate section below "should" work but won't work in 2024
; because Neodome has a self-signed certificate which is also expired
; [Neodome0]
; Dialog Host: 127.0.0.1
; Dialog Port: 65534 (pick an unused port between 49152 & 65535)
; Dialog SSL: unchecked
; Dialog Username: (required for posting to most text newsgroups)
; Dialog Password: (required for posting to most text newsgroups)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; client = yes
; accept = 127.0.0.1:63534
; connect = news.neodome.net:563
; verifyChain = yes
; CAfile = ca-certs.pem
; checkHost = news.neodome.net
; OCSPaia = yes
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome1 workaround}
; This method sets Dialog to use Dialog port 563 SSL encryption
; 40Tude Dialog will NOT use the latest encryption standards.
; sTunnel is not involved so the stunnel.conf should be empty
; Dialog Host: news.neodome.net
; Dialog Port: 563
; Dialog SSL: checked
; Dialog Username: (required for posting to most text newsgroups)
; Dialog Password: (required for posting to most text newsgroups)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; No stunnel.conf entries are used for this [Neodome1] workaround
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome2 workaround}
; This method sets Dialog to use sTunnel port 119 STARTTLS.
; You'd think it wouldn't require a password, but it does
; If you are able to connect through sTunnel to a server
; that connection will always be encrypted (e.g., as STARTTLS)
; (Although, with the right setting, it is possible to use
; "null encryption" [aka a non-encrypting "encryption" method])
; Setting sTunnel to connect with protocol NNTP on port 119
; leads to a handshake with STARTTLS by default
; Like it or not, you'll see these sTunnel warnings with this entry
; LOG3: No trusted certificates found
; LOG4: Service [Neodome2] needs authentication to prevent MITM attacks
; Dialog Host: 127.0.0.1
; Dialog Port: 49152 (pick any unused port between 49152 & 65535)
; Dialog SSL: unchecked
; Dialog Username: (required for posting to most text newsgroups)
; Dialog Password: (required for posting to most text newsgroups)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; For self-signed certificates that have not expired, a good way to
; deal with them is to download them & they will be checked against
; the existing non-expired self-signed certificate (which has no chain)
; In Stunnel, if you've recently posted, you can do the following:
; Stunnel: Save Peer Certificate -> Peer-Neodome2.pem
; Up comes a box saying:
; Stunnel 5.69 on Win64
; Peer certificate change has been saved.
; Add the following lines to section [Neodome2]:
; CAfile = peer-Neodome2.pem
; verifyPeer = yes
; to enable cryptographic authentication.
; Then reload stunnel configuration file.
[Neodome2]
client = yes
accept = 127.0.0.1:49152
connect = news.neodome.net:119
protocol = nntp
; CAfile = peer-Neodome2.pem
; verifyPeer = yes
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome3 workaround}
; This method sets Dialog to use sTunnel port 563 encryption
; Where this method does not even touch the certificate
; It's probably the best option because it uses current encryption
; Dialog Host: 127.0.0.1
; Dialog Port: 49153 (pick any unused port between 49152 & 65535)
; Dialog SSL: unchecked
; Dialog Username: (required for posting to most text newsgroups)
; Dialog Password: (required for posting to most text newsgroups)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; Like it or not, you'll see these sTunnel warnings with this entry
; LOG3: No trusted certificates found
; LOG4: Service [Neodome3] needs authentication to prevent MITM attacks
[Neodome3]
client = yes
accept = 127.0.0.1:49153
connect = news.neodome.net:563
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome4 workaround}
; This is a very minor variation on the method #3 tested above
; This method sets Dialog to use sTunnel port 563 encryption
; Where this method requires but does not check the certificate
; The "verify = 0" was initially suggested by the Neodome admin
; The "verify = 0" requests a certificate but does not check it
; Dialog Host: 127.0.0.1
; Dialog Port: 49154 (pick any unused port between 49152 & 65535)
; Dialog SSL: unchecked
; Dialog Username: (required for posting to most text newsgroups)
; Dialog Password: (required for posting to most text newsgroups)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; Like it or not, you'll see these sTunnel warnings with this entry
; LOG3: No trusted certificates found
; LOG4: Service [Neodome4] needs authentication to prevent MITM attacks
[Neodome4]
client = yes
accept = 127.0.0.1:49154
connect = news.neodome.net:563
verify = 0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Re: [Dialog] news.neodome.net stunnel.conf with workarounds for expired self-signed certificates

https://news.novabbs.org/computers/article-flat.php?id=1930&group=news.software.readers#1930

From: larrywolff@larrywolff.net (Larry Wolff)
Newsgroups: news.software.readers
Subject: Re: [Dialog] news.neodome.net stunnel.conf with workarounds for expired self-signed certificates
Date: Fri, 12 Jan 2024 00:07:30 -0500
Organization: rocksolid2 (novabbs.org)
Message-ID: <unqhen$10602$1@novabbs.org>
References: <unpnma$23tfn$1@paganini.bofh.team> <unppcj$240fp$1@paganini.bofh.team>
User-Agent: Xnews/2006.08.24

On 1/11/2024 5:16 PM, Ronald wrote:

> On Thu, 11 Jan 2024 16:47:52 -0500, Ronald wrote:
> Cleaned it up a bit so that it can be saved in a Dialog archive.
>
> [stunnel.conf workaround templates, quoted in full from the previous post]

Does this set the encryption to TLS or to something else?

Re: [Dialog] news.neodome.net stunnel.conf with workarounds for expired self-signed certificates

https://news.novabbs.org/computers/article-flat.php?id=1932&group=news.software.readers#1932

From: b.rose.tmpbox@arcor.de (Bernd Rose)
Newsgroups: news.software.readers
Subject: Re: [Dialog] news.neodome.net stunnel.conf with workarounds for expired self-signed certificates
Date: Fri, 12 Jan 2024 17:39:12 +0100
Message-ID: <ompqxo9wvpo1.dlg@b.rose.tmpbox.news.arcor.de>
References: <unpnma$23tfn$1@paganini.bofh.team> <unppcj$240fp$1@paganini.bofh.team> <unqhen$10602$1@novabbs.org>
User-Agent: 40tude_Dialog/2.0.15.41 (eea94ff3.430.259)

On Fri, 12th Jan 2024 00:07:30 -0500, Larry Wolff wrote:

[sTunnel configuration examples]
> Does this set the encryption to TLS or to something else?

If not explicitly set, default options apply. The current default sTunnel
securityLevel is 2. The explanation for this level hasn't been updated
in the sTunnel documentation for quite some time. Current sTunnel 5.71
is compiled against OpenSSL 3.1.3, which by default permits neither SSL
nor any TLS prior to TLS 1.2. Therefore (depending on the server
capabilities) sTunnel will connect with at least TLS 1.2 with default
options. Any lesser protocol requires explicitly lowering the security
settings.

Bernd

Re: [Dialog] news.neodome.net stunnel.conf with workarounds for expired self-signed certificates

https://news.novabbs.org/computers/article-flat.php?id=1933&group=news.software.readers#1933

From: b.rose.tmpbox@arcor.de (Bernd Rose)
Newsgroups: news.software.readers
Subject: Re: [Dialog] news.neodome.net stunnel.conf with workarounds for expired self-signed certificates
Date: Fri, 12 Jan 2024 18:59:11 +0100
Message-ID: <1a0ddv3w8axow.dlg@b.rose.tmpbox.news.arcor.de>
References: <unpnma$23tfn$1@paganini.bofh.team> <unppcj$240fp$1@paganini.bofh.team>
User-Agent: 40tude_Dialog/2.0.15.41 (1c233c9e.505.340)

On Thu, 11th Jan 2024 17:16:50 -0500, Ronald wrote:

Too much information, some misleading (or a misinterpretation of what
I wrote).

> ;{Neodome0}
> ; The boiler-plate section below "should" work but won't work in 2024
> ; because Neodome has a self-signed certificate which is also expired

Don't confuse readers with configuration variants that will /not/ work.

> ;{Neodome1 workaround}
> ; This method sets Dialog to use Dialog port 563 SSL encryption
> ; 40Tude Dialog will NOT use the latest encryption standards.
> ; sTunnel is not involved so the stunnel.conf should be empty

A rather insecure method, which hasn't anything to do with sTunnel.

> ;{Neodome2 workaround}
> ; This method sets Dialog to use sTunnel port 119 STARTTLS.
> ; You'd think it wouldn't require a password, but it does

It _only_ requires a password when the connection is established from a
client that explicitly requests STARTTLS. It just so happens that sTunnel
cannot be configured to connect without any encryption (except NULL
encryption, which still /is/ encryption). So, to connect to Neodome port 119
without (STARTTLS) encryption, one needs to bypass sTunnel and connect
directly (in this case from Dialog). Without encryption, posting isn't
permitted on Neodome, though. Therefore, this would be a read-only setup.

> ; (Although, with the right setting, it is possible to use
> ; "null encryption" [aka a non-encrypting "encryption" method])

Which will lead nowhere, because no server should be configured to accept
such an "encryption" attempt. Therefore, NULL encryption shouldn't be
mentioned in a configuration template, but only in technical explanations.
(If at all. I just wanted to avoid possible wise-assed comments against
me for formulating that sTunnel had _no_ way for unencrypted connections...)

Keeping in mind that configuring sTunnel for a port 119 STARTTLS
connection to Neodome is a bit less intuitive and requires an
additional parameter, there is no need to include this variant in
a configuration template. A connection via the dedicated port 563
works no worse.

> ; For self-signed certificates that have not expired, a good way to
> ; deal with them is to download them & they will be checked against
> ; the existing non-expired self-signed certificate (which has no chain)

Does not apply to the (current) Neodome setup. And because there is no
sign that the situation may improve in the foreseeable future, there
(again) is no need to include this in configuration templates explicitly
dedicated to Neodome.

> ;{Neodome3 workaround}
> ; This method sets Dialog to use sTunnel port 563 encryption
> ; Where this method does not even touch the certificate

Oh, it /does/ touch (and use) it. sTunnel just doesn't verify the
_eligibility_ of the certificate in the described setup.

> ; It's probably the best option because it uses current encryption

Which will be any connection run through sTunnel, as long as sTunnel
is not explicitly mis-configured.

> ; Dialog Host: 127.0.0.1
> ; Dialog Port: 49153 (pick any unused port between 49152 & 65535)

I usually don't recommend using ports from this dynamic port range for
static tasks. This port range should be managed by the OS, which assigns
ports to applications temporarily requesting a (more or less throwaway)
port. Any port you assign statically from this range /may/ already have
been assigned by the OS to another program. I usually recommend checking
the official IANA list for ports from the static port ranges and using
those that apply (only) to applications not installed on the system.

https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

Ports 1191, 1192, 1193, 5631, 5632, 5633 are usually available and
could be read (as aide-memoire) as 119-1 ... 119-3 (for STARTTLS
connections to an external port 119) or as 563-1 ... 563-3 for
connections to an external standard NNTP encryption port 563.

> [Neodome3]
> client = yes
> accept = 127.0.0.1:49153
> connect = news.neodome.net:563

That's what users have to look for in your lengthy document.

> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> ;{Neodome4 workaround}
> ; This is a very minor variation on the method #3 tested above

It is essentially the same as your Neodome method #3. It just has
an outdated sTunnel option as an extra line, which duplicates the
default settings of some newer options. (Which, therefore, can be
left out of the configuration.)

Hope this clarifies some matters a bit more...
Bernd
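As an added example (not code from the thread or from the stunnel project), a small Python audit of the kind of templates Ronald posted and Bernd critiqued: it parses stunnel.conf service sections and reports, per service, whether the server certificate is actually verified, whether the NNTP STARTTLS handshake is used, and whether the local accept port sits in the OS dynamic range. The option names are real stunnel options; the sample configuration is constructed from the Neodome templates plus a pinned variant.

```python
"""Audit the server-authentication posture of stunnel client services.

Added example, not code from the thread: it parses stunnel.conf sections
(';' comments, '[service]' headers, 'key = value' lines) and reports what
each Neodome-style template actually guarantees. verifyChain, verifyPeer,
verify, CAfile, checkHost, sslVersionMin, protocol and accept are real
stunnel options; the sample config at the bottom is constructed.
"""
import re

DYNAMIC_PORTS = range(49152, 65536)   # IANA dynamic/private port range


def parse_stunnel_conf(text):
    """Return {service: {option: value}}; option names lower-cased."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        match = re.fullmatch(r"\[(.+?)\]", line)
        if match:
            current = match.group(1).strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip().lower()] = value.strip()
    return sections


def accept_port(value):
    """'127.0.0.1:49153' -> 49153, '563' -> 563, anything else -> None."""
    port = value.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def audit_service(opts):
    """Classify one client-mode service; returns a dict of findings."""
    warnings = []
    is_yes = lambda key: opts.get(key, "no").lower() == "yes"
    has_ca = "cafile" in opts or "capath" in opts
    legacy = opts.get("verify")               # obsolete numeric verify level

    if is_yes("verifychain") and has_ca:
        auth = "chain-verified"               # chain checked against CAfile
    elif is_yes("verifypeer") and has_ca:
        auth = "pinned-peer"                  # exact saved certificate required
    elif legacy in ("2", "3", "4") and has_ca:
        auth = "chain-verified" if legacy == "2" else "pinned-peer"
    else:
        # The [Neodome2..4] templates land here: TLS is negotiated and the
        # server certificate is received, but nothing checks who sent it.
        auth = "unauthenticated"
        warnings.append("certificate requested but never verified; expect "
                        "stunnel's 'needs authentication to prevent MITM' log")
    if legacy is not None:
        note = " (level 0 equals the default, so the line is redundant)" if legacy == "0" else ""
        warnings.append(f"'verify = {legacy}' is obsolete; use verifyChain/verifyPeer{note}")
    if auth == "chain-verified" and "checkhost" not in opts:
        warnings.append("chain verified but no checkHost: hostname is not matched")

    port = accept_port(opts.get("accept", ""))
    if port in DYNAMIC_PORTS:
        warnings.append(f"accept port {port} is in the OS dynamic range and may "
                        "already be handed out to another program")
    return {
        "auth": auth,
        "starttls": opts.get("protocol", "").lower() == "nntp",
        "min_tls": opts.get("sslversionmin", "default (TLS 1.2 at securityLevel 2)"),
        "accept_port": port,
        "warnings": warnings,
    }


def audit(text):
    """Audit every named service in a stunnel.conf string."""
    return {name: audit_service(opts)
            for name, opts in parse_stunnel_conf(text).items() if name}


# Constructed sample: two of the thread's templates plus a pinned variant
SAMPLE_CONF = """[Neodome2]
client = yes
accept = 127.0.0.1:49152
connect = news.neodome.net:119
protocol = nntp
[Neodome4]
client = yes
accept = 127.0.0.1:49154
connect = news.neodome.net:563
verify = 0
[NeodomePinned]
client = yes
accept = 127.0.0.1:5631
connect = news.neodome.net:563
CAfile = peer-Neodome2.pem
verifyPeer = yes
"""
```

Run `audit(SAMPLE_CONF)` to see that only the pinned variant authenticates the server; the pinned form still fails at runtime against an expired certificate, as the thread notes.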
