Thanks Leandro. But doesn't stunnel allow me to use SSL for NNTP? My NNTP server definitely uses port 119. I followed the setup for this from these instructions almost to the letter: http://ubuntuforums.org/showthread.php?t=653246
and I can't get this to work with SSL at all.
-Mike
On 12-06-26 12:05 AM, Leandro Avila wrote:
Mike,
Maybe you can double check the server settings with the server operator. NNTPS (NNTP over SSL) is usually run on TCP port 563 instead of port 119.
Hope this helps
Leandro Avila
----- Original Message -----
From: mike <mgbutler@nbnet.nb.ca>
To: stunnel-users@stunnel.org
Cc:
Sent: Monday, June 25, 2012 12:15 PM
Subject: [stunnel-users] Stunnel, Pan and the SSL23_GET_SERVER_HELLO:unknown protocol

Hello All,
Running Debian 6.0, stunnel4 and Pan 0.133.
I have set up Pan and installed stunnel so that I can use SSL with NNTP. Installing Pan and stunnel was easy. I've edited Pan to use localhost:119 and edited my config file in stunnel to point to my NNTP server. I have allowed nntp in my hosts.allow for ALL:ALL.
The problem I am running into is that Pan does not connect. I get the following error:
Error reading from localhost. Connection reset by peer
Checking with the following openssl command produced this error:

root@triglav:/etc/stunnel# openssl s_client -ssl3 -connect localhost:119
CONNECTED(00000003)
write:errno=104

Looking at the logs for stunnel I see many repetitions of this message:

2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp started
2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 13 in non-blocking mode
2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on local socket
2012.06.25 14:18:26 LOG7[16355:3074153328]: Waiting for a libwrap process
2012.06.25 14:18:26 LOG7[16355:3074153328]: Acquired libwrap process #0
2012.06.25 14:18:26 LOG7[16355:3074153328]: Releasing libwrap process #0
2012.06.25 14:18:26 LOG7[16355:3074153328]: Released libwrap process #0
2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp permitted by libwrap from 127.0.0.1:59451
2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp accepted connection from 127.0.0.1:59451
2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 14 in non-blocking mode
2012.06.25 14:18:26 LOG6[16355:3074153328]: connect_blocking: connecting 209.197.15.238:119
2012.06.25 14:18:26 LOG7[16355:3074153328]: connect_blocking: s_poll_wait 209.197.15.238:119: waiting 10 seconds
2012.06.25 14:18:26 LOG5[16355:3074153328]: connect_blocking: connected 209.197.15.238:119
2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp connected remote server from 192.168.2.56:51455
2012.06.25 14:18:26 LOG7[16355:3074153328]: Remote FD=14 initialized
2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on remote socket
2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): before/connect initialization
2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): SSLv2/v3 write client hello A
2012.06.25 14:18:26 LOG3[16355:3074153328]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2012.06.25 14:18:26 LOG5[16355:3074153328]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp finished (0 left)

Anyone know what is missing? It almost looks like it can't talk in either SSLv2 or v3, which makes no sense.
Here is my stunnel config:
; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail)

; Certificate/key is needed in server mode and optional in client mode
;cert = /etc/ssl/certs/stunnel.pem
;key = /etc/ssl/certs/stunnel.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log
foreground = no

; Use it for client mode
client = yes

; Service-level configuration

[nntp]
accept = localhost:119
connect = news.aliant.net:119

;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini

_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
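The error in the quoted stunnel log, SSL_connect: ... SSL23_GET_SERVER_HELLO:unknown protocol, is OpenSSL's way of saying that the bytes which came back after its ClientHello were not an SSL/TLS ServerHello (or even a TLS alert) at all. A cleartext NNTP server on port 119 greets every new connection with a "200 ..." or "201 ..." line (RFC 3977), which is exactly that kind of reply, while the NNTPS port Leandro mentions, 563, is the IANA assignment for NNTP over TLS. The script below is an added example, not part of the thread and not stunnel code: it connects to a host:port, sends a minimal hand-built TLS ClientHello, and classifies whatever the server sends back, so the connect= target can be checked before the config is edited. The sample replies embedded in it are constructed for the offline demo, not captured from news.aliant.net; the file name nntp_probe.py is hypothetical. Two caveats visible in the posted config, independent of the port question: verify is commented out, so this client-mode stunnel would accept any certificate the remote presents, and sslVersion = all together with the openssl s_client -ssl3 test reflects the era of the thread, since SSLv3 has since been deprecated (RFC 7568).

```python
import os
import socket
import sys

# Constructed sample replies for the offline demo (not captured from the thread's server).
PLAIN_NNTP_GREETING = b"200 news.example.net InterNetNews NNRP server ready (posting ok)\r\n"
TLS_ALERT_RECORD = b"\x15\x03\x03\x00\x02\x02\x28"    # TLS 1.2 fatal handshake_failure alert
SSLV2_SERVER_HELLO = b"\x80\x05\x04\x00\x00\x00\x03"  # SSLv2 record header, msg type 4

NNTPS_PORT = 563  # IANA-assigned port for NNTP over TLS


def build_client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello (no extensions). It is enough to make a TLS
    endpoint answer with a ServerHello or an alert; a cleartext service will
    have greeted us already or will answer with its own text."""
    suites = bytes.fromhex("c02fc030009c002f0035")        # a few common cipher suites
    body = (b"\x03\x03" + os.urandom(32)                  # client_version, random
            + b"\x00"                                     # empty session_id
            + len(suites).to_bytes(2, "big") + suites     # cipher_suites vector
            + b"\x01\x00")                                # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server sends on a connection we opened."""
    if not data:
        return "closed"           # peer hung up without sending anything
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"              # alert or handshake record: peer speaks SSLv3/TLS
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x04:
        return "sslv2"            # SSLv2 SERVER-HELLO (2-byte length, then msg type 4)
    if data[:4] in (b"200 ", b"201 ", b"400 ", b"502 "):
        return "nntp-plaintext"   # RFC 3977 greeting: cleartext NNTP, no TLS on this port
    return "unknown"


HINTS = {
    "nntp-plaintext": ("port answers with a cleartext NNTP greeting; OpenSSL reports "
                       "SSL23_GET_SERVER_HELLO:unknown protocol when it sees this. "
                       f"Point stunnel's connect= at the NNTPS port ({NNTPS_PORT}) instead."),
    "tls": "port speaks TLS; an stunnel client can negotiate here",
    "sslv2": "port answers with SSLv2 only; modern OpenSSL builds refuse it",
    "closed": "peer closed the connection without data (ACL, firewall or wrong port?)",
    "silent": "no reply within the timeout (host filtered, or server waiting on us)",
    "unknown": "reply is neither TLS nor an NNTP greeting; inspect it by hand",
}


def probe(host: str, port: int, timeout: float = 10.0) -> str:
    """Connect, send a ClientHello, and classify whatever comes back first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            data = s.recv(512)
        except socket.timeout:
            return "silent"
    return classify_reply(data)


if __name__ == "__main__":
    if len(sys.argv) == 3:   # e.g. python3 nntp_probe.py news.example.net 119
        kind = probe(sys.argv[1], int(sys.argv[2]))
        print(f"{kind}: {HINTS[kind]}")
    else:                    # no arguments: classify the constructed samples offline
        for sample in (PLAIN_NNTP_GREETING, TLS_ALERT_RECORD, SSLV2_SERVER_HELLO, b""):
            kind = classify_reply(sample)
            print(f"{sample[:16]!r:26} -> {kind}: {HINTS[kind]}")
```

Run it against the real server as python3 nntp_probe.py news.aliant.net 119 and again with 563; without arguments it only classifies the constructed samples. If 119 comes back nntp-plaintext and 563 comes back tls, Leandro's suggestion applies directly: change the [nntp] section to connect = news.aliant.net:563, and, since the client is terminating TLS on the user's behalf, uncomment verify = 2 and give it a CAfile so the tunnel actually authenticates the news server rather than any host that answers on that port.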