 
Thanks Leandro. But doesn't stunnel allow me to use SSL for NNTP? My NNTP server definitely uses port 119. I followed the setup for this from these instructions almost to the letter: http://ubuntuforums.org/showthread.php?t=653246 and I can't get this to work with SSL at all.
-Mike
On 12-06-26 12:05 AM, Leandro Avila wrote:
Mike,
Maybe you can double check the server settings with the server operator. NNTPS (NNTP over SSL) usually is run on TCP port 563 instead of port 119.
Hope this helps
----------------- Leandro Avila
----- Original Message -----
From: mike <[email protected]>
To: [email protected]
Cc:
Sent: Monday, June 25, 2012 12:15 PM
Subject: [stunnel-users] Stunnel, Pan and the SSL23_GET_SERVER_HELLO:unknown protocol
Hello All,
Running Debian 6.0, stunnel4 and Pan 0.133
I have set up Pan and installed stunnel so that I can use ssl with nntp. Installing Pan and stunnel was easy. I've edited Pan to use localhost:119 and edited my config file in stunnel to point to my nntp server. I have allowed nntp in my hosts.allow for ALL:ALL.
The problem I am running into is that Pan does not connect. I get the following error:
Error reading from localhost. Connection reset by peer
Checking with the following openssl command produced this error:
root@triglav:/etc/stunnel# openssl s_client -ssl3 -connect localhost:119
CONNECTED(00000003)
write:errno=104
Looking at the logs for stunnel I see many repetitions of this message:
2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp started
2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 13 in non-blocking mode
2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on local socket
2012.06.25 14:18:26 LOG7[16355:3074153328]: Waiting for a libwrap process
2012.06.25 14:18:26 LOG7[16355:3074153328]: Acquired libwrap process #0
2012.06.25 14:18:26 LOG7[16355:3074153328]: Releasing libwrap process #0
2012.06.25 14:18:26 LOG7[16355:3074153328]: Released libwrap process #0
2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp permitted by libwrap from 127.0.0.1:59451
2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp accepted connection from 127.0.0.1:59451
2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 14 in non-blocking mode
2012.06.25 14:18:26 LOG6[16355:3074153328]: connect_blocking: connecting 209.197.15.238:119
2012.06.25 14:18:26 LOG7[16355:3074153328]: connect_blocking: s_poll_wait 209.197.15.238:119: waiting 10 seconds
2012.06.25 14:18:26 LOG5[16355:3074153328]: connect_blocking: connected 209.197.15.238:119
2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp connected remote server from 192.168.2.56:51455
2012.06.25 14:18:26 LOG7[16355:3074153328]: Remote FD=14 initialized
2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on remote socket
2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): before/connect initialization
2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): SSLv2/v3 write client hello A
2012.06.25 14:18:26 LOG3[16355:3074153328]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2012.06.25 14:18:26 LOG5[16355:3074153328]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp finished (0 left)
Anyone know what is missing? It almost looks like it can't talk in either SSLv2 or v3, which makes no sense.
Here is my stunnel config:
; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail)

; Certificate/key is needed in server mode and optional in client mode
;cert = /etc/ssl/certs/stunnel.pem
;key = /etc/ssl/certs/stunnel.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log
foreground = no

; Use it for client mode
client = yes

; Service-level configuration

[nntp]
accept = localhost:119
connect = news.aliant.net:119

;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini
_______________________________________________
stunnel-users mailing list
[email protected]
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
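The log above shows the generic shape of "SSL23_GET_SERVER_HELLO:unknown protocol": stunnel's OpenSSL client wrote a ClientHello, and the first bytes that came back were neither an SSLv2 nor an SSLv3/TLS record header. A plaintext NNTP server greeting ("200 ... ready") looks exactly like that to OpenSSL, which is why Leandro's question about the port matters more than the sslVersion setting. The script below is an added example, not code from the thread or from the stunnel project. It classifies the first bytes a server sends after a TCP connect, and as a live probe checks whether a host/port greets in plaintext (NNTP on 119 does, unprompted) or stays silent until it receives a TLS handshake (NNTPS does). The sample byte strings are constructed, not captured from news.aliant.net; the host and ports 119/563 are taken from the thread and Leandro's reply, and whether that server actually offers NNTPS on 563 is an assumption to confirm with the operator.

```python
"""Tell a plaintext NNTP port apart from a TLS (NNTPS) port.

Added example for the stunnel-users thread; not stunnel project code.
Sample bytes below are constructed, not captured from any real server.
"""
import socket
import ssl
import sys

# Constructed samples of the first bytes a client may see after connecting.
NNTP_GREETING = b"200 news.example.invalid InterNetNews NNRP server ready (posting ok)\r\n"
TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x0a"  # TLS 1.0 alert record, unexpected_message
# Partial TLS 1.0 ServerHello: record header, handshake type 0x02, version, 32 random bytes
TLS_SERVER_HELLO = b"\x16\x03\x01\x00\x2a\x02\x00\x00\x26\x03\x01" + b"\x00" * 32


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'nntp-plaintext', 'empty' or 'unknown' for the first bytes received.

    OpenSSL's SSL23_GET_SERVER_HELLO reports "unknown protocol" for anything
    that is not an SSLv2 or SSLv3/TLS record header; an NNTP greeting is one such case.
    """
    if not data:
        return "empty"
    # Every SSLv3/TLS record: content type 0x14-0x17, then version bytes 0x03 0x00-0x04.
    if (len(data) >= 3 and data[0] in (0x14, 0x15, 0x16, 0x17)
            and data[1] == 0x03 and data[2] <= 0x04):
        return "tls"
    # NNTP (RFC 3977) greets with a three-digit status code: 200/201 ready, 400/502 refused.
    head = data[:4]
    if len(head) == 4 and head[:3].isdigit() and head[3:4] in (b" ", b"-"):
        return "nntp-plaintext"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, wait for an unsolicited greeting, and fall back to a real TLS handshake.

    A plaintext NNTP server talks first; a TLS server waits for the ClientHello,
    so silence followed by a successful handshake means the port really is NNTPS.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            first = sock.recv(512)
        except socket.timeout:
            first = b""
    kind = classify_first_bytes(first)
    if kind != "empty":
        return kind
    # Nothing arrived: try a verified TLS handshake on a fresh connection.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls (" + str(tls.version()) + ")"
    except ssl.SSLError as exc:
        # Includes CERTIFICATE_VERIFY_FAILED, which still proves the port speaks TLS.
        return "tls-handshake-failed: " + str(exc.reason or exc)


if __name__ == "__main__":
    # Host defaults to the one in the thread; 563 for NNTPS is an assumption to confirm.
    target = sys.argv[1] if len(sys.argv) > 1 else "news.aliant.net"
    for p in (119, 563):
        try:
            print(f"{target}:{p} -> {probe(target, p)}")
        except OSError as exc:
            print(f"{target}:{p} -> connect failed: {exc}")
```

If the probe reports nntp-plaintext on the port named in the [nntp] section's connect line, stunnel is wrapping a TLS client around a server that speaks plaintext there, and no sslVersion value will help; the line to change is connect, pointing it at whatever port the operator runs NNTPS on (563 by convention), while accept = localhost:119 for Pan can stay as it is. Once the handshake does succeed, note that verify is commented out in the posted config, so stunnel will accept any certificate the remote presents; enabling verify = 2 with a CAfile is what makes the tunnel worth having.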