December 29th, 2007   #1
43moon
5 Cups of Ubuntu
Join Date: Sep 2005
Location: Ballard, WA
Beans: 22
Ubuntu 7.10 Gutsy Gibbon
[HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

Disclaimer:
I didn't invent the wheel here, I am just condensing bits and pieces of information that I have learned from other people here in the forum. It took me half of a day to finally figure this out. I hope that I can save someone else the time and the effort by condensing the steps that worked for me. I used Synaptic to install "Pan" and "stunnel4". I am assuming that you already know how to do that. I am not a pro so I may not know how to troubleshoot any issues that you encounter. I am sharing what I have learned in an effort to begin to repay the community.


Getting Stunnel4 to work:
I am only interested in SSL for my newsgroup reader. I don't use an email client or anything else listed in stunnel, so I commented them out in order to avoid any potential problems related to services that I don't use. If you use any of the services, feel free to adjust them to fit your needs (remove the ";" in front of the various service-level configurations).

Edit the stunnel config file:
Code:
sudo gedit /etc/stunnel/stunnel.conf
I have enclosed my stunnel.conf file. If you copy it, be sure to replace "YOUR.NEWSGROUP.HERE:PORT" with your required address and port as provided by your service provider.
Code:
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
; cert = /etc/stunnel/mail.pem
;key = /etc/stunnel/mail.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

[nntp]
accept = localhost:119
connect = YOUR.NEWSGROUP.HERE:PORT

; [pop3s]
; accept  = 995
; connect = 110

; [imaps]
; accept  = 993
; connect = 143

; [ssmtp]
; accept  = 465
; connect = 25

; [https]
; accept  = 443
; connect = 80
; TIMEOUTclose = 0

; vim:ft=dosini
Edit stunnel4:
Code:
sudo gedit /etc/default/stunnel4
Set "ENABLED=" to "1" (without quotes):
Code:
# /etc/default/stunnel
# Julien LEMOINE <speedblue@debian.org>
# September 2003

# Change to one to enable stunnel
ENABLED=1
FILES="/etc/stunnel/*.conf"
OPTIONS=""

# Change to one to enable ppp restart scripts
PPP_RESTART=0

Getting Pan to work with stunnel4:
Start Pan and enter the following settings for your secure newsgroup server:

Set the Location Address to: "localhost" (without the quotes).
Set the port to: 119
Enter your Login information if required by your service provider.


Start stunnel4:

Code:
sudo /etc/init.d/stunnel4 start
Now start Pan and you should be able to access your newsgroup server through SSL.


Thanks to Badtothebone for this helpful post:
http://ubuntuforums.org/showpost.php...83&postcount=7

And thanks to chrroessner for this very enlightening post:
http://ubuntuforums.org/showpost.php...31&postcount=1
43moon is offline   Reply With Quote
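
Added example, not part of 43moon's post: the configuration above leaves `verify` commented out and sets `sslVersion = SSLv3`, so in client mode the tunnel is encrypted but the news server's certificate is never checked. The Python script below parses a stunnel.conf and reports those settings; the finding names, the helper names and the hardened variant are assumptions of this example, and the sample input is the active lines of the posted file.

```python
"""Audit a client-mode stunnel.conf for unauthenticated or exposed tunnels."""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
LEGACY_PROTOCOLS = {"sslv2", "sslv3"}

# Active (uncommented) lines of the stunnel.conf shown in post #1.
POSTED_CONF = """\
sslVersion = SSLv3
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;verify = 2
;CAfile = /etc/stunnel/certs.pem
debug = 7
output = /var/log/stunnel4/stunnel.log
client = yes

[nntp]
accept = localhost:119
connect = YOUR.NEWSGROUP.HERE:PORT
"""

# Constructed variant: peer verification on, CA bundle set, and TLSv1, the
# newest value listed in the posted file's "Protocol version" comment.
HARDENED_CONF = (
    POSTED_CONF.replace("sslVersion = SSLv3", "sslVersion = TLSv1")
    .replace(";verify = 2", "verify = 2")
    .replace(";CAfile", "CAfile")
)


def parse_stunnel_conf(text):
    """Return (global_opts, services); each maps option name -> list of values."""
    global_opts, services = {}, {}
    current = global_opts  # options before the first [section] are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            # Options such as "socket" repeat, so keep every value in order.
            current.setdefault(key.strip().lower(), []).append(value.strip())
    return global_opts, services


def effective(global_opts, service_opts, key, default=None):
    """Service-level value wins over the global one; the last occurrence wins."""
    values = service_opts.get(key) or global_opts.get(key)
    return values[-1] if values else default


def audit(text):
    """Return a list of (service, finding) tuples for client-mode services."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for name, opts in services.items():
        if effective(global_opts, opts, "client", "no").lower() != "yes":
            continue  # this example only audits client-mode services
        verify = effective(global_opts, opts, "verify")
        has_ca = bool(effective(global_opts, opts, "cafile")
                      or effective(global_opts, opts, "capath"))
        if verify is None or verify == "0":
            # Encrypted, but the peer certificate is not validated.
            findings.append((name, "no-peer-verification"))
        elif not has_ca:
            findings.append((name, "verify-without-ca"))
        protocol = effective(global_opts, opts, "sslversion", "").lower()
        if protocol in LEGACY_PROTOCOLS:
            findings.append((name, "legacy-protocol"))
        accept = effective({}, opts, "accept", "")
        host = accept.rsplit(":", 1)[0].lower() if ":" in accept else ""
        if accept and host not in LOOPBACK_HOSTS:
            # A bare port listens on every interface, so other hosts could
            # reach the plaintext side of the tunnel.
            findings.append((name, "accept-not-loopback"))
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

The CA bundle path in the hardened variant is the one from the posted file's commented `CAfile` line; it has to contain the CA that signed the news provider's certificate before `verify = 2` will accept the connection.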
February 3rd, 2008   #2
meekatron
First Cup of Ubuntu
Join Date: Sep 2007
Location: N. Ireland
Beans: 5
Ubuntu 7.10 Gutsy Gibbon
Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

OK, I seem to have this working, but a few things are confusing me. I am no expert on SSL stuff, but what I am wondering is: if the port on my news reader is 119, which is the port for my news server, how is it encrypted? Should it not be a different port number?

My conf file for stunnel looks like this:
[nntp]
accept = localhost:119
connect = news-europe.giganews.com:563

and my Pan news reader is on localhost port 119.

Does this mean it is bypassing stunnel and ignoring the encryption?
I got the 563 port number from the Giganews website; would that be a special port for their SSL stuff?

Is the SSL encryption for both upload and download?

Sorry if these questions sound a bit dumb, just trying to get my head round it.
February 8th, 2008   #3
jjb123
5 Cups of Ubuntu
Join Date: Oct 2007
Beans: 36
Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

Basically, what you are doing is setting up a server on your computer, but only applications on your network can access it. So Pan connects to your own computer, and in turn stunnel connects via SSL to Giganews on the port specified in the file.
March 13th, 2008   #4
djcronos
5 Cups of Ubuntu
Join Date: Aug 2005
Beans: 22
Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

This is the de facto standard for HOWTOs when it comes to setting up stunnel4 with Pan in Gutsy. Thank you so much - I'm bookmarking this for future reference!
April 6th, 2008   #5
seraph47
First Cup of Ubuntu
Join Date: Nov 2006
Beans: 12
Ubuntu 7.04 Feisty Fawn
Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

I am unable to get Pan working with stunnel4.
Here's my stunnel.conf:
Code:
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
; cert = /etc/stunnel/mail.pem
;key = /etc/stunnel/mail.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

[nntp]
accept = localhost:119
connect = news.giganews.com:443

; [pop3s]
; accept  = 995
; connect = 110

; [imaps]
; accept  = 993
; connect = 143

; [ssmtp]
; accept  = 465
; connect = 25

; [https]
; accept  = 443
; connect = 80
; TIMEOUTclose = 0

; vim:ft=dosini
And my stunnel4:
Code:
# /etc/default/stunnel
# Julien LEMOINE <speedblue@debian.org>
# September 2003

# Change to one to enable stunnel
ENABLED=1
FILES="/etc/stunnel/stunnel.conf"
OPTIONS=""

# Change to one to enable ppp restart scripts
PPP_RESTART=0
And Pan is set to localhost/119 with my correct login info.

Also, here's my log file:
Code:
2008.04.06 01:07:32 LOG5[15279:3083282112]: stunnel 4.18 on i486-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006
2008.04.06 01:07:32 LOG5[15279:3083282112]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2008.04.06 01:07:32 LOG6[15279:3083282112]: file ulimit = 1024 (can be changed with 'ulimit -n')
2008.04.06 01:07:32 LOG6[15279:3083282112]: poll() used - no FD_SETSIZE limit for file descriptors
2008.04.06 01:07:32 LOG5[15279:3083282112]: 500 clients allowed
2008.04.06 01:07:32 LOG7[15279:3083282112]: FD 7 in non-blocking mode
2008.04.06 01:07:32 LOG7[15279:3083282112]: FD 8 in non-blocking mode
2008.04.06 01:07:32 LOG7[15279:3083282112]: FD 9 in non-blocking mode
2008.04.06 01:07:32 LOG7[15279:3083282112]: SO_REUSEADDR option set on accept socket
2008.04.06 01:07:32 LOG7[15279:3083282112]: nntp bound to 127.0.0.1:119
2008.04.06 01:07:32 LOG7[15280:3083282112]: Created pid file /stunnel4.pid
2008.04.06 09:45:16 LOG5[4823:3083171520]: stunnel 4.18 on i486-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006
2008.04.06 09:45:16 LOG5[4823:3083171520]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2008.04.06 09:45:16 LOG6[4823:3083171520]: file ulimit = 1024 (can be changed with 'ulimit -n')
2008.04.06 09:45:16 LOG6[4823:3083171520]: poll() used - no FD_SETSIZE limit for file descriptors
2008.04.06 09:45:16 LOG5[4823:3083171520]: 500 clients allowed
2008.04.06 09:45:16 LOG7[4823:3083171520]: FD 4 in non-blocking mode
2008.04.06 09:45:16 LOG7[4823:3083171520]: FD 5 in non-blocking mode
2008.04.06 09:45:16 LOG7[4823:3083171520]: FD 6 in non-blocking mode
2008.04.06 09:45:16 LOG7[4823:3083171520]: SO_REUSEADDR option set on accept socket
2008.04.06 09:45:16 LOG3[4823:3083171520]: Error binding nntp to 127.0.0.1:119
2008.04.06 09:45:16 LOG3[4823:3083171520]: bind: Address already in use (98)
2008.04.06 09:49:32 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:36402
2008.04.06 09:49:32 LOG7[15280:3086601104]: nntp started
2008.04.06 09:49:32 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 09:49:32 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 09:49:32 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 09:49:32 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 09:49:32 LOG7[15280:3086601104]: Connection from 127.0.0.1:36402 permitted by libwrap
2008.04.06 09:49:32 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:36402
2008.04.06 09:49:32 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 09:49:32 LOG3[15280:3086601104]: No host resolved
2008.04.06 09:49:32 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 09:49:32 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 09:49:32 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 09:49:32 LOG6[15280:3083282112]: Child process 5027 finished with code 0
2008.04.06 10:06:14 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:35753
2008.04.06 10:06:14 LOG7[15280:3086601104]: nntp started
2008.04.06 10:06:14 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 10:06:14 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 10:06:14 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 10:06:14 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 10:06:14 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 10:06:14 LOG6[15280:3083282112]: Child process 5786 finished with code 0
2008.04.06 10:06:14 LOG7[15280:3086601104]: Connection from 127.0.0.1:35753 permitted by libwrap
2008.04.06 10:06:14 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:35753
2008.04.06 10:06:14 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 10:06:14 LOG3[15280:3086601104]: No host resolved
2008.04.06 10:06:14 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 10:06:14 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 10:26:46 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:60740
2008.04.06 10:26:46 LOG7[15280:3086601104]: nntp started
2008.04.06 10:26:46 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 10:26:46 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 10:26:46 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 10:26:46 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 10:26:46 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 10:26:46 LOG6[15280:3083282112]: Child process 6960 finished with code 0
2008.04.06 10:26:46 LOG7[15280:3086601104]: Connection from 127.0.0.1:60740 permitted by libwrap
2008.04.06 10:26:46 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:60740
2008.04.06 10:26:46 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 10:26:46 LOG3[15280:3086601104]: No host resolved
2008.04.06 10:26:46 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 10:26:46 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:23:44 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:57835
2008.04.06 17:23:44 LOG7[15280:3086601104]: nntp started
2008.04.06 17:23:44 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:23:44 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:23:44 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:23:44 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:23:44 LOG7[15280:3086601104]: Connection from 127.0.0.1:57835 permitted by libwrap
2008.04.06 17:23:44 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:57835
2008.04.06 17:23:44 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:23:44 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:23:44 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:23:44 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:23:44 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:23:44 LOG6[15280:3083282112]: Child process 2671 finished with code 0
2008.04.06 17:23:58 LOG5[2678:3083245248]: stunnel 4.18 on i486-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006
2008.04.06 17:23:58 LOG5[2678:3083245248]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2008.04.06 17:23:58 LOG6[2678:3083245248]: file ulimit = 1024 (can be changed with 'ulimit -n')
2008.04.06 17:23:58 LOG6[2678:3083245248]: poll() used - no FD_SETSIZE limit for file descriptors
2008.04.06 17:23:58 LOG5[2678:3083245248]: 500 clients allowed
2008.04.06 17:23:58 LOG7[2678:3083245248]: FD 4 in non-blocking mode
2008.04.06 17:23:58 LOG7[2678:3083245248]: FD 5 in non-blocking mode
2008.04.06 17:23:58 LOG7[2678:3083245248]: FD 6 in non-blocking mode
2008.04.06 17:23:58 LOG7[2678:3083245248]: SO_REUSEADDR option set on accept socket
2008.04.06 17:23:58 LOG3[2678:3083245248]: Error binding nntp to 127.0.0.1:119
2008.04.06 17:23:58 LOG3[2678:3083245248]: bind: Address already in use (98)
2008.04.06 17:25:18 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:41058
2008.04.06 17:25:18 LOG7[15280:3086601104]: nntp started
2008.04.06 17:25:18 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:25:18 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:25:18 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:25:18 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:25:18 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:25:18 LOG6[15280:3083282112]: Child process 2731 finished with code 0
2008.04.06 17:25:18 LOG7[15280:3086601104]: Connection from 127.0.0.1:41058 permitted by libwrap
2008.04.06 17:25:18 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:41058
2008.04.06 17:25:18 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:25:18 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:25:18 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:25:18 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:43:46 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:57064
2008.04.06 17:43:46 LOG7[15280:3086601104]: nntp started
2008.04.06 17:43:46 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:43:46 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:43:46 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:43:46 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:43:46 LOG7[15280:3086601104]: Connection from 127.0.0.1:57064 permitted by libwrap
2008.04.06 17:43:46 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:57064
2008.04.06 17:43:46 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:43:46 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:43:46 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:43:46 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:43:46 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:43:46 LOG6[15280:3083282112]: Child process 3698 finished with code 0
2008.04.06 17:44:06 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:57067
2008.04.06 17:44:06 LOG7[15280:3086601104]: nntp started
2008.04.06 17:44:06 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:44:06 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:44:06 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:44:06 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:44:06 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:44:06 LOG6[15280:3083282112]: Child process 3716 finished with code 0
2008.04.06 17:44:06 LOG7[15280:3086601104]: Connection from 127.0.0.1:57067 permitted by libwrap
2008.04.06 17:44:06 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:57067
2008.04.06 17:44:06 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:44:06 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:44:06 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:44:06 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:44:33 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:57069
2008.04.06 17:44:33 LOG7[15280:3086601104]: nntp started
2008.04.06 17:44:33 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:44:33 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:44:33 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:44:33 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:44:33 LOG7[15280:3086601104]: Connection from 127.0.0.1:57069 permitted by libwrap
2008.04.06 17:44:33 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:57069
2008.04.06 17:44:33 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:44:33 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:44:33 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:44:33 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:44:33 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:44:33 LOG6[15280:3083282112]: Child process 3738 finished with code 0
2008.04.06 17:45:45 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:51796
2008.04.06 17:45:45 LOG7[15280:3086601104]: nntp started
2008.04.06 17:45:45 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:45:45 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:45:45 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:45:45 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:45:45 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:45:45 LOG6[15280:3083282112]: Child process 3807 finished with code 0
2008.04.06 17:45:45 LOG7[15280:3086601104]: Connection from 127.0.0.1:51796 permitted by libwrap
2008.04.06 17:45:45 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:51796
2008.04.06 17:45:45 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:45:45 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:45:45 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:45:45 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:46:52 LOG5[3859:3083372224]: stunnel 4.18 on i486-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006
2008.04.06 17:46:52 LOG5[3859:3083372224]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2008.04.06 17:46:52 LOG6[3859:3083372224]: file ulimit = 1024 (can be changed with 'ulimit -n')
2008.04.06 17:46:52 LOG6[3859:3083372224]: poll() used - no FD_SETSIZE limit for file descriptors
2008.04.06 17:46:52 LOG5[3859:3083372224]: 500 clients allowed
2008.04.06 17:46:52 LOG7[3859:3083372224]: FD 4 in non-blocking mode
2008.04.06 17:46:52 LOG7[3859:3083372224]: FD 5 in non-blocking mode
2008.04.06 17:46:52 LOG7[3859:3083372224]: FD 6 in non-blocking mode
2008.04.06 17:46:52 LOG7[3859:3083372224]: SO_REUSEADDR option set on accept socket
2008.04.06 17:46:52 LOG3[3859:3083372224]: Error binding nntp to 127.0.0.1:119
2008.04.06 17:46:52 LOG3[3859:3083372224]: bind: Address already in use (98)
2008.04.06 17:47:01 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:51811
2008.04.06 17:47:01 LOG7[15280:3086601104]: nntp started
2008.04.06 17:47:01 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:47:01 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:47:01 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:47:01 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:47:01 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:47:01 LOG6[15280:3083282112]: Child process 3864 finished with code 0
2008.04.06 17:47:01 LOG7[15280:3086601104]: Connection from 127.0.0.1:51811 permitted by libwrap
2008.04.06 17:47:01 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:51811
2008.04.06 17:47:01 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:47:01 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:47:01 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:47:01 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:47:09 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:51814
2008.04.06 17:47:09 LOG7[15280:3086601104]: nntp started
2008.04.06 17:47:09 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:47:09 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:47:09 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:47:09 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:47:09 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:47:09 LOG6[15280:3083282112]: Child process 3872 finished with code 0
2008.04.06 17:47:09 LOG7[15280:3086601104]: Connection from 127.0.0.1:51814 permitted by libwrap
2008.04.06 17:47:09 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:51814
2008.04.06 17:47:09 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:47:09 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:47:09 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:47:09 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:47:10 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:51815
2008.04.06 17:47:10 LOG7[15280:3086601104]: nntp started
2008.04.06 17:47:10 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:47:10 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:47:10 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:47:10 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:47:10 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:47:10 LOG6[15280:3083282112]: Child process 3874 finished with code 0
2008.04.06 17:47:10 LOG7[15280:3086601104]: Connection from 127.0.0.1:51815 permitted by libwrap
2008.04.06 17:47:10 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:51815
2008.04.06 17:47:10 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:47:10 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:47:10 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:47:10 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:47:47 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:51818
2008.04.06 17:47:47 LOG7[15280:3086601104]: nntp started
2008.04.06 17:47:47 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:47:47 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:47:47 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:47:47 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:47:47 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:47:47 LOG6[15280:3083282112]: Child process 3900 finished with code 0
2008.04.06 17:47:47 LOG7[15280:3086601104]: Connection from 127.0.0.1:51818 permitted by libwrap
2008.04.06 17:47:47 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:51818
2008.04.06 17:47:47 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:47:47 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:47:47 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:47:47 LOG7[15280:3086601104]: nntp finished (0 left)
I then start stunnel 4 with: sudo stunnel4 /etc/stunnel/stunnel.conf
I appreciate any help, thanks.
seraph47 is offline   Reply With Quote
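
Added example, not part of seraph47's post: a Python triage of the stunnel log format shown above, separating the two failures visible in it (later stunnel starts that cannot bind 127.0.0.1:119 because an earlier instance still holds it, and name resolution failing before any SSL handshake). Function and field names are this example's own, and the sample input is a short excerpt of lines from the posted log.

```python
"""Triage a stunnel 4 debug log: stale listeners and failed lookups."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)
BOUND_RE = re.compile(r"^(\S+) bound to (\S+)$")
BIND_FAIL_RE = re.compile(r"^Error binding (\S+) to (\S+)$")
RESOLVE_RE = re.compile(r"^Error resolving '([^']+)'")
CLOSED_RE = re.compile(
    r"^Connection \w+: (\d+) bytes sent to SSL, (\d+) bytes sent to socket$"
)

# Excerpt of lines copied from the log in post #5.
SAMPLE_LOG = """\
2008.04.06 01:07:32 LOG7[15279:3083282112]: nntp bound to 127.0.0.1:119
2008.04.06 01:07:32 LOG7[15280:3083282112]: Created pid file /stunnel4.pid
2008.04.06 09:45:16 LOG3[4823:3083171520]: Error binding nntp to 127.0.0.1:119
2008.04.06 09:45:16 LOG3[4823:3083171520]: bind: Address already in use (98)
2008.04.06 09:49:32 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:36402
2008.04.06 09:49:32 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 09:49:32 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
"""


def triage(log_text):
    """Summarise bind conflicts, DNS failures and empty connections."""
    bound = {}                     # listen address -> pid that bound it first
    failed_starts = []             # (timestamp, pid, address) per failed bind
    resolve_failures = Counter()   # hostname -> number of failed lookups
    serving_pids = set()           # pids that accepted client connections
    connections = empty = 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a stunnel log line
        ts, pid, msg = m["ts"], int(m["pid"]), m["msg"]
        if (b := BOUND_RE.match(msg)):
            bound.setdefault(b[2], pid)
        elif (f := BIND_FAIL_RE.match(msg)):
            failed_starts.append((ts, pid, f[2]))
        elif (r := RESOLVE_RE.match(msg)):
            resolve_failures[r[1]] += 1
        elif " connected from " in msg:
            serving_pids.add(pid)
        elif (c := CLOSED_RE.match(msg)):
            connections += 1
            if c[1] == "0" and c[2] == "0":
                empty += 1  # closed before any data crossed the tunnel
    # A failed bind on an address another pid bound earlier in the same log
    # means the earlier instance is still the one listening.
    stale = sorted({addr for _, pid, addr in failed_starts
                    if addr in bound and bound[addr] != pid})
    return {
        "bound": bound,
        "failed_starts": failed_starts,
        "stale_listeners": stale,
        "resolve_failures": dict(resolve_failures),
        "serving_pids": sorted(serving_pids),
        "connections": connections,
        "empty_connections": empty,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In the posted log every client connection is served by pid 15280, the instance started at 01:07:32, so the later starts that failed to bind never took over the port. The lookups that fail run inside that long-lived daemon, which the posted config chroots to /var/lib/stunnel4/; whether the jail lacks resolver files is a possible cause to check, not something the thread confirms.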
June 22nd, 2008   #6
Gun_Smoke
Just Give Me the Beans!
Join Date: Aug 2006
Location: Orlando, FL
My beans are hidden!
Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

Thanks.
July 16th, 2008   #7
darc
5 Cups of Ubuntu
Join Date: Jun 2006
Location: United States
Beans: 43
Ubuntu 7.04 Feisty Fawn
Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

Thanks 43moon for the howto, and meekatron for mentioning the special port.

As meekatron said, if you use Giganews, you need to set the connect to:
news.giganews.com:563

-darc
July 16th, 2008   #8
leswgnr
First Cup of Ubuntu
Join Date: Jul 2008
Beans: 1
Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

I followed your (43moon) howto and have the error below. I have included below that my config file and default file. I don't seem to have any /stunnel4.pid file in my root directory. Any help is quite appreciated.
Thank you,
Code:
dad@dad-desktop:~$ /etc/init.d/stunnel4 start
Starting SSL tunnels: 2008.07.16 22:15:40 LOG7[7690:3082667696]: RAND_status claims sufficient entropy for the PRNG
2008.07.16 22:15:40 LOG7[7690:3082667696]: PRNG seeded successfully
2008.07.16 22:15:40 LOG7[7690:3082667696]: SSL context initialized for service nntp
[Failed: /etc/stunnel/stunnel.conf]
You should check that you have specified the pid= in you configuration file
Code:
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
;cert = /etc/stunnel/mail.pem
;key = /etc/stunnel/mail.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

[nntp]
accept = localhost:119
connect = news.newsguy.com:443

;[pop3s]
;accept = 995
;connect = 110

;[imaps]
;accept = 993
;connect = 143

;[ssmtp]
;accept = 465
;connect = 25

;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini
Code:
# /etc/default/stunnel
# Julien LEMOINE <speedblue@debian.org>
# September 2003

# Change to one to enable stunnel
ENABLED=1
FILES="/etc/stunnel/*.conf"
OPTIONS=""

# Change to one to enable ppp restart scripts
PPP_RESTART=0
July 16th, 2008   #9
Gun_Smoke
Just Give Me the Beans!
Join Date: Aug 2006
Location: Orlando, FL
My beans are hidden!
Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

do
Quote:
sudo stunnel4
2008.07.16 22:45:02 LOG7[6802:3082888880]: RAND_status claims sufficient entropy for the PRNG
2008.07.16 22:45:02 LOG7[6802:3082888880]: PRNG seeded successfully
2008.07.16 22:45:03 LOG7[6802:3082888880]: SSL context initialized for service nntp


you can check your connection with wireshark..

Set a filter to tcp.port == "port number"

in my case it would be tcp.port == 443

"expression" is
Quote:
tcp.port == 443
Looks like this if working, and a ton of them. Something like this:
Quote:
165335 339.081791 xxx.xx.xxx.xx 192.168.x.xxx SSL Continuation Data
So after "sudo stunnel4"
start to grab some headers and then run wireshark with the expression or filter mentioned up there..


BOL

GS

Last edited by Gun_Smoke; July 16th, 2008 at 11:21 PM..
July 16th, 2008   #10
Gun_Smoke
Just Give Me the Beans!
Join Date: Aug 2006
Location: Orlando, FL
My beans are hidden!
Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

^^^^^^

Edited... this is for notification emails.

GS