Page 1 of 4 123 ... LastLast
Results 1 to 10 of 31

Thread: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

  1. #1
    Join Date
    Sep 2005
    Location
    Ballard, WA
    Beans
    21
    Distro
    Ubuntu 7.10 Gutsy Gibbon

    Post [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    Disclaimer:
    I didn't invent the wheel here, I am just condensing bits and pieces of information that I have learned from other people here in the forum. It took me half of a day to finally figure this out. I hope that I can save someone else the time and the effort by condensing the steps that worked for me. I used Synaptic to install "Pan" and "stunnel4". I am assuming that you already know how to do that. I am not a pro so I may not know how to troubleshoot any issues that you encounter. I am sharing what I have learned in an effort to begin to repay the community.


    Getting Stunnel4 to work:
    I am only interested in SSL for my newsgroup reader. I don't use an email client or anything else listed in stunnel, so I commented them out in order to avoid any potential problems related to services that I don't use. If you use any of the services, feel free to adjust them to fit your needs (remove the ";" in front of the various service-level configurations).

    Edit the stunnel config file:
    Code:
    sudo gedit /etc/stunnel/stunnel.conf
    I have enclosed my stunnel.conf file. If you copy it, be sure to replace "YOUR.NEWSGROUP.HERE:PORT" with your required address and port as provided by your service provider.
    Code:
    ; Sample stunnel configuration file by Michal Trojnara 2002-2006
    ; Some options used here may not be adequate for your particular configuration
    ; Please make sure you understand them (especially the effect of chroot jail)
    
    ; Certificate/key is needed in server mode and optional in client mode
    ; cert = /etc/stunnel/mail.pem
    ;key = /etc/stunnel/mail.pem
    
    ; Protocol version (all, SSLv2, SSLv3, TLSv1)
    sslVersion = SSLv3
    
    ; Some security enhancements for UNIX systems - comment them out on Win32
    chroot = /var/lib/stunnel4/
    setuid = stunnel4
    setgid = stunnel4
    ; PID is created inside chroot jail
    pid = /stunnel4.pid
    
    ; Some performance tunings
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    ;compression = rle
    
    ; Workaround for Eudora bug
    ;options = DONT_INSERT_EMPTY_FRAGMENTS
    
    ; Authentication stuff
    ;verify = 2
    ; Don't forget to c_rehash CApath
    ; CApath is located inside chroot jail
    ;CApath = /certs
    ; It's often easier to use CAfile
    ;CAfile = /etc/stunnel/certs.pem
    ; Don't forget to c_rehash CRLpath
    ; CRLpath is located inside chroot jail
    ;CRLpath = /crls
    ; Alternatively you can use CRLfile
    ;CRLfile = /etc/stunnel/crls.pem
    
    ; Some debugging stuff useful for troubleshooting
    debug = 7
    output = /var/log/stunnel4/stunnel.log
    
    ; Use it for client mode
    client = yes
    
    ; Service-level configuration
    
    [nntp]
    accept = localhost:119
    connect = YOUR.NEWSGROUP.HERE:PORT
    
    ; [pop3s]
    ; accept  = 995
    ; connect = 110
    
    ; [imaps]
    ; accept  = 993
    ; connect = 143
    
    ; [ssmtp]
    ; accept  = 465
    ; connect = 25
    
    ; [https]
    ; accept  = 443
    ; connect = 80
    ; TIMEOUTclose = 0
    
    ; vim:ft=dosini
    Edit stunnel4:
    Code:
    sudo gedit /etc/default/stunnel4
    Set "ENABLED=" to "1" (without quotes):
    Code:
    # /etc/default/stunnel
    # Julien LEMOINE <speedblue@debian.org>
    # September 2003
    
    # Change to one to enable stunnel
    ENABLED=1
    FILES="/etc/stunnel/*.conf"
    OPTIONS=""
    
    # Change to one to enable ppp restart scripts
    PPP_RESTART=0

    Getting Pan to work with stunnel4:
    Start Pan and enter the following settings for your secure newsgroup server:

    Set the Location Address to: "localhost" (without the quotes).
    Set the port to: 119
    Enter your Login information if required by your service provider.


    Start stunnel4:

    Code:
    sudo /etc/init.d/stunnel4 start
    Now start Pan and you should be able to access your newsgroup server through SSL.


    Thanks to Badtothebone for this helpful post:
    http://ubuntuforums.org/showpost.php...83&postcount=7

    And thanks to chrroessner for this very enlightening post:
    http://ubuntuforums.org/showpost.php...31&postcount=1
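
The template above leaves "verify" commented out, so stunnel encrypts to whatever answers on the far port without checking its certificate. The script below is an added example, not code from this post or from the stunnel project: it parses an stunnel.conf laid out the way the template is and reports the settings a reviewer would flag. Both embedded configurations are constructed from the template; news.example.net and the CA bundle path are hypothetical.

```python
# Lint an stunnel 4 client-mode stunnel.conf for the mistakes a reviewer
# would flag.  Added example: not code from the forum post or from stunnel.
import re
from typing import Dict, List, Optional, Tuple

Section = Dict[str, List[str]]   # a key may repeat (two "socket =" lines)

# Constructed from the HOWTO template: options that do not affect the
# findings are trimmed and the placeholder is filled with a hypothetical host.
SAMPLE_CONF = """\
sslVersion = SSLv3
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;verify = 2
client = yes

[nntp]
accept = localhost:119
connect = news.example.net:563
"""

# Same tunnel with the remote certificate actually checked.  The CA bundle
# path is hypothetical; TLSv1 is the newest value this stunnel release lists.
HARDENED_CONF = """\
sslVersion = TLSv1
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
client = yes

[nntp]
accept = localhost:119
connect = news.example.net:563
"""


def parse_stunnel_conf(text: str) -> Tuple[Section, Dict[str, Section]]:
    """Split a dosini-style stunnel.conf into global options and services."""
    global_opts: Section = {}
    services: Dict[str, Section] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":            # blank or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                        # [service] header
            current = services.setdefault(m.group(1).strip(), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current.setdefault(key.strip(), []).append(value.strip())
    return global_opts, services


def lint_client_config(text: str) -> List[Tuple[str, str, str]]:
    """Return (code, where, message) findings for a client-mode config."""
    g, services = parse_stunnel_conf(text)

    def opt(section: Section, key: str) -> Optional[str]:
        vals = section.get(key) or g.get(key) or []  # service overrides global
        return vals[-1] if vals else None

    findings: List[Tuple[str, str, str]] = []
    if (opt(g, "client") or "no").lower() != "yes":
        findings.append(("NOT_CLIENT", "global",
                         "client = yes missing: stunnel would run in server mode"))
    ver = opt(g, "sslVersion")
    if ver and ver.lower() in ("sslv2", "sslv3"):
        findings.append(("WEAK_PROTOCOL", "global",
                         f"sslVersion = {ver} pins an obsolete protocol"))
    for name, s in services.items():
        where = f"[{name}]"
        verify = opt(s, "verify")
        if verify is None or not verify.isdigit() or int(verify) < 2:
            findings.append(("NO_VERIFY", where,
                             "verify unset or below 2: the remote certificate is never "
                             "checked, so the tunnel is encrypted but not authenticated"))
        elif not (opt(s, "CAfile") or opt(s, "CApath")):
            findings.append(("NO_CA", where,
                             "verify = 2 needs a CAfile or CApath to trust anything"))
        accept = opt(s, "accept")
        if accept is None:
            findings.append(("NO_ACCEPT", where, "accept is missing"))
        elif ":" not in accept:                       # bare port = every interface
            findings.append(("ACCEPT_ALL_IFACES", where,
                             f"accept = {accept} listens on all interfaces; "
                             f"use localhost:{accept}"))
        connect = opt(s, "connect")
        if connect is None or ":" not in connect:     # bare port = localhost
            findings.append(("BAD_CONNECT", where,
                             "connect needs host:port; a bare port means localhost"))
    return findings


if __name__ == "__main__":
    for label, conf in (("HOWTO template", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}:")
        for code, where, msg in lint_client_config(conf) or [("OK", "-", "no findings")]:
            print(f"  {code:18} {where:8} {msg}")
```

Run as is, it prints two findings for the template (SSLv3 pinned, no verification) and none for the hardened variant. Note what verify = 2 does and does not give you: stunnel then checks the chain against the CAfile, but this stunnel 4 release has no option to check that the certificate's name matches the host in "connect"; later stunnel releases add checkHost for that. A packet capture showing TLS records on port 563 confirms encryption on the wire, not who is on the other end.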

  2. #2
    Join Date
    Sep 2007
    Location
    N. Ireland
    Beans
    5
    Distro
    Ubuntu 7.10 Gutsy Gibbon

    Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    OK, I seem to have this working, but a few things are confusing me. I am no expert on SSL stuff, but what I am wondering is: if the port on my news reader is 119, which is the port for my news server, how is it encrypted? Should it not be a different port number?

    My conf file for stunnel looks like this:
    [nntp]
    accept = localhost:119
    connect = news-europe.giganews.com:563

    and my Pan news reader is on localhost port 119.

    Does this mean it is bypassing stunnel and ignoring the encryption?
    I got the 563 port number from the Giganews website; would that be a special port for their SSL stuff?

    Is the SSL encryption for both upload and download?

    Sorry if these questions sound a bit dumb, just trying to get my head round it.

  3. #3
    Join Date
    Oct 2007
    Beans
    37

    Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    Basically, what you are doing is setting up a server on your computer, but only applications on your network can access it. So, Pan connects to your own computer, and in turn stunnel connects via SSL to Giganews on the port specified in the file.

  4. #4
    Join Date
    Aug 2005
    Beans
    21

    Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    This is the de facto standard for HOWTOs when it comes to setting up stunnel4 with Pan in Gutsy. Thank you so much - I'm bookmarking this for future reference!

  5. #5
    Join Date
    Nov 2006
    Beans
    13
    Distro
    Ubuntu 7.04 Feisty Fawn

    Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    I am unable to get Pan working with stunnel4.
    Here's my stunnel.conf:
    Code:
    ; Sample stunnel configuration file by Michal Trojnara 2002-2006
    ; Some options used here may not be adequate for your particular configuration
    ; Please make sure you understand them (especially the effect of chroot jail)
    
    ; Certificate/key is needed in server mode and optional in client mode
    ; cert = /etc/stunnel/mail.pem
    ;key = /etc/stunnel/mail.pem
    
    ; Protocol version (all, SSLv2, SSLv3, TLSv1)
    sslVersion = SSLv3
    
    ; Some security enhancements for UNIX systems - comment them out on Win32
    chroot = /var/lib/stunnel4/
    setuid = stunnel4
    setgid = stunnel4
    ; PID is created inside chroot jail
    pid = /stunnel4.pid
    
    ; Some performance tunings
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    ;compression = rle
    
    ; Workaround for Eudora bug
    ;options = DONT_INSERT_EMPTY_FRAGMENTS
    
    ; Authentication stuff
    ;verify = 2
    ; Don't forget to c_rehash CApath
    ; CApath is located inside chroot jail
    ;CApath = /certs
    ; It's often easier to use CAfile
    ;CAfile = /etc/stunnel/certs.pem
    ; Don't forget to c_rehash CRLpath
    ; CRLpath is located inside chroot jail
    ;CRLpath = /crls
    ; Alternatively you can use CRLfile
    ;CRLfile = /etc/stunnel/crls.pem
    
    ; Some debugging stuff useful for troubleshooting
    debug = 7
    output = /var/log/stunnel4/stunnel.log
    
    ; Use it for client mode
    client = yes
    
    ; Service-level configuration
    
    [nntp]
    accept = localhost:119
    connect = news.giganews.com:443
    
    ; [pop3s]
    ; accept  = 995
    ; connect = 110
    
    ; [imaps]
    ; accept  = 993
    ; connect = 143
    
    ; [ssmtp]
    ; accept  = 465
    ; connect = 25
    
    ; [https]
    ; accept  = 443
    ; connect = 80
    ; TIMEOUTclose = 0
    
    ; vim:ft=dosini
    And my stunnel4:
    Code:
    # /etc/default/stunnel
    # Julien LEMOINE <speedblue@debian.org>
    # September 2003
    
    # Change to one to enable stunnel
    ENABLED=1
    FILES="/etc/stunnel/stunnel.conf"
    OPTIONS=""
    
    # Change to one to enable ppp restart scripts
    PPP_RESTART=0
    And pan is set to localhost/119 with my correct login info.

    Also, here's my log file:
    Code:
    2008.04.06 01:07:32 LOG5[15279:3083282112]: stunnel 4.18 on i486-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006
    2008.04.06 01:07:32 LOG5[15279:3083282112]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
    2008.04.06 01:07:32 LOG6[15279:3083282112]: file ulimit = 1024 (can be changed with 'ulimit -n')
    2008.04.06 01:07:32 LOG6[15279:3083282112]: poll() used - no FD_SETSIZE limit for file descriptors
    2008.04.06 01:07:32 LOG5[15279:3083282112]: 500 clients allowed
    2008.04.06 01:07:32 LOG7[15279:3083282112]: FD 7 in non-blocking mode
    2008.04.06 01:07:32 LOG7[15279:3083282112]: FD 8 in non-blocking mode
    2008.04.06 01:07:32 LOG7[15279:3083282112]: FD 9 in non-blocking mode
    2008.04.06 01:07:32 LOG7[15279:3083282112]: SO_REUSEADDR option set on accept socket
    2008.04.06 01:07:32 LOG7[15279:3083282112]: nntp bound to 127.0.0.1:119
    2008.04.06 01:07:32 LOG7[15280:3083282112]: Created pid file /stunnel4.pid
    2008.04.06 09:45:16 LOG5[4823:3083171520]: stunnel 4.18 on i486-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006
    2008.04.06 09:45:16 LOG5[4823:3083171520]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
    2008.04.06 09:45:16 LOG6[4823:3083171520]: file ulimit = 1024 (can be changed with 'ulimit -n')
    2008.04.06 09:45:16 LOG6[4823:3083171520]: poll() used - no FD_SETSIZE limit for file descriptors
    2008.04.06 09:45:16 LOG5[4823:3083171520]: 500 clients allowed
    2008.04.06 09:45:16 LOG7[4823:3083171520]: FD 4 in non-blocking mode
    2008.04.06 09:45:16 LOG7[4823:3083171520]: FD 5 in non-blocking mode
    2008.04.06 09:45:16 LOG7[4823:3083171520]: FD 6 in non-blocking mode
    2008.04.06 09:45:16 LOG7[4823:3083171520]: SO_REUSEADDR option set on accept socket
    2008.04.06 09:45:16 LOG3[4823:3083171520]: Error binding nntp to 127.0.0.1:119
    2008.04.06 09:45:16 LOG3[4823:3083171520]: bind: Address already in use (98)
    2008.04.06 09:49:32 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:36402
    2008.04.06 09:49:32 LOG7[15280:3086601104]: nntp started
    2008.04.06 09:49:32 LOG7[15280:3086601104]: FD 10 in non-blocking mode
    2008.04.06 09:49:32 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
    2008.04.06 09:49:32 LOG7[15280:3086601104]: FD 11 in non-blocking mode
    2008.04.06 09:49:32 LOG7[15280:3086601104]: FD 12 in non-blocking mode
    2008.04.06 09:49:32 LOG7[15280:3086601104]: Connection from 127.0.0.1:36402 permitted by libwrap
    2008.04.06 09:49:32 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:36402
    2008.04.06 09:49:32 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
    2008.04.06 09:49:32 LOG3[15280:3086601104]: No host resolved
    2008.04.06 09:49:32 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
    2008.04.06 09:49:32 LOG7[15280:3086601104]: nntp finished (0 left)
    2008.04.06 09:49:32 LOG7[15280:3083282112]: Cleaning up the signal pipe
    2008.04.06 09:49:32 LOG6[15280:3083282112]: Child process 5027 finished with code 0
    2008.04.06 10:06:14 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:35753
    2008.04.06 10:06:14 LOG7[15280:3086601104]: nntp started
    2008.04.06 10:06:14 LOG7[15280:3086601104]: FD 10 in non-blocking mode
    2008.04.06 10:06:14 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
    2008.04.06 10:06:14 LOG7[15280:3086601104]: FD 11 in non-blocking mode
    2008.04.06 10:06:14 LOG7[15280:3086601104]: FD 12 in non-blocking mode
    2008.04.06 10:06:14 LOG7[15280:3083282112]: Cleaning up the signal pipe
    2008.04.06 10:06:14 LOG6[15280:3083282112]: Child process 5786 finished with code 0
    2008.04.06 10:06:14 LOG7[15280:3086601104]: Connection from 127.0.0.1:35753 permitted by libwrap
    2008.04.06 10:06:14 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:35753
    2008.04.06 10:06:14 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
    2008.04.06 10:06:14 LOG3[15280:3086601104]: No host resolved
    2008.04.06 10:06:14 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
    2008.04.06 10:06:14 LOG7[15280:3086601104]: nntp finished (0 left)
    2008.04.06 10:26:46 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:60740
    2008.04.06 10:26:46 LOG7[15280:3086601104]: nntp started
    2008.04.06 10:26:46 LOG7[15280:3086601104]: FD 10 in non-blocking mode
    2008.04.06 10:26:46 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
    2008.04.06 10:26:46 LOG7[15280:3086601104]: FD 11 in non-blocking mode
    2008.04.06 10:26:46 LOG7[15280:3086601104]: FD 12 in non-blocking mode
    2008.04.06 10:26:46 LOG7[15280:3083282112]: Cleaning up the signal pipe
    2008.04.06 10:26:46 LOG6[15280:3083282112]: Child process 6960 finished with code 0
    2008.04.06 10:26:46 LOG7[15280:3086601104]: Connection from 127.0.0.1:60740 permitted by libwrap
    2008.04.06 10:26:46 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:60740
    2008.04.06 10:26:46 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
    2008.04.06 10:26:46 LOG3[15280:3086601104]: No host resolved
    2008.04.06 10:26:46 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
    2008.04.06 10:26:46 LOG7[15280:3086601104]: nntp finished (0 left)
    2008.04.06 17:23:44 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:57835
    2008.04.06 17:23:44 LOG7[15280:3086601104]: nntp started
    2008.04.06 17:23:44 LOG7[15280:3086601104]: FD 10 in non-blocking mode
    2008.04.06 17:23:44 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
    2008.04.06 17:23:44 LOG7[15280:3086601104]: FD 11 in non-blocking mode
    2008.04.06 17:23:44 LOG7[15280:3086601104]: FD 12 in non-blocking mode
    2008.04.06 17:23:44 LOG7[15280:3086601104]: Connection from 127.0.0.1:57835 permitted by libwrap
    2008.04.06 17:23:44 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:57835
    2008.04.06 17:23:44 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
    2008.04.06 17:23:44 LOG3[15280:3086601104]: No host resolved
    2008.04.06 17:23:44 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
    2008.04.06 17:23:44 LOG7[15280:3086601104]: nntp finished (0 left)
    2008.04.06 17:23:44 LOG7[15280:3083282112]: Cleaning up the signal pipe
    2008.04.06 17:23:44 LOG6[15280:3083282112]: Child process 2671 finished with code 0
    2008.04.06 17:23:58 LOG5[2678:3083245248]: stunnel 4.18 on i486-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006
    2008.04.06 17:23:58 LOG5[2678:3083245248]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
    2008.04.06 17:23:58 LOG6[2678:3083245248]: file ulimit = 1024 (can be changed with 'ulimit -n')
    2008.04.06 17:23:58 LOG6[2678:3083245248]: poll() used - no FD_SETSIZE limit for file descriptors
    2008.04.06 17:23:58 LOG5[2678:3083245248]: 500 clients allowed
    2008.04.06 17:23:58 LOG7[2678:3083245248]: FD 4 in non-blocking mode
    2008.04.06 17:23:58 LOG7[2678:3083245248]: FD 5 in non-blocking mode
    2008.04.06 17:23:58 LOG7[2678:3083245248]: FD 6 in non-blocking mode
    2008.04.06 17:23:58 LOG7[2678:3083245248]: SO_REUSEADDR option set on accept socket
    2008.04.06 17:23:58 LOG3[2678:3083245248]: Error binding nntp to 127.0.0.1:119
    2008.04.06 17:23:58 LOG3[2678:3083245248]: bind: Address already in use (98)
    2008.04.06 17:25:18 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:41058
    2008.04.06 17:25:18 LOG7[15280:3086601104]: nntp started
    2008.04.06 17:25:18 LOG7[15280:3086601104]: FD 10 in non-blocking mode
    2008.04.06 17:25:18 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
    2008.04.06 17:25:18 LOG7[15280:3086601104]: FD 11 in non-blocking mode
    2008.04.06 17:25:18 LOG7[15280:3086601104]: FD 12 in non-blocking mode
    2008.04.06 17:25:18 LOG7[15280:3083282112]: Cleaning up the signal pipe
    2008.04.06 17:25:18 LOG6[15280:3083282112]: Child process 2731 finished with code 0
    2008.04.06 17:25:18 LOG7[15280:3086601104]: Connection from 127.0.0.1:41058 permitted by libwrap
    2008.04.06 17:25:18 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:41058
    2008.04.06 17:25:18 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
    2008.04.06 17:25:18 LOG3[15280:3086601104]: No host resolved
    2008.04.06 17:25:18 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
    2008.04.06 17:25:18 LOG7[15280:3086601104]: nntp finished (0 left)
    2008.04.06 17:43:46 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:57064
    2008.04.06 17:43:46 LOG7[15280:3086601104]: nntp started
    2008.04.06 17:43:46 LOG7[15280:3086601104]: FD 10 in non-blocking mode
    2008.04.06 17:43:46 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
    2008.04.06 17:43:46 LOG7[15280:3086601104]: FD 11 in non-blocking mode
    2008.04.06 17:43:46 LOG7[15280:3086601104]: FD 12 in non-blocking mode
    2008.04.06 17:43:46 LOG7[15280:3086601104]: Connection from 127.0.0.1:57064 permitted by libwrap
    2008.04.06 17:43:46 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:57064
    2008.04.06 17:43:46 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
    2008.04.06 17:43:46 LOG3[15280:3086601104]: No host resolved
    2008.04.06 17:43:46 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
    2008.04.06 17:43:46 LOG7[15280:3086601104]: nntp finished (0 left)
    2008.04.06 17:43:46 LOG7[15280:3083282112]: Cleaning up the signal pipe
    2008.04.06 17:43:46 LOG6[15280:3083282112]: Child process 3698 finished with code 0
    2008.04.06 17:44:06 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:57067
    2008.04.06 17:44:06 LOG7[15280:3086601104]: nntp started
    2008.04.06 17:44:06 LOG7[15280:3086601104]: FD 10 in non-blocking mode
    2008.04.06 17:44:06 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
    2008.04.06 17:44:06 LOG7[15280:3086601104]: FD 11 in non-blocking mode
    2008.04.06 17:44:06 LOG7[15280:3086601104]: FD 12 in non-blocking mode
    2008.04.06 17:44:06 LOG7[15280:3083282112]: Cleaning up the signal pipe
    2008.04.06 17:44:06 LOG6[15280:3083282112]: Child process 3716 finished with code 0
    2008.04.06 17:44:06 LOG7[15280:3086601104]: Connection from 127.0.0.1:57067 permitted by libwrap
    2008.04.06 17:44:06 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:57067
    2008.04.06 17:44:06 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
    2008.04.06 17:44:06 LOG3[15280:3086601104]: No host resolved
    2008.04.06 17:44:06 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
    2008.04.06 17:44:06 LOG7[15280:3086601104]: nntp finished (0 left)
    2008.04.06 17:44:33 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:57069
    2008.04.06 17:44:33 LOG7[15280:3086601104]: nntp started
    2008.04.06 17:44:33 LOG7[15280:3086601104]: FD 10 in non-blocking mode
    2008.04.06 17:44:33 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
    2008.04.06 17:44:33 LOG7[15280:3086601104]: FD 11 in non-blocking mode
    2008.04.06 17:44:33 LOG7[15280:3086601104]: FD 12 in non-blocking mode
    2008.04.06 17:44:33 LOG7[15280:3086601104]: Connection from 127.0.0.1:57069 permitted by libwrap
    2008.04.06 17:44:33 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:57069
    2008.04.06 17:44:33 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
    2008.04.06 17:44:33 LOG3[15280:3086601104]: No host resolved
    2008.04.06 17:44:33 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
    2008.04.06 17:44:33 LOG7[15280:3086601104]: nntp finished (0 left)
    2008.04.06 17:44:33 LOG7[15280:3083282112]: Cleaning up the signal pipe
    2008.04.06 17:44:33 LOG6[15280:3083282112]: Child process 3738 finished with code 0
    2008.04.06 17:45:45 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:51796
    2008.04.06 17:45:45 LOG7[15280:3086601104]: nntp started
    2008.04.06 17:45:45 LOG7[15280:3086601104]: FD 10 in non-blocking mode
    2008.04.06 17:45:45 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
    2008.04.06 17:45:45 LOG7[15280:3086601104]: FD 11 in non-blocking mode
    2008.04.06 17:45:45 LOG7[15280:3086601104]: FD 12 in non-blocking mode
    2008.04.06 17:45:45 LOG7[15280:3083282112]: Cleaning up the signal pipe
    2008.04.06 17:45:45 LOG6[15280:3083282112]: Child process 3807 finished with code 0
    2008.04.06 17:45:45 LOG7[15280:3086601104]: Connection from 127.0.0.1:51796 permitted by libwrap
    2008.04.06 17:45:45 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:51796
    2008.04.06 17:45:45 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
    2008.04.06 17:45:45 LOG3[15280:3086601104]: No host resolved
    2008.04.06 17:45:45 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
    2008.04.06 17:45:45 LOG7[15280:3086601104]: nntp finished (0 left)
    2008.04.06 17:46:52 LOG5[3859:3083372224]: stunnel 4.18 on i486-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006
    2008.04.06 17:46:52 LOG5[3859:3083372224]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
    2008.04.06 17:46:52 LOG6[3859:3083372224]: file ulimit = 1024 (can be changed with 'ulimit -n')
    2008.04.06 17:46:52 LOG6[3859:3083372224]: poll() used - no FD_SETSIZE limit for file descriptors
    2008.04.06 17:46:52 LOG5[3859:3083372224]: 500 clients allowed
    2008.04.06 17:46:52 LOG7[3859:3083372224]: FD 4 in non-blocking mode
    2008.04.06 17:46:52 LOG7[3859:3083372224]: FD 5 in non-blocking mode
    2008.04.06 17:46:52 LOG7[3859:3083372224]: FD 6 in non-blocking mode
    2008.04.06 17:46:52 LOG7[3859:3083372224]: SO_REUSEADDR option set on accept socket
    2008.04.06 17:46:52 LOG3[3859:3083372224]: Error binding nntp to 127.0.0.1:119
    2008.04.06 17:46:52 LOG3[3859:3083372224]: bind: Address already in use (98)
    2008.04.06 17:47:01 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:51811
    2008.04.06 17:47:01 LOG7[15280:3086601104]: nntp started
    2008.04.06 17:47:01 LOG7[15280:3086601104]: FD 10 in non-blocking mode
    2008.04.06 17:47:01 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
    2008.04.06 17:47:01 LOG7[15280:3086601104]: FD 11 in non-blocking mode
    2008.04.06 17:47:01 LOG7[15280:3086601104]: FD 12 in non-blocking mode
    2008.04.06 17:47:01 LOG7[15280:3083282112]: Cleaning up the signal pipe
    2008.04.06 17:47:01 LOG6[15280:3083282112]: Child process 3864 finished with code 0
    2008.04.06 17:47:01 LOG7[15280:3086601104]: Connection from 127.0.0.1:51811 permitted by libwrap
    2008.04.06 17:47:01 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:51811
    2008.04.06 17:47:01 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
    2008.04.06 17:47:01 LOG3[15280:3086601104]: No host resolved
    2008.04.06 17:47:01 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
    2008.04.06 17:47:01 LOG7[15280:3086601104]: nntp finished (0 left)
    2008.04.06 17:47:09 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:51814
    2008.04.06 17:47:09 LOG7[15280:3086601104]: nntp started
    2008.04.06 17:47:09 LOG7[15280:3086601104]: FD 10 in non-blocking mode
    2008.04.06 17:47:09 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
    2008.04.06 17:47:09 LOG7[15280:3086601104]: FD 11 in non-blocking mode
    2008.04.06 17:47:09 LOG7[15280:3086601104]: FD 12 in non-blocking mode
    2008.04.06 17:47:09 LOG7[15280:3083282112]: Cleaning up the signal pipe
    2008.04.06 17:47:09 LOG6[15280:3083282112]: Child process 3872 finished with code 0
    2008.04.06 17:47:09 LOG7[15280:3086601104]: Connection from 127.0.0.1:51814 permitted by libwrap
    2008.04.06 17:47:09 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:51814
    2008.04.06 17:47:09 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
    2008.04.06 17:47:09 LOG3[15280:3086601104]: No host resolved
    2008.04.06 17:47:09 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
    2008.04.06 17:47:09 LOG7[15280:3086601104]: nntp finished (0 left)
    2008.04.06 17:47:10 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:51815
    2008.04.06 17:47:10 LOG7[15280:3086601104]: nntp started
    2008.04.06 17:47:10 LOG7[15280:3086601104]: FD 10 in non-blocking mode
    2008.04.06 17:47:10 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
    2008.04.06 17:47:10 LOG7[15280:3086601104]: FD 11 in non-blocking mode
    2008.04.06 17:47:10 LOG7[15280:3086601104]: FD 12 in non-blocking mode
    2008.04.06 17:47:10 LOG7[15280:3083282112]: Cleaning up the signal pipe
    2008.04.06 17:47:10 LOG6[15280:3083282112]: Child process 3874 finished with code 0
    2008.04.06 17:47:10 LOG7[15280:3086601104]: Connection from 127.0.0.1:51815 permitted by libwrap
    2008.04.06 17:47:10 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:51815
    2008.04.06 17:47:10 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
    2008.04.06 17:47:10 LOG3[15280:3086601104]: No host resolved
    2008.04.06 17:47:10 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
    2008.04.06 17:47:10 LOG7[15280:3086601104]: nntp finished (0 left)
    2008.04.06 17:47:47 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:51818
    2008.04.06 17:47:47 LOG7[15280:3086601104]: nntp started
    2008.04.06 17:47:47 LOG7[15280:3086601104]: FD 10 in non-blocking mode
    2008.04.06 17:47:47 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
    2008.04.06 17:47:47 LOG7[15280:3086601104]: FD 11 in non-blocking mode
    2008.04.06 17:47:47 LOG7[15280:3086601104]: FD 12 in non-blocking mode
    2008.04.06 17:47:47 LOG7[15280:3083282112]: Cleaning up the signal pipe
    2008.04.06 17:47:47 LOG6[15280:3083282112]: Child process 3900 finished with code 0
    2008.04.06 17:47:47 LOG7[15280:3086601104]: Connection from 127.0.0.1:51818 permitted by libwrap
    2008.04.06 17:47:47 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:51818
    2008.04.06 17:47:47 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
    2008.04.06 17:47:47 LOG3[15280:3086601104]: No host resolved
    2008.04.06 17:47:47 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
    2008.04.06 17:47:47 LOG7[15280:3086601104]: nntp finished (0 left)
    I then start stunnel4 with: sudo stunnel4 /etc/stunnel/stunnel.conf
    I appreciate any help, thanks.
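
The log above records two separate failures. Every new start after the first (PIDs 4823, 2678, 3859) dies with "bind: Address already in use" because the instance started at 01:07 (daemon PID 15280, the one that wrote /stunnel4.pid) is still holding 127.0.0.1:119; and every connection that old instance accepts fails with "Error resolving 'news.giganews.com'" and closes with 0 bytes sent either way, so Pan does reach stunnel but nothing reaches Giganews. The script below is an added example, not code from this post or from stunnel: it parses stunnel 4 log lines and pulls those facts out. SAMPLE_LOG is an excerpt of the posted log; its last two lines are constructed to show what a connection that carried data looks like.

```python
# Triage an stunnel 4 log (debug = 7) for the failure modes in this thread.
# Added example: not code from the forum post or from stunnel.
import re
from collections import Counter
from typing import Dict, List

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) LOG(?P<level>\d)\[(?P<pid>\d+):\d+\]: (?P<msg>.*)$")
RESOLVE_RE = re.compile(r"Error resolving '([^']+)'")
BYTES_RE = re.compile(r"Connection (?:closed|reset): (\d+) bytes sent to SSL, "
                      r"(\d+) bytes sent to socket")

# Excerpt of the log posted above; the last two lines are constructed to show
# what a connection that actually moved data through the tunnel looks like.
SAMPLE_LOG = """\
2008.04.06 01:07:32 LOG5[15279:3083282112]: stunnel 4.18 on i486-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006
2008.04.06 01:07:32 LOG7[15279:3083282112]: nntp bound to 127.0.0.1:119
2008.04.06 01:07:32 LOG7[15280:3083282112]: Created pid file /stunnel4.pid
2008.04.06 09:45:16 LOG5[4823:3083171520]: stunnel 4.18 on i486-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006
2008.04.06 09:45:16 LOG3[4823:3083171520]: Error binding nntp to 127.0.0.1:119
2008.04.06 09:45:16 LOG3[4823:3083171520]: bind: Address already in use (98)
2008.04.06 09:49:32 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:36402
2008.04.06 09:49:32 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 09:49:32 LOG3[15280:3086601104]: No host resolved
2008.04.06 09:49:32 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 10:06:14 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:35753
2008.04.06 10:06:14 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 10:06:14 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 18:00:00 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:40000
2008.04.06 18:00:09 LOG5[15280:3086601104]: Connection closed: 1532 bytes sent to SSL, 88210 bytes sent to socket
"""


def parse_log(text: str) -> List[Dict]:
    """Split each line into timestamp, level, PID and message; skip junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["pid"], e["level"] = int(e["pid"]), int(e["level"])
            events.append(e)
    return events


def triage(text: str) -> Dict:
    """Summarise start attempts, bind and DNS failures, and per-connection data flow."""
    r: Dict = {"starts": [], "daemons": [], "bound": {}, "bind_failed": {},
               "unresolved": Counter(), "connections": 0, "tunnelled": 0,
               "empty": 0, "verdict": []}
    for e in parse_log(text):
        pid, msg = e["pid"], e["msg"]
        if msg.startswith("stunnel "):                # version banner: a start attempt
            r["starts"].append(pid)
        elif msg.startswith("Created pid file"):      # the forked daemon that serves
            r["daemons"].append(pid)
        elif " bound to " in msg:
            r["bound"][pid] = msg.split(" bound to ", 1)[1]
        elif msg.startswith("Error binding "):
            r["bind_failed"][pid] = msg.rsplit(" to ", 1)[1]
        elif (m := RESOLVE_RE.search(msg)):
            r["unresolved"][m.group(1)] += 1
        elif " connected from " in msg:
            r["connections"] += 1
        elif (m := BYTES_RE.match(msg)):              # close/reset line: bytes each way
            moved = int(m.group(1)) + int(m.group(2))
            r["tunnelled" if moved else "empty"] += 1

    for pid, addr in r["bind_failed"].items():
        holder = r["daemons"] or list(r["bound"])
        r["verdict"].append(
            f"PID {pid} could not bind {addr}: an earlier stunnel (PID {holder}) still "
            "holds it; stop that instance before starting another")
    for host, n in r["unresolved"].items():
        r["verdict"].append(
            f"{n} connection(s) failed to resolve {host} at connect time, i.e. after "
            "chroot; the usual cause is resolver files missing inside the jail, so use "
            "an IP address or copy /etc/resolv.conf (and /etc/hosts) into the chroot")
    if r["connections"] and not r["tunnelled"]:
        r["verdict"].append("Pan reached stunnel but no connection moved any bytes")
    if not r["verdict"]:
        r["verdict"].append("no problems detected")
    return r


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['connections']} connections, {report['tunnelled']} carried data")
    for line in report["verdict"]:
        print("-", line)
```

The "bytes sent to SSL / bytes sent to socket" counters on each close line are the quickest health check in this log format: a working tunnel shows non-zero counts in both directions, while the posted log shows 0/0 on every connection. The chroot explanation for the resolver failure is the common cause, not something the log itself proves; if the name resolves fine from a shell on the same box, that is the first thing to check.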

  6. #6
    Join Date
    Aug 2006
    Location
    Orlando, FL
    Beans
    Hidden!

    Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    Thanks.

  7. #7
    Join Date
    Jun 2006
    Location
    United States
    Beans
    43
    Distro
    Ubuntu 7.04 Feisty Fawn

    Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    Thanks 43moon for the howto, and meekatron for mentioning the special port.

    As meekatron said, if you use Giganews, you need to set the connect to:
    news.giganews.com:563

    -darc

  8. #8
    Join Date
    Jul 2008
    Beans
    1

    Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    I followed your (43moon) HOWTO and get the error below. Below that I have included my config file and default file. I don't seem to have any /stunnel4.pid file in my root directory. Any help is quite appreciated.
    Thank you,
    -----------------------------------------------------------------------------
    dad@dad-desktop:~$ /etc/init.d/stunnel4 start
    Starting SSL tunnels: 2008.07.16 22:15:40 LOG7[7690:3082667696]: RAND_status claims sufficient entropy for the PRNG
    2008.07.16 22:15:40 LOG7[7690:3082667696]: PRNG seeded successfully
    2008.07.16 22:15:40 LOG7[7690:3082667696]: SSL context initialized for service nntp
    [Failed: /etc/stunnel/stunnel.conf]
    You should check that you have specified the pid= in you configuration file
    ------------------------------------------------------------------------------
    ; Sample stunnel configuration file by Michal Trojnara 2002-2006
    ; Some options used here may not be adequate for your particular configuration
    ; Please make sure you understand them (especially the effect of chroot jail)

    ; Certificate/key is needed in server mode and optional in client mode
    ;cert = /etc/stunnel/mail.pem
    ;key = /etc/stunnel/mail.pem

    ; Protocol version (all, SSLv2, SSLv3, TLSv1)
    sslVersion = SSLv3

    ; Some security enhancements for UNIX systems - comment them out on Win32
    chroot = /var/lib/stunnel4/
    setuid = stunnel4
    setgid = stunnel4
    ; PID is created inside chroot jail
    pid = /stunnel4.pid

    ; Some performance tunings
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    ;compression = rle

    ; Workaround for Eudora bug
    ;options = DONT_INSERT_EMPTY_FRAGMENTS

    ; Authentication stuff
    ;verify = 2
    ; Don't forget to c_rehash CApath
    ; CApath is located inside chroot jail
    ;CApath = /certs
    ; It's often easier to use CAfile
    ;CAfile = /etc/stunnel/certs.pem
    ; Don't forget to c_rehash CRLpath
    ; CRLpath is located inside chroot jail
    ;CRLpath = /crls
    ; Alternatively you can use CRLfile
    ;CRLfile = /etc/stunnel/crls.pem

    ; Some debugging stuff useful for troubleshooting
    debug = 7
    output = /var/log/stunnel4/stunnel.log

    ; Use it for client mode
    client = yes

    ; Service-level configuration

    [nntp]
    accept = localhost:119
    connect = news.newsguy.com:443

    ;[pop3s]
    ;accept = 995
    ;connect = 110

    ;[imaps]
    ;accept = 993
    ;connect = 143

    ;[ssmtp]
    ;accept = 465
    ;connect = 25

    ;[https]
    ;accept = 443
    ;connect = 80
    ;TIMEOUTclose = 0

    ; vim:ft=dosini
    ---------------------------------------------------------------------------------
    # /etc/default/stunnel
    # Julien LEMOINE <speedblue@debian.org>
    # September 2003

    # Change to one to enable stunnel
    ENABLED=1
    FILES="/etc/stunnel/*.conf"
    OPTIONS=""

    # Change to one to enable ppp restart scripts
    PPP_RESTART=0
    ================================================================

  9. #9
    Join Date
    Aug 2006
    Location
    Orlando, FL
    Beans
    Hidden!

    Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    do
    sudo stunnel4
    2008.07.16 22:45:02 LOG7[6802:3082888880]: RAND_status claims sufficient entropy for the PRNG
    2008.07.16 22:45:02 LOG7[6802:3082888880]: PRNG seeded successfully
    2008.07.16 22:45:03 LOG7[6802:3082888880]: SSL context initialized for service nntp


    You can check your connection with Wireshark.

    Set a filter to tcp.port == "port number"

    In my case it would be tcp.port == 443

    "expression" is
    tcp.port == 443
    Looks like this if it is working (and a ton of them), something like:
    165335 339.081791 xxx.xx.xxx.xx 192.168.x.xxx SSL Continuation Data
    So after "sudo stunnel4",
    start to grab some headers and then run Wireshark with the expression or filter mentioned up there.


    BOL

    GS
    Last edited by Gun_Smoke; July 17th, 2008 at 04:21 AM.

  10. #10
    Join Date
    Aug 2006
    Location
    Orlando, FL
    Beans
    Hidden!

    Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    ^^^^^^

    Edited... this is for notification emails.

    GS
