[HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)
Disclaimer:
I didn't invent the wheel here, I am just condensing bits and pieces of information that I have learned from other people here in the forum. It took me half of a day to finally figure this out. I hope that I can save someone else the time and the effort by condensing the steps that worked for me. I used Synaptic to install "Pan" and "stunnel4". I am assuming that you already know how to do that. I am not a pro so I may not know how to troubleshoot any issues that you encounter. I am sharing what I have learned in an effort to begin to repay the community.
Getting Stunnel4 to work:
I am only interested in SSL for my newsgroup reader. I don't use an email client or anything else listed in stunnel, so I commented them out in order to avoid any potential problems related to services that I don't use. If you use any of the services, feel free to adjust them to fit your needs (remove the ";" in front of the various service-level configurations).
Edit the stunnel config file:
Code:
sudo gedit /etc/stunnel/stunnel.conf
I have enclosed my stunnel.conf file. If you copy it, be sure to replace "YOUR.NEWSGROUP.HERE:PORT" with your required address and port as provided by your service provider.
Code:
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)
; Certificate/key is needed in server mode and optional in client mode
; cert = /etc/stunnel/mail.pem
;key = /etc/stunnel/mail.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /stunnel4.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem
; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log
; Use it for client mode
client = yes
; Service-level configuration
[nntp]
accept = localhost:119
connect = YOUR.NEWSGROUP.HERE:PORT
; [pop3s]
; accept = 995
; connect = 110
; [imaps]
; accept = 993
; connect = 143
; [ssmtp]
; accept = 465
; connect = 25
; [https]
; accept = 443
; connect = 80
; TIMEOUTclose = 0
; vim:ft=dosini
Edit stunnel4:
Code:
sudo gedit /etc/default/stunnel4
Set "Enabled=" to "1" (without quotes):
Code:
# /etc/default/stunnel
# Julien LEMOINE <speedblue@debian.org>
# September 2003
# Change to one to enable stunnel
ENABLED=1
FILES="/etc/stunnel/*.conf"
OPTIONS=""
# Change to one to enable ppp restart scripts
PPP_RESTART=0
Getting Pan to work with stunnel4:
Start Pan and enter the following settings for your secure newsgroup server:
Set the Location Address to: "localhost" (without the quotes).
Set the port to: 119
Enter your Login information if required by your service provider.
Start stunnel4:
Code:
/etc/init.d/stunnel4 start
Now start Pan and you should be able to access your newsgroup server through SSL.
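An added example (not part of the HOWTO): a small checker for the settings in this thread's stunnel.conf that decide whether the tunnel actually protects the NNTP session. Both configs inside it are constructed from the posted file; the hardened one turns on the verify/CAfile options the sample file leaves commented out, and the CA bundle path is assumed.

```python
# Added example (not part of the HOWTO): a checker for the settings in this
# thread's stunnel.conf that decide whether the tunnel actually protects the
# NNTP session. Both configs below are constructed from the posted file.
import re

# Abbreviated copy of the HOWTO's file (the commented-out mail services left out).
WEAK_CONF = """
sslVersion = SSLv3
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
;verify = 2
;CAfile = /etc/stunnel/certs.pem
client = yes
[nntp]
accept = localhost:119
connect = YOUR.NEWSGROUP.HERE:PORT
"""

# Same service with the authentication options the sample file leaves
# commented out switched on. The CA bundle path is the one from the sample
# file (assumed to exist); the connect target is the Giganews port given
# later in the thread.
HARDENED_CONF = """
sslVersion = TLSv1
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
verify = 2
CAfile = /etc/stunnel/certs.pem
client = yes
[nntp]
accept = localhost:119
connect = news.giganews.com:563
"""


def parse_stunnel_conf(text):
    """Split an stunnel.conf into (global_opts, {service: opts}).

    Lines starting with ';' or '#' are comments.  Values are kept as lists
    because some keys (e.g. 'socket') legitimately repeat."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = services.setdefault(m.group(1), {})
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else current
        target.setdefault(key.strip(), []).append(value.strip())
    return global_opts, services


def check_conf(text):
    """Return a list of findings for a client-mode stunnel configuration."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []

    def opt(svc, key):
        # A service-level value overrides the global default; last one wins.
        return (services[svc].get(key) or global_opts.get(key) or [None])[-1]

    for name in services:
        accept = opt(name, "accept") or ""
        # 'accept = 119' (no host) binds every interface, so the plaintext
        # side of the tunnel would be reachable from the LAN.
        host = accept.rpartition(":")[0] if ":" in accept else ""
        if host not in ("localhost", "127.0.0.1", "::1"):
            findings.append(f"{name}: accept is not bound to loopback")
        if opt(name, "client") != "yes":
            findings.append(f"{name}: client mode is off")
        verify = opt(name, "verify")
        if verify is None or int(verify) < 2:
            findings.append(f"{name}: verify < 2, server certificate is not checked")
        elif not (opt(name, "CAfile") or opt(name, "CApath")):
            findings.append(f"{name}: verify set but no CAfile/CApath")
        if (opt(name, "sslVersion") or "all") in ("all", "SSLv2", "SSLv3"):
            findings.append(f"{name}: sslVersion permits SSLv2/SSLv3")
        if "YOUR." in (opt(name, "connect") or ""):
            findings.append(f"{name}: connect still holds the HOWTO placeholder")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, check_conf(conf) or ["no findings"])
```

Without `verify`, stunnel accepts whatever certificate the remote end presents, so the tunnel hides the session from the LAN but does not prove who is on the other end.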
Thanks to Badtothebone for this helpful post:
http://ubuntuforums.org/showpost.php...83&postcount=7
And thanks to chrroessner for this very enlightening post:
http://ubuntuforums.org/showpost.php...31&postcount=1
Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)
OK, I seem to have this working, but a few things are confusing me. I am no expert on SSL stuff, but what I am wondering is: if the port on my news reader is 119, which is the port for my news server, how is it encrypted? Should it not be a different port number?
My conf file for stunnel looks like this:
[nntp]
accept = localhost:119
connect = news-europe.giganews.com:563
And my Pan news reader is on localhost port 119.
Does this mean it is bypassing stunnel and ignoring the encryption?
I got the 563 port number from the Giganews website; would that be a special port for their SSL stuff?
Is the SSL encryption for both upload and download?
Sorry if these questions sound a bit dumb, just trying to get my head round it.
Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)
Basically what you are doing is setting up a server on your computer, but only applications on your network can access it. So, in Pan it connected to your own computer and in turn stunnel connects via ssl to giganews on the port specified in the file.
Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)
This is the de-facto standard for HOWTOs when it comes to setting up stunnel4 with Pan in Gutsy. Thank you so much - I'm bookmarking this for future reference!
Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)
I am unable to get Pan working with stunnel4.
Here's my stunnel.conf:
Code:
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)
; Certificate/key is needed in server mode and optional in client mode
; cert = /etc/stunnel/mail.pem
;key = /etc/stunnel/mail.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /stunnel4.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem
; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log
; Use it for client mode
client = yes
; Service-level configuration
[nntp]
accept = localhost:119
connect = news.giganews.com:443
; [pop3s]
; accept = 995
; connect = 110
; [imaps]
; accept = 993
; connect = 143
; [ssmtp]
; accept = 465
; connect = 25
; [https]
; accept = 443
; connect = 80
; TIMEOUTclose = 0
; vim:ft=dosini
And my stunnel4:
Code:
# /etc/default/stunnel
# Julien LEMOINE <speedblue@debian.org>
# September 2003
# Change to one to enable stunnel
ENABLED=1
FILES="/etc/stunnel/stunnel.conf"
OPTIONS=""
# Change to one to enable ppp restart scripts
PPP_RESTART=0
And Pan is set to localhost/119 with my correct login info.
Also, here's my log file:
Code:
2008.04.06 01:07:32 LOG5[15279:3083282112]: stunnel 4.18 on i486-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006
2008.04.06 01:07:32 LOG5[15279:3083282112]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2008.04.06 01:07:32 LOG6[15279:3083282112]: file ulimit = 1024 (can be changed with 'ulimit -n')
2008.04.06 01:07:32 LOG6[15279:3083282112]: poll() used - no FD_SETSIZE limit for file descriptors
2008.04.06 01:07:32 LOG5[15279:3083282112]: 500 clients allowed
2008.04.06 01:07:32 LOG7[15279:3083282112]: FD 7 in non-blocking mode
2008.04.06 01:07:32 LOG7[15279:3083282112]: FD 8 in non-blocking mode
2008.04.06 01:07:32 LOG7[15279:3083282112]: FD 9 in non-blocking mode
2008.04.06 01:07:32 LOG7[15279:3083282112]: SO_REUSEADDR option set on accept socket
2008.04.06 01:07:32 LOG7[15279:3083282112]: nntp bound to 127.0.0.1:119
2008.04.06 01:07:32 LOG7[15280:3083282112]: Created pid file /stunnel4.pid
2008.04.06 09:45:16 LOG5[4823:3083171520]: stunnel 4.18 on i486-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006
2008.04.06 09:45:16 LOG5[4823:3083171520]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2008.04.06 09:45:16 LOG6[4823:3083171520]: file ulimit = 1024 (can be changed with 'ulimit -n')
2008.04.06 09:45:16 LOG6[4823:3083171520]: poll() used - no FD_SETSIZE limit for file descriptors
2008.04.06 09:45:16 LOG5[4823:3083171520]: 500 clients allowed
2008.04.06 09:45:16 LOG7[4823:3083171520]: FD 4 in non-blocking mode
2008.04.06 09:45:16 LOG7[4823:3083171520]: FD 5 in non-blocking mode
2008.04.06 09:45:16 LOG7[4823:3083171520]: FD 6 in non-blocking mode
2008.04.06 09:45:16 LOG7[4823:3083171520]: SO_REUSEADDR option set on accept socket
2008.04.06 09:45:16 LOG3[4823:3083171520]: Error binding nntp to 127.0.0.1:119
2008.04.06 09:45:16 LOG3[4823:3083171520]: bind: Address already in use (98)
2008.04.06 09:49:32 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:36402
2008.04.06 09:49:32 LOG7[15280:3086601104]: nntp started
2008.04.06 09:49:32 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 09:49:32 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 09:49:32 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 09:49:32 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 09:49:32 LOG7[15280:3086601104]: Connection from 127.0.0.1:36402 permitted by libwrap
2008.04.06 09:49:32 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:36402
2008.04.06 09:49:32 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 09:49:32 LOG3[15280:3086601104]: No host resolved
2008.04.06 09:49:32 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 09:49:32 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 09:49:32 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 09:49:32 LOG6[15280:3083282112]: Child process 5027 finished with code 0
2008.04.06 10:06:14 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:35753
2008.04.06 10:06:14 LOG7[15280:3086601104]: nntp started
2008.04.06 10:06:14 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 10:06:14 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 10:06:14 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 10:06:14 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 10:06:14 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 10:06:14 LOG6[15280:3083282112]: Child process 5786 finished with code 0
2008.04.06 10:06:14 LOG7[15280:3086601104]: Connection from 127.0.0.1:35753 permitted by libwrap
2008.04.06 10:06:14 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:35753
2008.04.06 10:06:14 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 10:06:14 LOG3[15280:3086601104]: No host resolved
2008.04.06 10:06:14 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 10:06:14 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 10:26:46 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:60740
2008.04.06 10:26:46 LOG7[15280:3086601104]: nntp started
2008.04.06 10:26:46 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 10:26:46 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 10:26:46 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 10:26:46 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 10:26:46 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 10:26:46 LOG6[15280:3083282112]: Child process 6960 finished with code 0
2008.04.06 10:26:46 LOG7[15280:3086601104]: Connection from 127.0.0.1:60740 permitted by libwrap
2008.04.06 10:26:46 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:60740
2008.04.06 10:26:46 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 10:26:46 LOG3[15280:3086601104]: No host resolved
2008.04.06 10:26:46 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 10:26:46 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:23:44 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:57835
2008.04.06 17:23:44 LOG7[15280:3086601104]: nntp started
2008.04.06 17:23:44 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:23:44 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:23:44 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:23:44 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:23:44 LOG7[15280:3086601104]: Connection from 127.0.0.1:57835 permitted by libwrap
2008.04.06 17:23:44 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:57835
2008.04.06 17:23:44 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:23:44 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:23:44 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:23:44 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:23:44 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:23:44 LOG6[15280:3083282112]: Child process 2671 finished with code 0
2008.04.06 17:23:58 LOG5[2678:3083245248]: stunnel 4.18 on i486-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006
2008.04.06 17:23:58 LOG5[2678:3083245248]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2008.04.06 17:23:58 LOG6[2678:3083245248]: file ulimit = 1024 (can be changed with 'ulimit -n')
2008.04.06 17:23:58 LOG6[2678:3083245248]: poll() used - no FD_SETSIZE limit for file descriptors
2008.04.06 17:23:58 LOG5[2678:3083245248]: 500 clients allowed
2008.04.06 17:23:58 LOG7[2678:3083245248]: FD 4 in non-blocking mode
2008.04.06 17:23:58 LOG7[2678:3083245248]: FD 5 in non-blocking mode
2008.04.06 17:23:58 LOG7[2678:3083245248]: FD 6 in non-blocking mode
2008.04.06 17:23:58 LOG7[2678:3083245248]: SO_REUSEADDR option set on accept socket
2008.04.06 17:23:58 LOG3[2678:3083245248]: Error binding nntp to 127.0.0.1:119
2008.04.06 17:23:58 LOG3[2678:3083245248]: bind: Address already in use (98)
2008.04.06 17:25:18 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:41058
2008.04.06 17:25:18 LOG7[15280:3086601104]: nntp started
2008.04.06 17:25:18 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:25:18 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:25:18 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:25:18 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:25:18 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:25:18 LOG6[15280:3083282112]: Child process 2731 finished with code 0
2008.04.06 17:25:18 LOG7[15280:3086601104]: Connection from 127.0.0.1:41058 permitted by libwrap
2008.04.06 17:25:18 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:41058
2008.04.06 17:25:18 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:25:18 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:25:18 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:25:18 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:43:46 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:57064
2008.04.06 17:43:46 LOG7[15280:3086601104]: nntp started
2008.04.06 17:43:46 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:43:46 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:43:46 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:43:46 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:43:46 LOG7[15280:3086601104]: Connection from 127.0.0.1:57064 permitted by libwrap
2008.04.06 17:43:46 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:57064
2008.04.06 17:43:46 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:43:46 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:43:46 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:43:46 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:43:46 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:43:46 LOG6[15280:3083282112]: Child process 3698 finished with code 0
2008.04.06 17:44:06 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:57067
2008.04.06 17:44:06 LOG7[15280:3086601104]: nntp started
2008.04.06 17:44:06 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:44:06 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:44:06 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:44:06 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:44:06 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:44:06 LOG6[15280:3083282112]: Child process 3716 finished with code 0
2008.04.06 17:44:06 LOG7[15280:3086601104]: Connection from 127.0.0.1:57067 permitted by libwrap
2008.04.06 17:44:06 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:57067
2008.04.06 17:44:06 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:44:06 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:44:06 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:44:06 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:44:33 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:57069
2008.04.06 17:44:33 LOG7[15280:3086601104]: nntp started
2008.04.06 17:44:33 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:44:33 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:44:33 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:44:33 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:44:33 LOG7[15280:3086601104]: Connection from 127.0.0.1:57069 permitted by libwrap
2008.04.06 17:44:33 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:57069
2008.04.06 17:44:33 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:44:33 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:44:33 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:44:33 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:44:33 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:44:33 LOG6[15280:3083282112]: Child process 3738 finished with code 0
2008.04.06 17:45:45 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:51796
2008.04.06 17:45:45 LOG7[15280:3086601104]: nntp started
2008.04.06 17:45:45 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:45:45 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:45:45 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:45:45 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:45:45 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:45:45 LOG6[15280:3083282112]: Child process 3807 finished with code 0
2008.04.06 17:45:45 LOG7[15280:3086601104]: Connection from 127.0.0.1:51796 permitted by libwrap
2008.04.06 17:45:45 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:51796
2008.04.06 17:45:45 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:45:45 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:45:45 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:45:45 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:46:52 LOG5[3859:3083372224]: stunnel 4.18 on i486-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006
2008.04.06 17:46:52 LOG5[3859:3083372224]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2008.04.06 17:46:52 LOG6[3859:3083372224]: file ulimit = 1024 (can be changed with 'ulimit -n')
2008.04.06 17:46:52 LOG6[3859:3083372224]: poll() used - no FD_SETSIZE limit for file descriptors
2008.04.06 17:46:52 LOG5[3859:3083372224]: 500 clients allowed
2008.04.06 17:46:52 LOG7[3859:3083372224]: FD 4 in non-blocking mode
2008.04.06 17:46:52 LOG7[3859:3083372224]: FD 5 in non-blocking mode
2008.04.06 17:46:52 LOG7[3859:3083372224]: FD 6 in non-blocking mode
2008.04.06 17:46:52 LOG7[3859:3083372224]: SO_REUSEADDR option set on accept socket
2008.04.06 17:46:52 LOG3[3859:3083372224]: Error binding nntp to 127.0.0.1:119
2008.04.06 17:46:52 LOG3[3859:3083372224]: bind: Address already in use (98)
2008.04.06 17:47:01 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:51811
2008.04.06 17:47:01 LOG7[15280:3086601104]: nntp started
2008.04.06 17:47:01 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:47:01 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:47:01 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:47:01 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:47:01 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:47:01 LOG6[15280:3083282112]: Child process 3864 finished with code 0
2008.04.06 17:47:01 LOG7[15280:3086601104]: Connection from 127.0.0.1:51811 permitted by libwrap
2008.04.06 17:47:01 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:51811
2008.04.06 17:47:01 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:47:01 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:47:01 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:47:01 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:47:09 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:51814
2008.04.06 17:47:09 LOG7[15280:3086601104]: nntp started
2008.04.06 17:47:09 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:47:09 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:47:09 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:47:09 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:47:09 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:47:09 LOG6[15280:3083282112]: Child process 3872 finished with code 0
2008.04.06 17:47:09 LOG7[15280:3086601104]: Connection from 127.0.0.1:51814 permitted by libwrap
2008.04.06 17:47:09 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:51814
2008.04.06 17:47:09 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:47:09 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:47:09 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:47:09 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:47:10 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:51815
2008.04.06 17:47:10 LOG7[15280:3086601104]: nntp started
2008.04.06 17:47:10 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:47:10 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:47:10 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:47:10 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:47:10 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:47:10 LOG6[15280:3083282112]: Child process 3874 finished with code 0
2008.04.06 17:47:10 LOG7[15280:3086601104]: Connection from 127.0.0.1:51815 permitted by libwrap
2008.04.06 17:47:10 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:51815
2008.04.06 17:47:10 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:47:10 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:47:10 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:47:10 LOG7[15280:3086601104]: nntp finished (0 left)
2008.04.06 17:47:47 LOG7[15280:3083282112]: nntp accepted FD=10 from 127.0.0.1:51818
2008.04.06 17:47:47 LOG7[15280:3086601104]: nntp started
2008.04.06 17:47:47 LOG7[15280:3086601104]: FD 10 in non-blocking mode
2008.04.06 17:47:47 LOG7[15280:3086601104]: TCP_NODELAY option set on local socket
2008.04.06 17:47:47 LOG7[15280:3086601104]: FD 11 in non-blocking mode
2008.04.06 17:47:47 LOG7[15280:3086601104]: FD 12 in non-blocking mode
2008.04.06 17:47:47 LOG7[15280:3083282112]: Cleaning up the signal pipe
2008.04.06 17:47:47 LOG6[15280:3083282112]: Child process 3900 finished with code 0
2008.04.06 17:47:47 LOG7[15280:3086601104]: Connection from 127.0.0.1:51818 permitted by libwrap
2008.04.06 17:47:47 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:51818
2008.04.06 17:47:47 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 17:47:47 LOG3[15280:3086601104]: No host resolved
2008.04.06 17:47:47 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 17:47:47 LOG7[15280:3086601104]: nntp finished (0 left)
I then start stunnel4 with: sudo stunnel4 /etc/stunnel/stunnel.conf
I appreciate any help, thanks.
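An added triage helper (not from the forum post) for the stunnel debug log format posted above. The sample lines inside it are constructed to match the posted log (same layout, heavily abbreviated): an older instance keeps the listener, a later start fails to bind, and every session fails at name resolution.

```python
# Added example (not from the forum post): a triage helper for the stunnel
# debug log format posted above. The sample lines below are constructed to
# match the posted log (same layout, heavily abbreviated).
import re
from collections import Counter

SAMPLE_LOG = """\
2008.04.06 01:07:32 LOG7[15279:3083282112]: nntp bound to 127.0.0.1:119
2008.04.06 01:07:32 LOG7[15280:3083282112]: Created pid file /stunnel4.pid
2008.04.06 09:45:16 LOG3[4823:3083171520]: Error binding nntp to 127.0.0.1:119
2008.04.06 09:45:16 LOG3[4823:3083171520]: bind: Address already in use (98)
2008.04.06 09:49:32 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:36402
2008.04.06 09:49:32 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 09:49:32 LOG3[15280:3086601104]: No host resolved
2008.04.06 09:49:32 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.04.06 10:06:14 LOG5[15280:3086601104]: nntp connected from 127.0.0.1:35753
2008.04.06 10:06:14 LOG3[15280:3086601104]: Error resolving 'news.giganews.com': Neither nodename nor servname known (EAI_NONAME)
2008.04.06 10:06:14 LOG5[15280:3086601104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
"""

# "<date> <time> LOG<level>[<pid>:<thread>]: <message>"; the level is the
# syslog priority (3 = error, 5 = notice, 7 = debug).
LINE_RE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\d+):(\d+)\]: (.*)$")


def parse_log(text):
    """Yield one dict per well-formed line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"ts": m.group(1), "level": int(m.group(2)),
                   "pid": int(m.group(3)), "msg": m.group(5)}


def triage(text):
    """Summarise the failure modes visible in the posted log.

    Returns the pid that owns the listener, pids whose bind failed, a count
    of unresolved host names, the number of sessions that closed with
    nothing sent to the TLS side, the error count, and plain-English hints."""
    listener, bind_failed, unresolved = set(), [], Counter()
    empty_sessions = errors = 0
    for e in parse_log(text):
        msg = e["msg"]
        if e["level"] <= 3:
            errors += 1
        if "Created pid file" in msg:
            listener.add(e["pid"])
        elif msg.startswith("bind: Address already in use"):
            bind_failed.append(e["pid"])
        elif msg.startswith("Error resolving '"):
            unresolved[msg.split("'")[1]] += 1
        elif msg.startswith("Connection reset: 0 bytes sent to SSL"):
            empty_sessions += 1

    hints = []
    if bind_failed and listener:
        hints.append("pid(s) %s could not bind 127.0.0.1:119 because pid %s "
                     "from an earlier start still owns it; stop that instance "
                     "before starting another" % (bind_failed, sorted(listener)))
    for host, n in unresolved.items():
        hints.append("%s failed to resolve %d time(s); check the name and that "
                     "the resolver works for the stunnel process (the posted "
                     "config runs it chrooted as user stunnel4)" % (host, n))
    if empty_sessions:
        hints.append("%d session(s) closed with 0 bytes to SSL: Pan reached "
                     "stunnel, but no TLS connection was ever made" % empty_sessions)
    return {"listener_pids": sorted(listener), "bind_failed_pids": bind_failed,
            "unresolved": dict(unresolved), "empty_sessions": empty_sessions,
            "errors": errors, "hints": hints}


if __name__ == "__main__":
    for hint in triage(SAMPLE_LOG)["hints"]:
        print("-", hint)
```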
Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)
Thanks 43moon for the howto, and meekatron for mentioning the special port.
As meekatron said, if you use giganews, you need to set the connect to :
news.giganews.com:563
-darc
Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)
I followed your (43moon) howto and have the error below. Below that I have included my config file and default file. I don't seem to have any /stunnel4.pid file in my root directory. Any help is quite appreciated.
Thank you,
-----------------------------------------------------------------------------
dad@dad-desktop:~$ /etc/init.d/stunnel4 start
Starting SSL tunnels: 2008.07.16 22:15:40 LOG7[7690:3082667696]: RAND_status claims sufficient entropy for the PRNG
2008.07.16 22:15:40 LOG7[7690:3082667696]: PRNG seeded successfully
2008.07.16 22:15:40 LOG7[7690:3082667696]: SSL context initialized for service nntp
[Failed: /etc/stunnel/stunnel.conf]
You should check that you have specified the pid= in you configuration file
------------------------------------------------------------------------------
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)
; Certificate/key is needed in server mode and optional in client mode
;cert = /etc/stunnel/mail.pem
;key = /etc/stunnel/mail.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /stunnel4.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem
; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log
; Use it for client mode
client = yes
; Service-level configuration
[nntp]
accept = localhost:119
connect = news.newsguy.com:443
;[pop3s]
;accept = 995
;connect = 110
;[imaps]
;accept = 993
;connect = 143
;[ssmtp]
;accept = 465
;connect = 25
;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0
; vim:ft=dosini
---------------------------------------------------------------------------------
# /etc/default/stunnel
# Julien LEMOINE <speedblue@debian.org>
# September 2003
# Change to one to enable stunnel
ENABLED=1
FILES="/etc/stunnel/*.conf"
OPTIONS=""
# Change to one to enable ppp restart scripts
PPP_RESTART=0
==================================================================
Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)
do 2008.07.16 22:45:02 LOG7[6802:3082888880]: RAND_status claims sufficient entropy for the PRNG
2008.07.16 22:45:02 LOG7[6802:3082888880]: PRNG seeded successfully
2008.07.16 22:45:03 LOG7[6802:3082888880]: SSL context initialized for service nntp
You can check your connection with Wireshark. Set a filter to tcp.port == "port number"; in my case it would be tcp.port == 443.
If it is working, the "expression" looks like this, and you get a ton of them. Something like this:
Quote:
165335 339.081791 xxx.xx.xxx.xx 192.168.x.xxx SSL Continuation Data
So after "sudo stunnel4", start to grab some headers and then run Wireshark with the expression or filter mentioned up there.
BOL
GS