
Check certificate for news server (testing neodome)


Ronald
Jan 7, 2024, 4:21:37 AM

On Windows, I ran this command just now.
echo q | openssl s_client -connect news.neodome.net:563 | openssl x509 -noout -enddate | findstr "notAfter"

It reported this result:
depth=0 O = Neodome, CN = neodome.net, emailAddress = ad...@neodome.net
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Neodome, CN = neodome.net, emailAddress = ad...@neodome.net
verify error:num=10:certificate has expired
notAfter=Dec 31 21:59:46 2020 GMT
verify return:1
depth=0 O = Neodome, CN = neodome.net, emailAddress = ad...@neodome.net
notAfter=Dec 31 21:59:46 2020 GMT
verify return:1
notAfter=Dec 31 21:59:46 2020 GMT
DONE

Then I ran this command.
openssl s_client -ign_eof -connect news.neodome.net:563

Which reported a long output but I cut out the non errors to result in this.
verify error:num=10:certificate has expired
Verification error: certificate has expired
Verify return code: 10 (certificate has expired)

But Neodome uses a self-signed certificate.
So it's never supposed to expire, right?

I don't know what the output is SUPPOSED to be for a self-signed certificate.
I don't even know what a self-signed certificate even means.

Can you help me make better sense of the output and how to fix it?

Tony
Jan 7, 2024, 1:41:30 PM

I couldn't get it to work on port 563, but it works on port 119, though I
couldn't post replies, just read only. On SeaMonkey.

Marco Moock
Jan 7, 2024, 2:51:18 PM

Am 07.01.2024 um 04:21:34 Uhr schrieb Ronald:

> Which reported a long output but I cut out the non errors to result
> in this. verify error:num=10:certificate has expired
> Verification error: certificate has expired
> Verify return code: 10 (certificate has expired)
>
> But Neodome uses a self-signed certificate.
> So it's never supposed to expire, right?

That is not related to self-signed.

> I don't know what the output is SUPPOSED to be for a self-signed
> certificate. I don't even know what a self-signed certificate even
> means.

It means that the certificate isn't signed by an authority upper in the
hierarchy.
The default for most software is to reject those certificates because
they can't be checked against the authorized CAs.

> Can you help me make better sense of the output and how to fix it?

It is a fault at their side.
The cert has been invalid for 3 years; they don't seem to care. Contact them
by email and tell them about that, so they can fix it.

ad...@neodome.net

Marco Moock
Jan 7, 2024, 2:58:48 PM

Am 07.01.2024 um 13:41:25 Uhr schrieb Tony:

> I couldn't get it to work on port 563 but it works on port 119 but I
> couldn't post replies just read only. On Seamonkey.

Works for me on 563 (I haven't tested posting or reading, only
connecting).

openssl s_client -ign_eof -connect news.neodome.net:563

119 is usable and offers STARTTLS:
openssl s_client -starttls nntp -ign_eof -connect news.neodome.net:119

Although, posting is not allowed there.

Carlos E.R.
Jan 7, 2024, 8:59:36 PM

On 2024-01-07 10:21, Ronald wrote:
> On Windows, I ran this command just now.
> echo q | openssl s_client -connect news.neodome.net:563 | openssl x509 -noout -enddate | findstr "notAfter"
>
> It reported this result:
> depth=0 O = Neodome, CN = neodome.net, emailAddress = ad...@neodome.net
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 O = Neodome, CN = neodome.net, emailAddress = ad...@neodome.net
> verify error:num=10:certificate has expired
> notAfter=Dec 31 21:59:46 2020 GMT
> verify return:1
> depth=0 O = Neodome, CN = neodome.net, emailAddress = ad...@neodome.net
> notAfter=Dec 31 21:59:46 2020 GMT
> verify return:1
> notAfter=Dec 31 21:59:46 2020 GMT
> DONE
>
> Then I ran this command.
> openssl s_client -ign_eof -connect news.neodome.net:563
>
> Which reported a long output but I cut out the non errors to result in this.
> verify error:num=10:certificate has expired
> Verification error: certificate has expired
> Verify return code: 10 (certificate has expired)
>
> But Neodome uses a self-signed certificate.
> So it's never supposed to expire, right?

No. They are different and independent properties. A self-signed
certificate can certainly expire. Depending on your client software, you
can ignore that and make an exception.

>
> I don't know what the output is SUPPOSED to be for a self-signed certificate.
> I don't even know what a self-signed certificate even means.

That it is not signed by a certificate authority, and thus will not be
accepted automatically by your client software.

>
> Can you help me make better sense of the output and how to fix it?

You can not _fix_ it. Not in your power.

--
Cheers, Carlos.
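The OP's command and Carlos's answer describe two independent properties that the mixed `openssl s_client` output makes easy to confuse. As an added example (not code from the thread), the following Python reads the `verify error:num=N` and `notAfter=` lines that command printed and reports "who signed it" and "when it expires" separately; the sample output is the one quoted above.

```python
"""Separate 'self-signed' from 'expired' in openssl s_client verify output.

Added example for this thread, not code from the thread: it reads the
"verify error:num=N" and "notAfter=" lines the OP's command printed and
reports each property independently.
"""
import re
from datetime import datetime, timezone

# OpenSSL X509_V_ERR_* codes that show up as "verify error:num=N:..." lines.
VERIFY_ERRORS = {
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self-signed certificate (the server is its own issuer)",
    19: "self-signed certificate in the chain",
    20: "unable to get local issuer certificate (issuer not in trust store)",
    21: "unable to verify the first certificate",
}

# Constructed sample: the lines the OP's command printed for news.neodome.net:563.
SAMPLE_OUTPUT = """\
depth=0 O = Neodome, CN = neodome.net, emailAddress = ad...@neodome.net
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Neodome, CN = neodome.net, emailAddress = ad...@neodome.net
verify error:num=10:certificate has expired
notAfter=Dec 31 21:59:46 2020 GMT
verify return:1
notAfter=Dec 31 21:59:46 2020 GMT
DONE
"""

_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$", re.MULTILINE)
_NOT_AFTER_RE = re.compile(r"^notAfter=(.+)$", re.MULTILINE)
_DEPTH0_RE = re.compile(r"^depth=0 (.+)$", re.MULTILINE)


def parse_openssl_time(value):
    """Parse OpenSSL's 'Dec 31 21:59:46 2020 GMT' into an aware UTC datetime."""
    value = " ".join(value.split())  # OpenSSL pads single-digit days with two spaces
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def analyze(output):
    """Return the independent properties the verify lines reveal."""
    codes = {int(num): text.strip() for num, text in _ERR_RE.findall(output)}
    not_after = _NOT_AFTER_RE.search(output)
    subject = _DEPTH0_RE.search(output)
    return {
        "subject": subject.group(1) if subject else None,
        "errors": {c: VERIFY_ERRORS.get(c, msg) for c, msg in codes.items()},
        "self_signed": 18 in codes or 19 in codes,  # who issued it
        "expired": 10 in codes,                      # whether notAfter has passed
        "not_after": parse_openssl_time(not_after.group(1)) if not_after else None,
    }


def days_past_expiry(not_after, now=None):
    """Whole days since notAfter; negative means the certificate is still valid."""
    now = now or datetime.now(timezone.utc)
    return (now - not_after).days


def explain(result, now=None):
    """Human-readable verdict, one line per independent property."""
    lines = [f"subject: {result['subject']}"]
    lines.append(
        "issuer: self-signed (no CA vouches for it; clients need a local exception)"
        if result["self_signed"] else "issuer: a separate CA (chain must be checked)"
    )
    if result["not_after"] is None:
        lines.append("validity: unknown (no notAfter line)")
    else:
        days = days_past_expiry(result["not_after"], now)
        state = f"expired {days} days ago" if days >= 0 else f"valid for {-days} more days"
        lines.append(f"validity: notAfter {result['not_after']:%Y-%m-%d %H:%M:%S} UTC, {state}")
    for code, text in sorted(result["errors"].items()):
        lines.append(f"verify error {code}: {text}")
    return lines


if __name__ == "__main__":
    print("\n".join(explain(analyze(SAMPLE_OUTPUT))))
```

Run it against `openssl s_client ... 2>&1` output from any server: a certificate can be self-signed and valid, CA-signed and expired, or, as here, both self-signed and expired.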

Ronald
Jan 7, 2024, 10:11:42 PM

On Mon, 8 Jan 2024 02:58:21 +0100, Carlos E.R. wrote:

>> I don't know what the output is SUPPOSED to be for a self-signed certificate.
>> I don't even know what a self-signed certificate even means.
>
> That it is not signed by a certificate authority, and thus will not be
> accepted automatically by your client software.

The strange thing is the self-signed certificate apparently expired 3 years
ago yet I've been posting to 563 using the same setup for years on end.
;40tude Dialog newsreader setup
Dialog Host: 127.0.0.1
Dialog Port: 123456
Dialog SSL: unchecked
Dialog Username: mylogin
Dialog Password: mypasswd
Dialog Allwd. conn.: 2
Dialog Use pipelining (unchecked)

; sTunnel.conf setup
[Neodome]
client = yes
accept = 127.0.0.1:123456
connect = news.neodome.net:563
verify = 0
verifyChain = yes
CAfile = ca-certs.pem
checkHost = news.neodome.net
OCSPaia = yes

How could that be that this setup worked until only about three weeks ago?

What suddenly happened a few weeks ago was a "socket error" in 40Tude
Dialog, which I didn't debug fully until yesterday as an expired cert.

I know what I just said makes no sense.

How could I have been posting all along with the same setup which all of a
sudden errors out - but when I debug - the certificate expired years ago?

Paul
Jan 8, 2024, 1:28:55 AM

Is the node actually up ?

Maybe the reason you can't post to it, is it's half-up
or not-up-at-all.

Fire up Wireshark and see if the server is sending "RST"
packets indicating a "buzz off please" state. You would
be checking, on whatever machine of yours is doing the
stunnel (making the direct connection to Neodome).

Wireshark is available for multiple platforms, Win/Mac/Linux.
On Mac, you have to guess at which version runs on your machine,
and no one will help you. They don't like to label their releases
in a useful way. I have probably, at one time or another,
used it on all three platforms. On my Mac, I downloaded multiple
copies until I found one that ran.

https://en.wikipedia.org/wiki/Wireshark

Unless Wireshark has a Dissector for SSL/TLS, there's not much to see.
In this case though, we're just checking for RST, to see if the
node is in trouble, or has run out of some resource and has
functionally croaked.

Paul

Marco Moock
Jan 8, 2024, 1:30:32 AM

Am 07.01.2024 um 22:11:36 Uhr schrieb Ronald:

> ; sTunnel.conf setup
> [Neodome]
> client = yes
> accept = 127.0.0.1:123456
> connect = news.neodome.net:563
> verify = 0

Does that maybe disable cert checking at all?

Marco Moock
Jan 8, 2024, 1:34:51 AM

Yesterday it was.

> Maybe the reason you can't post to it, is it's half-up
> or not-up-at-all.

It is prohibited, with or without encryption.

m@ryz:~$ telnet news.neodome.net 119
Trying 95.216.243.224...
Connected to news.neodome.net.
Escape character is '^]'.
200 news.neodome.net InterNetNews NNRP server INN 2.6.3 ready (posting
ok)

POST
340 Ok, recommended message-ID <ung4tm$25ia$1...@neodome.net>
Newsgroups: de.test
Subject: test
From: <m...@example.org>

test
.
441 You are not allowed to post to de.test

> Fire up Wireshark and see if the server is sending "RST"
> packets indicating a "buzz off please" state. You would
> be checking, on whatever machine of yours is doing the
> stunnel (making the direct connection to Neodome).

I can confirm that it works on 119 with and without STARTTLS and on 563
using TLS.
It simply denies posting, but that is not related to TLS.

> Unless Wireshark has a Dissector for SSL/TLS, there's not much to see.
> In this case though, we're just checking for RST, to see if the
> node is in trouble, or has run out of some resource and has
> functionally croaked.

Wireshark shows the TLS negotiation. To show inside of it, you need to
do a mitm attack or run your own TLS proxy.

Ronald
Jan 8, 2024, 1:37:56 AM

On Sun, 7 Jan 2024 20:51:16 +0100, Marco Moock wrote:

>> But Neodome uses a self-signed certificate.
>> So it's never supposed to expire, right?
>
> That is not related to self-signed.

Thanks. It's crazy that I was able to post for years with nothing changing
on my side, but then a few weeks ago I got the certificate expiry error.

But when I debugged as suggested, the certificate expired three years ago.
That sounds crazy. Even to me. And I've been posting to Neodome for years.

>> I don't know what the output is SUPPOSED to be for a self-signed
>> certificate. I don't even know what a self-signed certificate even
>> means.
>
> It means that the certificate isn't signed by an authority upper in the
> hierarchy.
> The default for most software is to reject those certificates because
> they can't be checked against the authorized CAs.

It seems there's still a way to post to Neodome without needing login
credentials (which they no longer give out to anyone I'm told) if you use
something called an "anonymous remailer" but I don't know what that is.

I found info for another free news server which may work for neodome.
http://news.mixmin.net/banana/m2n.html

Since I have valid posting credentials, do you think any anonymous remailer
like that documented one will accept my login/password to news.neodome.net?

>> Can you help me make better sense of the output and how to fix it?
>
> It is a fault at their side.
> The cert is invalid for 3 years - they don't seem to care. Contact them
> by email and tell them about that, so they can fix it.
> ad...@neodome.net

I have to admit it sounds crazy but I've been posting using that same
sTunnel setup for Neodome for a long time but it only stopped recently.

; 40-tude Dialog newsreader setup on Windows
Dialog Host: 127.0.0.1 [You can use "localhost" if you like]
Dialog Port: 60563 [You can choose any unused port you like]
Dialog SSL: unchecked
Dialog Username: your_uname
Dialog Password: your_passwd
Dialog Allwd. conn.: 2
Dialog Use pipelining (unchecked)

; Windows sTunnel setup (for old clients with old TLS or SSL)
[Neodome]
client = yes
accept = 127.0.0.1:60563 [Use the same internal port as in Dialog]
connect = news.neodome.net:563
; Use these next 5 lines to check the certificate for validity
verify = 0
verifyChain = yes
CAfile = ca-certs.pem
checkHost = news.neodome.net
OCSPaia = yes

It makes no sense to me that the certificate has been expired for 3 years
and yet I was posting using that exact setup above until a few weeks ago.

Ronald
Jan 8, 2024, 1:47:01 AM

On Mon, 8 Jan 2024 07:30:30 +0100, Marco Moock wrote:

>> ; sTunnel.conf setup
>> [Neodome]
>> client = yes
>> accept = 127.0.0.1:123456
>> connect = news.neodome.net:563
>> verify = 0
>
> Does that maybe disable cert checking at all?
>
>> verifyChain = yes
>> CAfile = ca-certs.pem
>> checkHost = news.neodome.net
>> OCSPaia = yes

I do NOT know what you're asking but I do very much respect your help.
Can you clarify for me what you're asking?

Please bear in mind I don't even know what a certificate is.
I didn't come up with that sTunnel.conf on my own.
It was given to me many years ago when I signed up for Neodome.
And it had been working for a long time until just a few weeks ago.

I only set up my newsreader (40tude Dialog) to use sTunnel because the
circa-2005 newsreader is no longer supported by the developer so the
encryption it uses is outdated and yet, it's my opinion it's the best
newsreader on Windows, bar none (because of its scripting abilities).

Marco Moock
Jan 8, 2024, 3:00:40 AM

Am 08.01.2024 um 01:46:56 Uhr schrieb Ronald:

> On Mon, 8 Jan 2024 07:30:30 +0100, Marco Moock wrote:
>
> >> ; sTunnel.conf setup
> >> [Neodome]
> >> client = yes
> >> accept = 127.0.0.1:123456
> >> connect = news.neodome.net:563
> >> verify = 0
> >
> > Does that maybe disable cert checking at all?
> >
> >> verifyChain = yes
> >> CAfile = ca-certs.pem
> >> checkHost = news.neodome.net
> >> OCSPaia = yes
>
> I do NOT know what you're asking but I do very much respect your help.
> Can you clarify for me what you're asking?

I have no experience with stunnel.
Certificates are normally signed by a certificate authority like
Verisign, Comodo etc.
The certificate a server provides can be checked against those root
certificates from the CAs to verify it comes from them.
The check can also talk to their server to verify the certificate
hasn't been revoked.

> Please bear in mind I don't even know what a certificate is.

https://www.techtarget.com/searchsecurity/definition/X509-certificate

> I didn't come up with that sTunnel.conf on my own.

Why do you need it?
A newsreader can directly contact the newsserver.
A current newsreader (yours is very old) can also talk current TLS 1.3
with current ciphers.

> It was given to me many years ago when I signed up for Neodome.
> And it had been working for a long time until just a few weeks ago.
>
> I only set up my newsreader (40tude Dialog) to use sTunnel because the
> circa-2005 newsreader is no longer supported by the developer so the
> encryption it uses is outdated and yet, it's my opinion it's the best
> newsreader on Windows, bar none (because of its scripting abilities).

Have you tried Claws mail?
It also supports wide-ranging filter/processing rulesets.

Marco Moock
Jan 8, 2024, 3:05:08 AM

Am 08.01.2024 um 01:37:48 Uhr schrieb Ronald:

> On Sun, 7 Jan 2024 20:51:16 +0100, Marco Moock wrote:
>
> >> But Neodome uses a self-signed certificate.
> >> So it's never supposed to expire, right?
> >
> > That is not related to self-signed.
>
> Thanks. It's crazy that I was able to post for years with nothing
> changing on my side, but then a few weeks ago I got the certificate
> expiry error.
>
> But when I debugged as suggested, the certificate expired three years
> ago. That sounds crazy. Even to me. And I've been posting to Neodome
> for years.

That is crazy, but maybe someone installed that cert (maybe an
automatic mechanism like Ansible).

> >> I don't know what the output is SUPPOSED to be for a self-signed
> >> certificate. I don't even know what a self-signed certificate even
> >> means.
> >
> > It means that the certificate isn't signed by an authority upper in
> > the hierarchy.
> > The default for most software is to reject those certificates
> > because they can't be checked against the authorized CAs.
>
> It seems there's still a way to post to Neodome without needing login
> credentials (which they no longer give out to anyone I'm told) if you
> use something called an "anonymous remailer" but I don't know what
> that is.

https://en.wikipedia.org/wiki/Anonymous_remailer

> I found info for another free news server which may work for neodome.
> http://news.mixmin.net/banana/m2n.html

I have tried it; the message didn't reach misc.test.

> Since I have valid posting credentials, do you think any anonymous
> remailer like that documented one will accept my login/password to
> news.neodome.net?

No.
But why do you stick with neodome?
They currently intentionally disable posting without login.

If you have credentials, you can use them, and if not, use one of the
free news servers that offer free registration and that work.

solani.org
eternal-september.org
i2pn2.org

> It makes no sense to me that the certificate has been expired for 3
> years and yet I was posting using that exact setup above until a few
> weeks ago.

Having a working connection (the certificate and the check is relevant
here) and being able to post are 2 completely different steps.

Is reading possible?
Then your connection works fine and the certificate is NOT the actual
problem.

Are you not allowed to post?
Then it is related to the settings of neodome.

Ivan Fjellstad
Jan 8, 2024, 4:11:14 AM

On 07 Jan 2024, Ronald <ron...@nospam.me> posted some
news:undqeu$tpek$1...@paganini.bofh.team:
Sure!

This is how you fix a 40tude socket error.

https://www.youtube.com/watch?v=g2r9I2-LMNo

Cngu: cntnavav.obsu.grnz!abg-sbe-znvy
Sebz: ebppb cbegryyv <ebppbc...@abfcnz.vg>
Arjftebhcf: arjf.fbsgjner.aagc,nyg.serr.arjffreiref,arjf.fbsgjner.ernqref
Fhowrpg: Cbfgvat negvpyr snvyrq. Fbpxrg reebe # 0
Qngr: Jrq, 29 Abi 2023 06:55:38 -0500
Betnavmngvba: Gb cebgrpg naq gb freire
Zrffntr-VQ: <hx78ed$3te0u$1...@cntnavav.obsu.grnz>
Zvzr-Irefvba: 1.0
Pbagrag-Glcr: grkg/cynva; punefrg="hf-nfpvv"
Pbagrag-Genafsre-Rapbqvat: 8ovg
Vawrpgvba-Qngr: Jrq, 29 Abi 2023 11:55:38 -0000 (HGP)
Vawrpgvba-Vasb: cntnavav.obsu.grnz; ybttvat-qngn="3697681"; cbfgvat-
ubfg="sx6t7YXZ0j/uEc9nXqutND.hfre.cntnavav.obsu.grnz"; znvy-pbzcynvagf-
gb="hfr...@obsu.grnz"; cbfgvat-nppbhag="9qVDYKOZ7JZ9XmN+lwqE4N";
Hfre-Ntrag: 40ghqr_Qvnybt/2.0.15.41 (Orgn 38)
Pnapry-Ybpx: fun256:o/fhPb/K4CSqrRz4O4oB6mT6aDUsSdL4nmTy9nc9SZD=
K-Abgvpr: Svygrerq ol cbfgsvygre i. 0.9.3
Kers: cntnavav.obsu.grnz arjf.fbsgjner.aagc:3309 nyg.serr.arjffreiref:6105
arjf.fbsgjner.ernqref:274990

Orsber V obgure gur nqzva bs n pbzzba serr arjf freire (jub V cebzvfrq vs
ur tnir zr n cbfgvat nppbhag, V jbhyqa'g or nal gebhoyr) V jbhyq yvxr gb
svther bhg vs gur ceboyrz vf uvf rapelcgrq arjf freire be vs vg'f va zvar.

Vg hfrq gb jbex ohg fgbccrq jbexvat nobhg n jrrx ntb jvgu guvf "fbpxrg
reebe" bs "Cbfgvat negvpyr snvyrq. Fbpxrg reebe # 0".

V hfr 40GhqrQvnybt jvgu fghaary ba Jvaqbjf ohg V qba'g xabj jung n
"fbpxrg"
vf abe vs vg'f rira eryngrq gb fghaary be gb gur arjf freire.

Fghaary unf orra ehaavat sbe lrnef jvgu bgure arjf freiref naq sbe zbaguf
jvgu guvf arjf freire (juvpu V pna'g fnl jung vg vf nf vg'f abg xabja gb
or
ninvynoyr sbe cbfgvat hayrff lbh nfx gur arjf freire nqzva gb nyybj vg).

Ubj qb V qroht ba zl bja?
Jung ner gur glcvpny qroht fgrcf sbe grfgvat na rapelcgrq pbaarpgvba?

Guvaxvat fbzrguvat zvtug unir hfrq gur cbeg, V punatrq gur cbeg va obgu
40Ghqr Qvnybt naq va gur fghaary.pbas svyr, ohg gung neovgenel cbeg punatr
znqr ab qvssrerapr (127.0.0.1:12345 => 127.0.0.1:54321) va gur reebe.

[arjffreire]
pyvrag = lrf
npprcg = 127.0.0.1:54321
pbaarpg = arjf.arjffreire.arg:563
irevsl = 0
irevslPunva = lrf
PNsvyr = pn-pregf.crz
purpxUbfg = arjf.arjffreire.arg
BPFCnvn = lrf

Ubj qb V qroht guvf reebe gb frr ng yrnfg vs gur ceboyrz vf zr be uvz?

Jung'f n "cbfgvat negvpyr snvyrq fbpxrg reebe # 0" va 40ghqr qvnybt
naljnl?

lms
Jan 8, 2024, 4:15:04 AM

On 07 Jan 2024, Ronald <ron...@nospam.me> posted some
news:unfp57$15kco$1...@paganini.bofh.team:
Maybe your user credentials got cancelled / revoked. Reach out to neodome
and ask: ad...@neodome.net.

> What suddenly happened a few weeks ago was a "socket error" in 40Tude
> Dialog, which I didn't debug fully until yesterday as an expired cert.

What OS are you using and specifically what is the exact 40Tude socket
error you are receiving?

> I know what I just said makes no sense.

Makes sense. 40Tude is known to have socket errors for various sometimes
illogical and unexplainable reasons.

> How could I have been posting all along with the same setup which all
> of a sudden errors out - but when I debug - the certificate expired
> years ago?

Certificate has nothing to do with it. There are equipment management
environments running 12-year-old+ expired certs out there.

https://www.stunnel.org/TODO.html
stunnel TODO
Updated defaults planned for stunnel 6.xx
More secure defaults planned for the next major version.

OCSPaia = yes

Current download version:
stunnel-5.71-win64-installer.exe 4078592 19th September 2023

OCSPaia = yes | no
validate certificates with their AIA OCSP responders

This option enables stunnel to validate certificates with the list of OCSP
responder URLs retrieved from their AIA (Authority Information Access)
extension.

verifyChain = yes | no
verify the peer certificate chain starting from the root CA

For server certificate verification it is essential to also require a
specific certificate with checkHost or checkIP.

The self-signed root CA certificate needs to be stored either in the file
specified with CAfile, or in the directory specified with CApath.

default: no

checkHost = HOST
verify the host of the end-entity (leaf) peer certificate subject

Certificates are accepted if no subject checks were specified, or the host
name of the end-entity (leaf) peer certificate matches any of the hosts
specified with checkHost.

Multiple checkHost options are allowed in a single service section.

This option requires OpenSSL 1.0.2 or later.

CAfile = CA_FILE
load trusted CA certificates from a file

The loaded CA certificates will be used with the verifyChain and
verifyPeer options.

verify = LEVEL
verify the peer certificate

This option is obsolete and should be replaced with the verifyChain and
verifyPeer options.

level 0
Request and ignore the peer certificate chain.

level 1
Verify the peer certificate chain if present.

level 2
Verify the peer certificate chain.

level 3
Verify the peer certificate chain and the end-entity (leaf) peer
certificate against a locally installed certificate.

level 4
Ignore the peer certificate chain and only verify the end-entity (leaf)
peer certificate against a locally installed certificate.

default
No verify.

START HERE

Do yourself a favor, comment out the lines as shown, restart stunnel and
test your connection again.

; Windows sTunnel setup (for old clients with old TLS or SSL)
[Neodome]
client = yes
accept = 127.0.0.1:60563 [Use the same internal port as in Dialog]
connect = news.neodome.net:563
; Use these next 5 lines to check the certificate for validity
;verify = 0
;verifyChain = yes
;CAfile = ca-certs.pem
;checkHost = news.neodome.net
;OCSPaia = yes


Testing what I see.

OpenSSL-Win64>bin\openssl s_client -connect news.neodome.net:563

CONNECTED(0000023C)
---
Certificate chain
0 s:/O=Neodome/CN=neodome.net/emailAddress=ad...@neodome.net
i:/O=Neodome/CN=neodome.net/emailAddress=ad...@neodome.net
---
Server certificate
subject=/O=Neodome/CN=neodome.net/emailAddress=ad...@neodome.net
issuer=/O=Neodome/CN=neodome.net/emailAddress=ad...@neodome.net
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1534 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
8CBD215E5DD10739672C0189CAB9007777FA8EF013CAD6CC5280D82D113DAEE0
Session-ID-ctx:
Master-Key:
47B070587E3826A9C73838A37FFA4EA1035B9D1555EA0FB75CAE022CBEF3CEE866255601AC
5783213AE35B5A19D8E8F8
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 1704700781
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---

Carlos E.R.
Jan 8, 2024, 4:33:55 AM

On 2024-01-08 04:11, Ronald wrote:
> On Mon, 8 Jan 2024 02:58:21 +0100, Carlos E.R. wrote:
>
>>> I don't know what the output is SUPPOSED to be for a self-signed certificate.
>>> I don't even know what a self-signed certificate even means.
>>
>> That it is not signed by a certificate authority, and thus will not be
>> accepted automatically by your client software.
>
> The strange thing is the self-signed certificate apparently expired 3 years
> ago yet I've been posting to 563 using the same setup for years on end.

That's not strange at all.

At some point in the past you told your side of the software to ignore
the expiration date, and you forgot. It was three years ago, after all.

> ;40tude Dialog newsreader setup
> Dialog Host: 127.0.0.1
> Dialog Port: 123456
> Dialog SSL: unchecked
> Dialog Username: mylogin
> Dialog Password: mypasswd
> Dialog Allwd. conn.: 2
> Dialog Use pipelining (unchecked)
>
> ; sTunnel.conf setup
> [Neodome]
> client = yes
> accept = 127.0.0.1:123456
> connect = news.neodome.net:563
> verify = 0
> verifyChain = yes
> CAfile = ca-certs.pem
> checkHost = news.neodome.net
> OCSPaia = yes
>
> How could that be that this setup worked until only about three weeks ago?

Because it is a different problem. It is not that the certificate is
suddenly invalid, but that some other thing changed.

>
> What suddenly happened a few weeks ago was a "socket error" in 40Tude
> Dialog, which I didn't debug fully until yesterday as an expired cert.
>
> I know what I just said makes no sense.
>
> How could I have been posting all along with the same setup which all of a
> sudden errors out - but when I debug - the certificate expired years ago?

You simply noticed the expiration error and got fixated on it.

/IF/ you told your software to ignore the expiration date AND it being a
self-signed certificate, there is another problem you have not looked into.

For instance, someone, at your end or their end, could have updated the
software, and the new software does not ignore the validity.

They might even have done a backup restore operation and restored an old
certificate.


--
Cheers, Carlos.

Carlos E.R.
Jan 8, 2024, 4:33:55 AM

On 2024-01-08 07:37, Ronald wrote:
> On Sun, 7 Jan 2024 20:51:16 +0100, Marco Moock wrote:
>
>>> But Neodome uses a self-signed certificate.
>>> So it's never supposed to expire, right?

...

>>> Can you help me make better sense of the output and how to fix it?
>>
>> It is a fault at their side.
>> The cert is invalid for 3 years - they don't seem to care. Contact them
>> by email and tell them about that, so they can fix it.
>> ad...@neodome.net
>
> I have to admit it sounds crazy but I've been posting using that same
> sTunnel setup for Neodome for a long time but it only stopped recently.

Why are you using a tunnel? :-?

--
Cheers, Carlos.

Marco Moock
Jan 8, 2024, 4:43:18 AM

Am 08.01.2024 um 10:32:44 Uhr schrieb Carlos E.R.:

> Why are you using a tunnel? :-?

Because his ancient newsreader doesn't support current encryption
technology.

Ronald
Jan 8, 2024, 5:14:08 AM

On Mon, 8 Jan 2024 09:00:38 +0100, Marco Moock wrote:

>> I didn't come up with that sTunnel.conf on my own.
>
> Why do you need it?
> A newsreader can directly contact the newsserver.

Yes. I can use Dialog without sTunnel.
But it's old encryption with Dialog.
It's new encryption with sTunnel.

That's not a problem.

> A current newsreader (yours is very old) can also talk current TLS 1.3
> with current ciphers.

Everyone who uses 40Tude Dialog uses sTunnel which isn't a problem at all.
https://www.newsgroupreviews.com/40tude-dialog.html

On the newsserver newsgroup it has been discussed for very many years that
40Tude Dialog uses deprecated circa-2005 encryption, so while it might work,
it's not as good as using sTunnel, which uses the latest encryption.

The simple answer is that there is no other option for Dialog than sTunnel.

>> It was given to me many years ago when I signed up for Neodome.
>> And it had been working for a long time until just a few weeks ago.
>>
>> I only set up my newsreader (40tude Dialog) to use sTunnel because the
>> circa-2005 newsreader is no longer supported by the developer so the
>> encryption it uses is outdated and yet, it's my opinion it's the best
>> newsreader on Windows, bar none (because of its scripting abilities).
>
> Have you tried Claws mail?
> It also support wide-range filter/processing rulesets.

I appreciate the kind and thoughtful advice to try again the Claws MUA,
which I dropped when Google implemented their OAuth/2FA a while ago.

We don't need to re-hash that a jack of all trades is master of none,
where I started with nn and tin and used Claws for email until I went to
Thunderbird/Betterbird which itself royally sucks at being both a
newsreader and a MUA - so let's just leave it at I'm sticking with sTunnel
and Dialog as it works fine and has worked fine for decades sans support.

Even almost two decades after it was written, Dialog is still the best.
https://wilk13.net/en/40tude-dialog.php

I have so many 40Tude Dialog scripts which were collected over the years
https://groups.google.com/g/news.software.readers/c/BY32vtci8Uk

I must be using a dozen of them, many with comments in German, as they do
lots of very neat things. Bernd Rose is the acknowledged expert in Dialog.

Ronald
Jan 8, 2024, 5:46:56 AM

On Mon, 8 Jan 2024 10:33:37 +0100, Carlos E.R. wrote:

> You simply noticed the expiration error and got fixated on it.
>
> /IF/ you told your software to ignore the expiration rate AND it being a
> selfsigned certificate, there is another problem you have not looked into.
>
> For instance, someone, at your end or their end, could have updated the
> software, and the new software does not ignore the validity.
>
> They might even have done a backup restore operation and restored an old
> certificate.

Thank you for being firm that something /else/ changed.
Not the certificate.

You gave me an idea of where to look, which is probably what happened.
I think I did change the stunnel.conf file as I noticed in my backups:
[Neodome]
client = yes
accept = 127.0.0.1:62563
connect = news.neodome.net:563
verify = 0
;verifyChain = yes
;CAfile = ca-certs.pem
;checkHost = news.neodome.net
;OCSPaia = yes

I went back to the original email about the setup, and lo and behold the
ONLY thing the admin told me to use was the "verify = 0" line (which he
said was because it was a self-signed certificate).

He never gave me the rest of those lines.
I must have boilerplated them, and commented them out at that time.

This probably explains what happened.

The certificate probably was expired all along.
I probably had the correct commented out entries for a long time.
At some point, I uncommented those entries (not understanding them).
That's almost certainly when the error occurred without me noticing.
Since then, it has failed.

Just now I set the file back to what it was in that backup.
That "verify = 0" (without the others) worked to post to Neodome!

Of course, sTunnel gives the warning:
Service [Neodome] needs authentication to prevent MITM attacks

But it's working again.
Thank you for reminding me of what happened a few weeks ago.

This one can be chalked up to user error.
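lms's manual excerpt on the `verify` levels and Ronald's before/after stunnel.conf above show the failing and the working combination. As an added example, not code from stunnel or from anyone in the thread, this Python linter parses a service section and flags those combinations (and the "needs authentication to prevent MITM attacks" state the working config ends up in); the file name neodome-server.pem in the pinned variant is assumed, and an expired certificate would still fail OpenSSL's validity check there.

```python
"""Lint the certificate-verification options of an stunnel client section.

Added example for this thread, not code from stunnel or from the thread: it
parses a service section like the posted [Neodome] one and flags the option
combinations the thread ran into, using the semantics of the manual excerpt
quoted above. File names in the samples are made up.
"""

# Constructed: the section that stopped working (verification lines active).
FAILING_CONF = """\
[Neodome]
client = yes
accept = 127.0.0.1:60563
connect = news.neodome.net:563
verify = 0
verifyChain = yes
CAfile = ca-certs.pem
checkHost = news.neodome.net
OCSPaia = yes
"""

# Constructed: the backup that posted again (only the legacy verify = 0 left).
WORKING_CONF = """\
[Neodome]
client = yes
accept = 127.0.0.1:62563
connect = news.neodome.net:563
verify = 0
;verifyChain = yes
;CAfile = ca-certs.pem
;checkHost = news.neodome.net
;OCSPaia = yes
"""

# Constructed: pin the server's own certificate (assumed file neodome-server.pem)
# instead of ignoring it. This lints clean; an expired certificate still fails.
PINNED_CONF = """\
[Neodome]
client = yes
accept = 127.0.0.1:60563
connect = news.neodome.net:563
verifyPeer = yes
CAfile = neodome-server.pem
checkHost = news.neodome.net
"""


def parse_stunnel_conf(text):
    """Return {section: [(key, value), ...]}; duplicate keys such as checkHost are kept."""
    sections, current = {"global": []}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or stunnel comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].append((key.lower(), value))
    return sections


def _values(opts, key):
    return [v for k, v in opts if k == key.lower()]


def _yes(opts, key):
    return any(v.lower() == "yes" for v in _values(opts, key))


def lint_service(name, opts):
    """Return [(severity, message), ...] for one service section."""
    findings = []
    legacy = _values(opts, "verify")
    level = int(legacy[-1]) if legacy and legacy[-1].isdigit() else None
    chain = _yes(opts, "verifyChain") or level in (2, 3)  # chain checked against CAs
    peer = _yes(opts, "verifyPeer") or level in (3, 4)    # leaf checked against a local copy
    has_ca = bool(_values(opts, "CAfile") or _values(opts, "CApath"))
    has_host = bool(_values(opts, "checkHost") or _values(opts, "checkIP"))
    if level is not None:
        findings.append(("info", f"[{name}] 'verify = {level}' is obsolete; use verifyChain/verifyPeer"))
        if level == 0 and _yes(opts, "verifyChain"):
            findings.append(("error", f"[{name}] 'verify = 0' ignores the chain but 'verifyChain = yes' "
                             "checks it, so a self-signed or expired server cert fails the handshake"))
    if (chain or peer) and not has_ca:
        findings.append(("error", f"[{name}] verification enabled but no CAfile/CApath to verify against"))
    if chain and not has_host:
        findings.append(("warning", f"[{name}] verifyChain without checkHost/checkIP accepts any cert the CA issued"))
    if not chain and not peer:
        findings.append(("warning", f"[{name}] no peer authentication: expired or self-signed certs are "
                         "accepted silently; stunnel logs that the service needs authentication to prevent MITM"))
    return findings


def lint(text):
    """Lint every service section of an stunnel.conf text."""
    conf = parse_stunnel_conf(text)
    return [f for name, opts in conf.items() if name != "global" for f in lint_service(name, opts)]


if __name__ == "__main__":
    for label, conf in (("failing", FAILING_CONF), ("working", WORKING_CONF), ("pinned", PINNED_CONF)):
        print(label, *[f"  {sev}: {msg}" for sev, msg in lint(conf)], sep="\n")
```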

Joerg Walther
Jan 8, 2024, 5:49:07 AM

Ronald wrote:

>> A newsreader can directly contact the newsserver.
>
>Yes. I can use Dialog without sTunnel.
>But it's old encryption with Dialog.

I do not really understand why you need encryption since you are posting
to publicly readable newsgroups anyway. If you were doing binaries
instead...

-jw-

--

And now for something completely different...

Ronald
Jan 8, 2024, 5:55:30 AM
On Mon, 08 Jan 2024 11:49:03 +0100, Joerg Walther wrote:

> I do not really understand why you need encryption since you are posting
> to publicly readable newsgroups anyway. If you were doing binaries
> instead...

I agree with you.

I don't need encryption for my own sense of security but the Neodome server
will not allow any posting without encryption. The server is what needs it.

Not me.

Ronald
Jan 8, 2024, 6:03:14 AM
On Mon, 8 Jan 2024 10:43:15 +0100, Marco Moock wrote:

>> Why are you using a tunnel? :-?
>
> Because his ancient newsreader doesn't support current encryption
> technology.

It's solved now.

You and others helped me figure out the problem because you convinced me it
wasn't the certificate that changed so I went back to my backup conf files.

In those backups I had all the sTunnel certification lines commented out!
The only certificate-related line not commented out was "verify = 0".

I again commented out those other lines, and now sTunnel works to post.

Of course sTunnel complains that MITM attacks can happen but I'm not
worried about that (as I only use encryption because Neodome requires it).

Even the original email from the Neodome admin only mentions that one line,
saying it's needed because it's a self-signed certificate.

What must have happened is at some point I uncommented those lines.
Silly me. The problem turns out to have been self inflicted.

What I learned in this thread is that there are two separate tasks.
One is CHECKING the certificate.
The other is ENCRYPTING the packets.

By setting "verify = 0" I'm telling sTunnel to NOT check the certificate.
So it doesn't matter that it has been expired for over three years.

It's still doing the encryption.
And yes, I'm subject to MITM attacks (which doesn't bother me).

Thank you for helping me figure out what the problem was.
It was all my fault.

Thank you and others for helping me track down the cause & solution.

Marco Moock
Jan 8, 2024, 6:09:11 AM
Am 08.01.2024 um 06:03:11 Uhr schrieb Ronald:

> Of course sTunnel complains that MITM attacks can happen but I'm not
> worried about that (as I only use encryption because Neodome requires
> it).

You can use 119 without STARTTLS.

> Even the original email from the Neodome admin only mentions that one
> line, saying it's needed because it's a self-signed certificate.
>
> What must have happened is at some point I uncommented those lines.
> Silly me. The problem turns out to have been self inflicted.
>
> What I learned in this thread is that there are two separate tasks.
> One is CHECKING the certificate.
> The other is ENCRYPTING the packets.

And reading/posting is another task.
If one of those works, the connection is established.

> By setting "verify = 0" I'm telling sTunnel to NOT check the
> certificate. So it doesn't matter that it has been expired for over
> three years.

That will ignore that it is expired.
But that won't fix the problem that you aren't allowed to post.

Marco Moock
Jan 8, 2024, 6:11:51 AM
Am 08.01.2024 um 05:55:27 Uhr schrieb Ronald:

> I don't need encryption for my own sense of security but the Neodome
> server will not allow any posting without encryption. The server is
> what needs it.

I am not allowed to post with encryption via 563 (unauthenticated).

Ronald
Jan 8, 2024, 6:40:52 AM
On Mon, 8 Jan 2024 12:09:09 +0100, Marco Moock wrote:

>> Of course sTunnel complains that MITM attacks can happen but I'm not
>> worried about that (as I only use encryption because Neodome requires
>> it).
>
> You can use 119 without STARTTLS.

I don't know what that "without STARTTLS" means, but I already tried 119
with and without the 40Tude Dialog "SSL" button checked & posting failed.

You can _read_ from Neodome servers using this basic newsreader setup.
Dialog Host: news.neodome.net
Dialog Port: 119
Dialog SSL: unchecked
Dialog Username: leave blank
Dialog Password: leave blank
Dialog Allwd. conn.: 2
Dialog Use pipelining (unchecked)

You can post to Neodome using the old deprecated Dialog encryption.
Dialog Host: news.neodome.net
Dialog Port: 563
Dialog SSL: checked
Dialog Username: your_uname
Dialog Password: your_passwd
Dialog Allwd. conn.: 2
Dialog Use pipelining (unchecked)

You _should_ post to Neodome (with an account) using sTunnel encryption
Dialog Host: 127.0.0.1 [You can use "localhost" if you like]
Dialog Port: 60563 [You can choose any unused port you like]
Dialog SSL: unchecked
Dialog Username: your_uname
Dialog Password: your_passwd
Dialog Allwd. conn.: 2
Dialog Use pipelining (unchecked)

[Neodome]
; This skips the check of the expired self-signed certificate
client = yes
accept = 127.0.0.1:60563
connect = news.neodome.net:563
verify = 0
; verifyChain = yes
; CAfile = ca-certs.pem
; checkHost = news.neodome.net
; OCSPaia = yes

This also works to post to Neodome with an account using sTunnel encryption
Dialog Host: 127.0.0.1 [You can use "localhost" if you like]
Dialog Port: 60563 [You can choose any unused port you like]
Dialog SSL: unchecked
Dialog Username: your_uname
Dialog Password: your_passwd
Dialog Allwd. conn.: 2
Dialog Use pipelining (unchecked)

; sTunnel will use the latest encryption standards (Dialog will not)
[Neodome]
; This skips encryption for when the certificate has expired
client = yes
accept = localhost:65555
connect = news.neodome.net:563

If all else fails, apparently you can post using anonymous remailers.
But I don't know how to do that.

>> Even the original email from the Neodome admin only mentions that one
>> line, saying it's needed because it's a self-signed certificate.
>>
>> What must have happened is at some point I uncommented those lines.
>> Silly me. The problem turns out to have been self inflicted.
>>
>> What I learned in this thread is that there are two separate tasks.
>> One is CHECKING the certificate.
>> The other is ENCRYPTING the packets.
>
> And reading/posting is another task.
> If one of those works, the connection is established.

Yes. Reading doesn't need login credentials, but posting does.
Posting needs encryption but it does not need certificate checking.
In fact, checking the certificate turned out to be the problem all along.
The certificate doesn't want to be checked. :->

>
>> By setting "verify = 0" I'm telling sTunnel to NOT check the
>> certificate. So it doesn't matter that it has been expired for over
>> three years.
>
> That will ignore that it is expired.
> But that won't fix the problem that you aren't allowed to post.

I never said I wasn't allowed to post.
The only problem was the socket error.

Turns out that simply meant that the post failed.
But it only failed because the certificate checking failed.

Once I told sTunnel to not check the certificate, posting worked again.
This is the correct setup for sTunnel with Neodome for posting.

;40tude Dialog newsreader setup
Dialog Host: 127.0.0.1 [localhost also works]
Dialog Port: 62563 [use any available unused port]
Dialog SSL: unchecked
Dialog Username: mylogin [login is assigned by Neodome admin]
Dialog Password: mypasswd [passwd is assigned by Neodome admin]
Dialog Allwd. conn.: 2
Dialog Use pipelining (unchecked)

; sTunnel.conf setup
[Neodome]
client = yes
accept = 127.0.0.1:62563 [use whatever was assigned in Dialog]
connect = news.neodome.net:563
verify = 0 [this is required to /skip/ the certificate checks]
;verifyChain = yes
;CAfile = ca-certs.pem
;checkHost = news.neodome.net
;OCSPaia = yes

That works for posting!
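
Added example (not code from this thread, from stunnel or from Dialog): a small Python script using the standard ssl module that separates the two tasks discussed above, encrypting the connection (what `verify = 0` gives you) and checking who you are talking to, and adds the middle ground a cautious user would want, pinning the server's self-signed certificate by its SHA-256 fingerprint so an expired certificate can still be accepted while a substituted one is rejected. The function names, the `MODES` table and the placeholder fingerprint are my own; the host and port are the ones from the thread.

```python
import hashlib
import socket
import ssl

# Three ways a TLS client can treat the server certificate.
#  encrypt_only : mirrors stunnel "verify = 0"; the channel is encrypted but
#                 nobody checks who is on the other end (MITM not detected)
#  pinned       : CA and expiry checks stay off, but the presented certificate
#                 must match a SHA-256 fingerprint recorded earlier, so an
#                 expired self-signed certificate still works and a swapped one fails
#  full         : normal CA-based verification plus hostname check, which an
#                 expired self-signed certificate fails (the thread's symptom)
MODES = ("encrypt_only", "pinned", "full")


def make_context(mode):
    """Build an SSLContext for one of the MODES."""
    if mode not in MODES:
        raise ValueError("unknown mode: %s" % mode)
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    if mode in ("encrypt_only", "pinned"):
        # check_hostname must be switched off before verify_mode can be CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fingerprint(der_cert):
    """Lower-case hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert, expected):
    """Accept 'aa:bb:...' or 'AABB...' forms, as printed by openssl or a browser."""
    return fingerprint(der_cert) == expected.replace(":", "").lower()


def parse_nntp_greeting(line):
    """Return (status_code, posting_allowed) from the NNTP greeting line.

    RFC 3977: 200 = service available, posting allowed;
              201 = service available, posting prohibited.
    """
    code = int(line.split(None, 1)[0])
    return code, code == 200


def connect_nntp(host, port, mode, expected_fp=None, timeout=10):
    """Open an NNTP-over-TLS session (port 563 style, no STARTTLS) and return
    the parsed greeting.

    Raises ssl.SSLError when "full" verification fails (e.g. expired
    certificate) and ValueError when the pinned fingerprint does not match.
    """
    ctx = make_context(mode)
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # hostname also sets SNI
    try:
        if mode == "pinned":
            # binary_form=True returns the DER certificate even with CERT_NONE
            der = tls.getpeercert(binary_form=True)
            if der is None or not fingerprint_matches(der, expected_fp or ""):
                raise ValueError("server certificate does not match pinned fingerprint")
        greeting = tls.recv(4096).decode("utf-8", "replace").splitlines()[0]
        tls.sendall(b"QUIT\r\n")
        return parse_nntp_greeting(greeting)
    finally:
        tls.close()


def server_fingerprint(host, port, timeout=10):
    """Fetch the server certificate once (no verification) and return its
    fingerprint, to be recorded out-of-band and pinned on later connections."""
    ctx = make_context("encrypt_only")
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return fingerprint(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    HOST, PORT = "news.neodome.net", 563
    # First run: learn the fingerprint over a connection you have reason to trust.
    fp = server_fingerprint(HOST, PORT)
    print("pin this:", fp)
    # Later runs: the expired self-signed certificate is accepted only if it
    # is exactly the one recorded above; a "full" connect would fail on expiry.
    print(connect_nntp(HOST, PORT, "pinned", expected_fp=fp))
```

Keep the recorded fingerprint next to the stunnel.conf comments so a changed certificate shows up as a pin mismatch rather than as a silent "verify = 0" connection.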

Ronald
Jan 8, 2024, 6:48:44 AM
On Mon, 8 Jan 2024 12:11:49 +0100, Marco Moock wrote:

>> I don't need encryption for my own sense of security but the Neodome
>> server will not allow any posting without encryption. The server is
>> what needs it.
>
> I am not allowed to post with encryption via 563 (unauthenticated).

I don't think the Neodome admin is giving out credentials anymore, so
(AFAIK) nobody will be allowed to post unless they've been grandfathered.

There are "some" postable newsgroups I'm told by Vanguard though.
Everything below is a paste from a Vanguard post on the newsreader group.

Their web site disappeared (www.neodome.net). Last time
it was found per web.archive.org was Jun 18, 2021:

http://web.archive.org/web/20210618113621/http://neodome.net/

I can still do "telnet news.neodome.net 119" to get a connect.

Their archived web page says:
- 3 of their servers are read only for non-neodome.* newsgroups, and
require login (user=test, pass=test) to post only to their neodome.*
newsgroups.
- 2 of those look to be for onion/Tor connects.
- The 4th server (top of their list) doesn't mention any restriction on
reading or posting for any newsgroup, and no mention of login.

Their web site disappeared a couple years ago, so I have no idea if
their conditions on use have changed since then, but no way to check
since they don't have a web site anymore. Maybe they put announcements
in their own neodome.* newsgroups.

However, from their archived web page, looks like one of their servers
(the most used one since the others look for Onion/Tor access) requires
no login for read/write access.

news.neodome.net:
119 - read/write
119 (STARTTLS) - read/write
563 (SSL) - read/write

For the /other/ servers, a login was specified:

test login: test
test password: test

When I added Neodome to Dialog and tested access (read), I needed no
login credentials to read. I wasn't interested in using Neodome, so I
didn't try submitting an article (write).

I actually have a filter to ignore-flag any posts originating at Neodome
(and also ignore any subthreads to an ignore-flagged article), and use a
default view of Hide Ignored. I don't keep messages very long in the
client (purged after 60 days). A search on "neodome" in headers didn't
find any still left in my Dialog. Not sure anyone still uses Neodome.
Not what they peer, but what gets submitted to them as the injection
node.

Marco Moock
Jan 8, 2024, 6:50:10 AM
Am 08.01.2024 um 06:40:45 Uhr schrieb Ronald:

> On Mon, 8 Jan 2024 12:09:09 +0100, Marco Moock wrote:
>
> >> Of course sTunnel complains that MITM attacks can happen but I'm
> >> not worried about that (as I only use encryption because Neodome
> >> requires it).
> >
> > You can use 119 without STARTTLS.
>
> I don't know what that "without STARTTLS" means,

It is a mechanism to run TLS inside of NNTP (and other protocols).

> but I already tried 119 with and without the 40Tude Dialog "SSL" button checked & posting
> failed.

Does reading work?
If so, the connection is fine.

Posting is DENIED without authentication, regardless of the encryption
mechanism.

Please try posting WITH authentication directly without stunnel in a
current newsreader like Thunderbird.

Ronald
Jan 8, 2024, 7:28:21 AM
On Mon, 8 Jan 2024 12:50:08 +0100, Marco Moock wrote:

> Please try posting WITH authentication directly without stunnel in a
> current newsreader like Thunderbird.

I'm pretty sure that will work, but Thunderbird is just about the worst
newsreader that can be written - it thinks news is email last I used it.

I had used Claws for email but Google email just didn't like it when they
removed the password authorization in favor of OAuth2 & then forced 2FV.

I did use Pan as my newsreader for a time before stumbling upon Dialog.
Dialog was love at first sight (but it only works on Windows).

The problem had nothing to do with dialog other than dialog gave
an error which simply said it failed but nothing more than that really.

It was stunnel which erred out on the bad certificate.
It didn't occur to me to just turn off the certificate checks.

Duh!

I never knew they were optional.
It's only when I went to a backup that I realized what probably occurred.

And I didn't go to the backup until you and others convinced me the
certificate has been expired for three years, so it couldn't have been it.

The problem turned out to be likely that I had accidentally unchecked the
lines to tell sTunnel to check the certificate (which all other news
servers which require encryption needed). It was a mistake. I didn't catch
it.

The socket error of 0 apparently just means it failed.
The check for the server certificate expiry is true, but if you don't check
the certificate, it doesn't matter that the self-signed certificate expired.

Is it the best way to run a news server?
I don't know. Probably not.

But it is what it is.

Marco Moock
Jan 8, 2024, 8:39:37 AM
Am 08.01.2024 um 07:28:17 Uhr schrieb Ronald:

> On Mon, 8 Jan 2024 12:50:08 +0100, Marco Moock wrote:
>
> > Please try posting WITH authentication directly without stunnel in a
> > current newsreader like Thunderbird.
>
> I'm pretty sure that will work, but Thunderbird is just about the
> worst newsreader that can be written - it thinks news is email last I
> used it.

I agree that TB has some disadvantages, but ancient software creates
other problems.
You can also choose a news server that allows authentication without
encryption.

> I had used Claws for email but Google email just didn't like it when
> they removed the password authorization in favor of OAuth2 & then
> forced 2FV.

IIRC Google still supports PW auth with an App password.
CM also support OAuth in the current version.

> The problem had nothing to do with dialog other than dialog gave
> an error which simply said it failed but nothing more than that
> really.

Doesn't it give more details?

Claws provides the full network log with the NNTP messages.

> Is it the best way to run a news server?
> I don't know. Probably not.

No, but other servers exist. Simply use them.

D
Jan 8, 2024, 10:14:06 AM
On Mon, 8 Jan 2024 07:28:17 -0500, Ronald <ron...@nospam.me> wrote:
>On Mon, 8 Jan 2024 12:50:08 +0100, Marco Moock wrote:
>> Please try posting WITH authentication directly without stunnel in a
>> current newsreader like Thunderbird.
>
>I'm pretty sure that will work, but Thunderbird is just about the worst
>newsreader that can be written - it thinks news is email last I used it.
>I had used Claws for email but Google email just didn't like it when they
>removed the password authorization in favor of OAuth2 & then forced 2FV.
>I did use Pan as my newsreader for a time before stumbling upon Dialog.
>Dialog was love at first sight (but it only works on Windows).

some say that 40tude dialog can also work in linux with some tweaking;
for windows, i'm still using version 2.0.15.1 (build 1 beta 38);
for posting, i've always used the old free agent (version 1.93/32.576)
because of its simplicity; "tbird" seems deliberately too complicated;
current omnimix (2.7.2) and current tor browser (13.0.8) are essential
for everyday newsgroup interactions and also for browsing the internet
(using other web browsers only when necessary); also the "neodome.net"
will open on occasion (albeit slowly) in tor browser with meek bridge;
learning how to use remailers isn't that hard to do, but remailers do
have limitations so they're not for everyone; it's a jungle out there

Ronald
Jan 8, 2024, 10:29:35 AM
On Mon, 8 Jan 2024 14:39:32 +0100, Marco Moock wrote:

>> I'm pretty sure that will work, but Thunderbird is just about the
>> worst newsreader that can be written - it thinks news is email last I
>> used it.
>
> I agree that TB has some disadvantages, but ancient software creates
> other problems.

I agree that TB works for many people but it tries to be both email and
newsreader and that doesn't work for me but I'm sure it works for others.

> You can also choose a news server that allows authentication without
> encryption.

I agree that there are other news servers to choose from.
I was merely trying to debug the one that I had an account already for.
It's all fixed now. User error combined with a strange nntp server setup.

>
>> I had used Claws for email but Google email just didn't like it when
>> they removed the password authorization in favor of OAuth2 & then
>> forced 2FV.
>
> IIRC Google still supports PW auth with an App password.
> CM also support OAuth in the current version.

IIRC, the app password requires 2FA (but it has been a while for me).

It's good that Claws supports OAuth as all the MUAs had to scramble to
repair the damage Google caused by being unfriendly to competition.

For about a month or two all the good MUAs failed to work (not TB, but
others) until they were able to catch up and implement the OAuth after
Google changed their rules on the auditing needs (which cost > $15K).

Paying for an audit is easy for Mozilla but not so easy for others.

Most people caved in and set up 2FA but I just didn't do mail for a month
until the developers had it all sorted out with Google changing rules.

I went through that hell when Google started this mess and I do NOT want to
go through it again now that I got OAuth2 to work with Google Mail.

>> The problem had nothing to do with dialog other than dialog gave
>> an error which simply said it failed but nothing more than that
>> really.
>
> Doesn't it give more details?

I set Dialog to a full level-0 log (which is everything), and it still
didn't say anything other than the connection failed (socket 0).

0 25674390: Creating worker thread: Sending message to news.software.readers neodome Username ok1
0 25674390: FDATA: Opening 1
0 25674390: FDATA: Reading itemcount 3
0 25674390: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2572
3 25674390: Sending message to news.software.readers (Started) [$0000250C]
1 25674390: NNTP slot used by this thread: neodome Username ok1 [$0000250C]
3 25674390: Connecting to NNTP 127.0.0.1:55555 [$0000250C]
1 25675500: Reindexing (Order: 3, no filtering) of group 1 with 2574 articles took 16 ms
0 25675500: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2572
0 25675500: FDATA: Regular update PAK - ChangeCount: 0
0 25675500: FDATA: adding GroupKey: 1 ArticleKey: 2573
0 25675500: FDATA: Regular update PAK - ChangeCount: 1
0 25675515: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675515: FontFB: No non-ASCII characters found; Using default font
0 25675515: FontFB: Using font "Arial" which is missing 0 glyphs.
0 25675515: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675515: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675531: FontFB: No non-ASCII characters found; Using default font
0 25675531: FontFB: Using font "Arial" which is missing 0 glyphs.
0 25675531: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675531: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675531: FontFB: No non-ASCII characters found; Using default font
0 25675531: FontFB: Using font "Arial" which is missing 0 glyphs.
0 25675546: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675484: !Quit (Finished) [$0000250C]
5 25675484: Socket Error # 0; (neodome Username ok) (Finished) [$0000250C]
0 25675484: KillNNTP entered for: neodome Username ok1 (Finished) [$0000250C]
0 25675484: KillNNTP left for: neodome Username ok1 (Finished) [$0000250C]
0 25675484: KillNNTP entered for: neodome Username ok1 (Finished) [$0000250C]
0 25675484: KillNNTP left for: neodome Username ok1 (Finished) [$0000250C]
5 25675484: Posting article failed: Socket Error # 0; (neodome Username ok) (Finished) [$0000250C]
1 25675500: Sending message to news.software.readers (Finished) (Finished) [$0000250C]
0 25676328: TFlushBodiesThread started with ThreadID: $16A0
1 25678328: Flushing body db
0 25678328: FDATA: Updating PAK, number of subfiles: 29
0 25678328: FDATA: Writing itemcount 3
0 25678328: FDATA: Closing 1
1 25679687: Main window close query
1 25679750: Main window destroy called - Goodbye
0 25679765: FDATA: destroying; Changecount: 0
1 25679765: Flushing group and server list

> Claws provides the full network log with the NNTP messages.

To get a clean log out of Stunnel, I killed and restarted it.
This shows it's ready to take connections.
2024.01.07 02:18:11 LOG5[main]: stunnel 5.69 on x64-pc-mingw32-gnu platform
2024.01.07 02:18:11 LOG5[main]: Compiled/running with OpenSSL 3.0.8 7 Feb 2023
2024.01.07 02:18:11 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2024.01.07 02:18:11 LOG5[main]: Reading configuration from file C:\Program Files\stunnel\config\stunnel.conf
2024.01.07 02:18:11 LOG5[main]: UTF-8 byte order mark detected
2024.01.07 02:18:11 LOG5[main]: FIPS mode disabled
2024.01.07 02:18:32 LOG5[main]: Configuration successful

This is what happens when I post to another server (not neodome).
2024.01.07 02:34:17 LOG5[0]: Service [eternal] accepted connection from 127.0.0.1:55554
2024.01.07 02:34:20 LOG5[0]: s_connect: connected 135.181.20.170:563
2024.01.07 02:34:20 LOG5[0]: Service [eternal] connected remote server from 10.212.1.145:60382
2024.01.07 02:34:24 LOG5[0]: OCSP: Connecting the AIA responder "http://r3.o.lencr.org"
2024.01.07 02:34:27 LOG5[0]: s_connect: connected 23.2.16.105:80
2024.01.07 02:34:30 LOG5[0]: OCSP: Certificate accepted
2024.01.07 02:34:30 LOG5[0]: Certificate accepted at depth=0: CN=news.eternal-september.org
2024.01.07 02:34:44 LOG3[0]: SSL_read: ssl/record/rec_layer_s3.c:321: error:0A000126:SSL routines::unexpected eof while reading
2024.01.07 02:34:44 LOG5[0]: Connection reset: 358 byte(s) sent to TLS, 388 byte(s) sent to socket

This is what happens when I post to the neodome server.
2024.01.07 02:18:55 LOG5[0]: Service [neodome] accepted connection from 127.0.0.1:55555
2024.01.07 02:19:00 LOG5[0]: s_connect: connected 95.216.243.224:563
2024.01.07 02:19:00 LOG5[0]: Service [neodome] connected remote server from 10.212.1.145:60371
2024.01.07 02:19:01 LOG4[0]: CERT: Pre-verification error: self-signed certificate
2024.01.07 02:19:01 LOG4[0]: Rejected by CERT at depth=0: O=Neodome, CN=neodome.net, emailAddress=ad...@neodome.net
2024.01.07 02:19:01 LOG3[0]: SSL_connect: ssl/statem/statem_clnt.c:1889: error:0A000086:SSL routines::certificate verify failed
2024.01.07 02:19:01 LOG5[0]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

This is the Dialog log file when I post using eternal september with Stunnel.
0 43532453: Creating worker thread: Sending message to alt.test username
0 43532453: FDATA: Opening 1
0 43532468: FDATA: Reading itemcount 6
0 43532468: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2579
3 43532453: Sending message to alt.test (Started) [$00002754]
1 43532453: NNTP slot used by this thread: username [$00002754]
3 43532468: Connecting to NNTP 127.0.0.1:55556 [$00002754]
0 43548968: 200 news.eternal-september.org InterNetNews NNRP server INN 2.8.0 (20231205 snapshot) ready (posting ok) [$00002754]
0 43548968: !MODE READER [$00002754]
0 43550859: 200 news.eternal-september.org InterNetNews NNRP server INN 2.8.0 (20231205 snapshot) ready (posting ok) [$00002754]
3 43550859: Connected to NNTP 127.0.0.1:55556 [$00002754]
3 43550859: Logging in to NNTP 127.0.0.1:55556 [$00002754]
0 43550859: !AUTHINFO USER ****** [$00002754]
0 43552218: 381 Enter password [$00002754]
0 43552218: !AUTHINFO PASS ********* [$00002754]
0 43554687: 281 Authentication succeeded [$00002754]
3 43554687: Posting message to NNTP server [$00002754]
0 43554687: !POST [$00002754]

This is the Dialog log file when I post using neodome with Stunnel.
0 25674390: Creating worker thread: Sending message to news.software.readers neodome Username ok1
0 25674390: FDATA: Opening 1
0 25674390: FDATA: Reading itemcount 3
0 25674390: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2572
3 25674390: Sending message to news.software.readers (Started) [$0000250C]
1 25674390: NNTP slot used by this thread: neodome Username ok1 [$0000250C]
3 25674390: Connecting to NNTP 127.0.0.1:55555 [$0000250C]
1 25675500: Reindexing (Order: 3, no filtering) of group 1 with 2574 articles took 16 ms
0 25675500: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2572
0 25675500: FDATA: Regular update PAK - ChangeCount: 0
0 25675500: FDATA: adding GroupKey: 1 ArticleKey: 2573
0 25675500: FDATA: Regular update PAK - ChangeCount: 1
0 25675515: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675515: FontFB: No non-ASCII characters found; Using default font
0 25675515: FontFB: Using font "Arial" which is missing 0 glyphs.
0 25675515: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675515: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675531: FontFB: No non-ASCII characters found; Using default font
0 25675531: FontFB: Using font "Arial" which is missing 0 glyphs.
0 25675531: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675531: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675531: FontFB: No non-ASCII characters found; Using default font
0 25675531: FontFB: Using font "Arial" which is missing 0 glyphs.
0 25675546: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675484: !Quit (Finished) [$0000250C]
5 25675484: Socket Error # 0; (neodome Username ok) (Finished) [$0000250C]
0 25675484: KillNNTP entered for: neodome Username ok1 (Finished) [$0000250C]
0 25675484: KillNNTP left for: neodome Username ok1 (Finished) [$0000250C]
0 25675484: KillNNTP entered for: neodome Username ok1 (Finished) [$0000250C]
0 25675484: KillNNTP left for: neodome Username ok1 (Finished) [$0000250C]
5 25675484: Posting article failed: Socket Error # 0; (neodome Username ok) (Finished) [$0000250C]
1 25675500: Sending message to news.software.readers (Finished) (Finished) [$0000250C]
0 25676328: TFlushBodiesThread started with ThreadID: $16A0
1 25678328: Flushing body db
0 25678328: FDATA: Updating PAK, number of subfiles: 29
0 25678328: FDATA: Writing itemcount 3
0 25678328: FDATA: Closing 1
1 25679687: Main window close query
1 25679750: Main window destroy called - Goodbye
0 25679765: FDATA: destroying; Changecount: 0
1 25679765: Flushing group and server list

The two errors (one in Dialog's log and the other in Stunnel's log) are:

Dialog error:
5 25675484: Socket Error # 0; (neodome Username ok) (Finished) [$0000250C]
0 25675484: KillNNTP entered for: neodome Username ok1 (Finished) [$0000250C]

Stunnel error:
2024.01.07 02:19:01 LOG4[0]: CERT: Pre-verification error: self-signed certificate
2024.01.07 02:19:01 LOG4[0]: Rejected by CERT at depth=0: O=Neodome, CN=neodome.net, emailAddress=ad...@neodome.net
2024.01.07 02:19:01 LOG3[0]: SSL_connect: ssl/statem/statem_clnt.c:1889: error:0A000086:SSL routines::certificate verify failed

Anyway, the problem wasn't really any of that, in reality.
The problem was the server doesn't want its certificate checked.

>> Is it the best way to run a news server?
>> I don't know. Probably not.
>
> No, but other servers exist. Simply use them.

I agree with your advice but you have to take into account that the
Neodome account was working fine for me, until it wasn't.

So there's really nothing wrong with it even though it's using a
faulty certificate. I just had to learn how to deal with it.

It's kind of like a car that you like and you're comfortable with,
but which has a balky clutch until it heats up a bit in use.

Thanks for all your help and encouragement.

Adam H. Kerman
Jan 8, 2024, 12:12:16 PM
bonk

Thunderbird has myriad issues that remain unaddressed for years at a
time. The words "current" and "Thunderbird" do not belong in the same
sentence. Mozilla hasn't quite abandoned Thunderbird but they aren't
devoting the necessary resources to it to just make sure issues are
addressed, even without adding features.

No one has any idea what triggers occasional base64 encoding in
Thunderbird, which is quite aggravating. It doesn't always post
unencoded plain text to Usenet. The automatic encoding is undesirable.

Ancient newsreaders require some of us to figure out how to comply with
standards that have been updated since the newsreader last had features
added to it, but at least that's possible to do.

I hope he figures out how to address the issue.

Carlos E.R.
Jan 8, 2024, 2:09:54 PM
On 2024-01-08 13:28, Ronald wrote:
> On Mon, 8 Jan 2024 12:50:08 +0100, Marco Moock wrote:
>
>> Please try posting WITH authentication directly without stunnel in a
>> current newsreader like Thunderbird.
>
> I'm pretty sure that will work, but Thunderbird is just about the worst
> newsreader that can be written - it thinks news is email last I used it.

It is the best newsreader that can be found, for many thousands of people
out there — but hey, that's only opinions. You use whatever you like :-)

The thing is, with TB you would be able to test the setup and proper
configuration for reading and posting, without having to use the stunnel
hack.

Once you found the configuration, you only had to translate for your
software.
> I had used Claws for email but Google email just didn't like it when they
> removed the password authorization in favor of OAuth2 & then forced 2FV.
>
> I did use Pan as my newsreader for a time before stumbling upon Dialog.
> Dialog was love at first sight (but it only works on Windows).
>
> The problem had nothing to do with dialog other than dialog gave
> an error which simply said it failed but nothing more than that really.
>
> It was stunnel which erred out on the bad certificate.
> It didn't occur to me to just turn off the certificate checks.
>
> Duh!
>
> I never knew they were optional.
> It's only when I went to a backup that I realized what probably occurred.
>
> And I didn't go to the backup until you and others convinced me the
> certificate has been expired for three years, so it couldn't have been it.

Now remember to write your notes inside that configuration file, as
comments, so that you don't fall in this trap again.
>
> The problem turned out to be likely that I had accidentally unchecked the
> lines to tell sTunnel to check the certificate (which all other news
> servers which require encryption needed). It was a mistake. I didn't catch
> it.

Other software, having both the news protocols and certificate
protocols, would (probably) have given more meaningful error messages.

As you had two tools in a chain, you had to check both tools for error
messages. And more difficult to interpret.
> The socket error of 0 apparently just means it failed.
> The check for the server certificate expiry is true, but if you don't check
> the certificate, it doesn't matter that the self-signed certificate expired.
>
> Is it the best way to run a news server?
> I don't know. Probably not.

You are not running a news server.

>
> But it is what it is.

--
Cheers, Carlos.

Carlos E.R.
Jan 8, 2024, 2:26:55 PM
On 2024-01-08 16:29, Ronald wrote:
> On Mon, 8 Jan 2024 14:39:32 +0100, Marco Moock wrote:

...

>>> The problem had nothing to do with dialog other than dialog gave
>>> an error which simply said it failed but nothing more than that
>>> really.
>>
>> Doesn't it give more details?
>
> I set Dialog to a full level-0 log (which is everything), and it still
> didn't say anything other than the connection failed (socket 0).

Because the failure is outside of Dialog.

...
stunnel is correctly identifying the problem.

...

> The two errors (one in Dialog's log and the other in Stunnel's log) are:
>
> Dialog error:
> 5 25675484: Socket Error # 0; (neodome Username ok) (Finished) [$0000250C]
> 0 25675484: KillNNTP entered for: neodome Username ok1 (Finished) [$0000250C]
>
> Stunnel error:
> 2024.01.07 02:19:01 LOG4[0]: CERT: Pre-verification error: self-signed certificate
> 2024.01.07 02:19:01 LOG4[0]: Rejected by CERT at depth=0: O=Neodome, CN=neodome.net, emailAddress=ad...@neodome.net
> 2024.01.07 02:19:01 LOG3[0]: SSL_connect: ssl/statem/statem_clnt.c:1889: error:0A000086:SSL routines::certificate verify failed


Yes.


>
> Anyway, the problem wasn't really any of that, in reality.
> The problem was the server doesn't want its certificate checked.

NO!

The server people are doing things easy and cheap, for them, and causing
problems for people. What they do is "wrong": A private certificate, and
not renewed.

This is done between private individuals, but is not fine when going public.

Configuring your side to not verify the certificate and to ignore that it
has expired is a hack. It is also a security risk (mild in this case).
You decide to play along or choose a different server.





>
>>> Is it the best way to run a news server?
>>> I don't know. Probably not.
>>
>> No, but other servers exist. Simply use them.
>
> I agree with your advice but you have to take into account that the
> Neodome account was working fine for me, until it wasn't.
>
> So there's really nothing wrong with it even though it's using a
> faulty certificate. I just had to learn how to deal with it.
>
> It's kind of like a car that you like and you're comfortable with,
> but which has a balky clutch until it heats up a bit in use.
>
> Thanks for all your help and encouragement.

--
Cheers, Carlos.

Pertti

Jan 8, 2024, 2:28:39 PM
On 08 Jan 2024, Marco Moock <mm+s...@dorfdsl.de> posted some
news:ungabi$5hkb$3...@solani.org:

> Am 08.01.2024 um 01:37:48 Uhr schrieb Ronald:
>
>> On Sun, 7 Jan 2024 20:51:16 +0100, Marco Moock wrote:
>>
>> >> But Neodome uses a self-signed certificate.
>> >> So it's never supposed to expire, right?
>> >
>> > That is not related to self-signed.
>>
>> Thanks. It's crazy that I was able to post for years with nothing
>> changing on my side, but then a few weeks ago I got the certificate
>> expiry error.
>>
>> But when I debugged as suggested, the certificate expired three years
>> ago. That sounds crazy. Even to me. And I've been posting to Neodome
>> for years.
>
> That is crazy, but maybe someone installed that cert (maybe an
> automatic mechanism like Ansible).

Good thing you work for government because you wouldn't last long in the
private sector.

Pertti

Jan 8, 2024, 2:28:41 PM
On 08 Jan 2024, Ivan Fjellstad <ifjel...@gmail.com> posted some
news:unge7d$16lla$1...@paganini.bofh.team:
That is funny and would solve his problem!

> Path: paganini.bofh.team!not-for-mail
> From: rocco portelli <roccop...@nospam.it>
> Newsgroups: news.software.nntp,alt.free.newsservers,news.software.readers
> Subject: Posting article failed. Socket error # 0
> Date: Wed, 29 Nov 2023 06:55:38 -0500
> Organization: To protect and to server
> Message-ID: <uk78rq$3gr0h$1...@paganini.bofh.team>
> Mime-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: 8bit
> Injection-Date: Wed, 29 Nov 2023 11:55:38 -0000 (UTC)
> Injection-Info: paganini.bofh.team; logging-data="3697681"; posting-host="fk6g7LKM0w/hRp9aKdhgAQ.user.paganini.bofh.team"; mail-complaints-to="use...@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
> User-Agent: 40tude_Dialog/2.0.15.41 (Beta 38)
> Cancel-Lock: sha256:b/suCo/X4PFdeEm4B4bO6zG6nQHfFqY4azGl9ap9FMQ=
> X-Notice: Filtered by postfilter v. 0.9.3
> Xref: paganini.bofh.team news.software.nntp:3309 alt.free.newsservers:6105 news.software.readers:274990
>
> Before I bother the admin of a common free news server (who I promised
> if he gave me a posting account, I wouldn't be any trouble) I would
> like to figure out if the problem is his encrypted news server or if
> it's in mine.
>
> It used to work but stopped working about a week ago with this "socket
> error" of "Posting article failed. Socket error # 0".
>
> I use 40TudeDialog with stunnel on Windows but I don't know what a
> "socket" is nor if it's even related to stunnel or to the news server.
>
> Stunnel has been running for years with other news servers and for
> months with this news server (which I can't say what it is as it's not
> known to be available for posting unless you ask the news server admin
> to allow it).
>
> How do I debug on my own?
> What are the typical debug steps for testing an encrypted connection?
>
> Thinking something might have used the port, I changed the port in
> both 40Tude Dialog and in the stunnel.conf file, but that arbitrary
> port change made no difference (127.0.0.1:12345 => 127.0.0.1:54321) in
> the error.
>
> [newsserver]
> client = yes
> accept = 127.0.0.1:54321
> connect = news.newsserver.net:563
> verify = 0
> verifyChain = yes
> CAfile = ca-certs.pem
> checkHost = news.newsserver.net
> OCSPaia = yes
>
> How do I debug this error to see at least if the problem is me or him?
>
> What's a "posting article failed socket error # 0" in 40tude dialog
> anyway?

a.f.n regs have been had again by the same troll. Good one, Ivan.

Marco Moock

Jan 8, 2024, 3:15:50 PM
Am 08.01.2024 um 17:12:14 Uhr schrieb Adam H. Kerman:

> No one has any idea what triggers occasional base64 encoding in
> Thunderbird, which is quite aggravating. It doesn't always post
> unencoded plain text to Usenet. The automatic encoding is
> undesirable.
>
> Ancient newsreaders require some of us to figure out how to comply
> with standards that have been updated since the newsreader last had
> features added to it, but at least that's possible to do.

Is that encoding denied by the *current* RFCs?

I am aware that older clients don't support certain stuff, but I do
think the 20+yo clients are the reference here.

Adam H. Kerman

Jan 8, 2024, 3:50:50 PM
Marco Moock <mm+s...@dorfdsl.de> wrote:
>Am 08.01.2024 um 17:12:14 Uhr schrieb Adam H. Kerman:

>>No one has any idea what triggers occasional base64 encoding in
>>Thunderbird, which is quite aggravating. It doesn't always post
>>unencoded plain text to Usenet. The automatic encoding is
>>undesirable.

>>Ancient newsreaders require some of us to figure out how to comply
>>with standards that have been updated since the newsreader last had
>>features added to it, but at least that's possible to do.

>Is that encoding denied by the *current* RFCs?

As always, Marco, you aren't listening. It's unnecessary. It's
undesirable. It's not plain text. There is no benefit to Usenet. It
should not be done.

>I am aware that older clients don't support certain stuff, but I do
>think the 20+yo clients are the reference here.

My newsreader does not support certain stuff. It calls outside processes
for encoding and decoding and for any functions that are not
built in. The issue isn't with newsreaders that were written in the '80s
and '90s and never has been.

The problem is with newer newsreaders in which more processes are built
in that are no longer maintained and not compliant with standards, or
just do things that serve no purpose, or truly failed to implement
standards at the time they were written.

Ronald

Jan 8, 2024, 4:11:37 PM
On Mon, 8 Jan 2024 20:23:26 +0100, Carlos E.R. wrote:

>> I set Dialog to a full level-0 log (which is everything), and it still
>> didn't say anything other than the connection failed (socket 0).
>
> Because the failure is outside of Dialog.

You were right all along. A socket is apparently just a connection, so a
socket error just means a connection error. The error is outside of Dialog.

>> This is what happens when I post to the neodome server.
> stunnel is correctly identifying the problem.

The Dialog log said the host:port connection (which is a socket) failed.

What's good is I asked how to debug this problem and people said to look
inside the sTunnel log - and that's where the real error is found by gosh.

CERT: Pre-verification error: self-signed certificate
certificate verify failed

> The server people are doing things easy and cheap, for them, and causing
> problems for people. What they do is "wrong": A private certificate, and
> not renewed.

I'm learning more about this as I look up how to resolve this myself.
https://www.stunnel.org/howto.html
How does stunnel check certificates?
https://ftp.icm.edu.pl/packages/replay.old/ssl/stunnel/faq/certs.html
Problems with a self-signed certificate

> This is done between private individuals, but is not fine when going public.
>
> Configuring your side to not verifying the certificate and ignoring it
> has expired is a hack. It is also a security risk (mild in this case).
> You decide to play along or choose a different server.

It turns out that sTunnel has a capability to "Save Peer Certificate".
https://easynews.support.narkive.com/Voh2l6t6/stunnel-on-windows-7-64bit

This is what it says at that ten year old thread about saving the cert.

"After connecting to Easynews with verify off (or set to 1) use stunnel's
Save Peer Certificate option. This saves the certificate presented by the
server to your hard drive (in my case as peer-nntps.pem). You can then use
verify option, specifying the saved certificate file."

"The stunnel GUI console has an option "Save Peer Certificate" which saves
a copy of this certificate on your hard drive in PEM format. If you set
verify=3 and CAfile as the saved PEM file, stunnel will additionally check
that the certificate has not changed (it's the same as your local copy)
since the last time you connected. That's generally all you need.

However, if the server certificate changes legitimately (as many have
recently) verify=3 will reject the new one and you have to go through the
save process again.

As you know, I recently did this with Easynews and stunnel complained that
the new certificate had "self signed components". Jason, in support,
pointed me at this link -
https://certs.godaddy.com/anonymous/repository.pki - where GoDaddy's root
certs are available in various formats.

Sadly PEM is not one of them but, if you have OpenSSL installed, you can
convert from other formats to PEM. I downloaded the DER format file
(gd-class2-root.cer) and used this command to convert it to PEM format.

openssl x509 -in gd-class2-root.cer -inform der -outform pem -out certs.pem

I concatenated this onto my new peer-nntps.pem file (they are just
ASCII files), reloaded the stunnel configuration, and verify=1/2/3 were all
happy again.

I only use stunnel for my NNTP client so putting everything in one PEM file
is the easiest option for me. If you use stunnel for other protocols and
clients, look at the documentation for CApath which lets you keep a set of
certs in a directory."

But unfortunately, the certificate is expired. So that won't help me.

I found another way that might work with Neodome port 119 & STARTTLS with
sTunnel (as Dialog doesn't support STARTTLS either). I have to test it.
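The checks this thread runs by hand (is the certificate self-signed, when does it expire, and why verifying against a CA store fails while verifying against a saved peer copy succeeds), as an added offline example that is not from any post in the thread. It assumes a POSIX shell and the openssl command-line tool on PATH, and constructs its own throwaway certificate instead of contacting news.neodome.net.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is on PATH.
# A constructed self-signed certificate stands in for the server's.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in certificate: self-signed, valid for one day.
# The subject is a placeholder, not Neodome's real certificate.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example/CN=news.example.test" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    echo "$WORK/cert.pem"
}

# "Self-signed" only means issuer == subject. It says nothing about
# expiry; a self-signed certificate carries a notAfter like any other.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')" = \
      "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" ]
}

# The notAfter value, as printed by the command in the first post.
not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 if the certificate is still valid $2 seconds from now, else 1.
# -checkend 0 is the plain "has it already expired?" question.
valid_for_seconds() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# CA-based verification (what stunnel's verifyChain asks for). With no
# trusted CA at all, a self-signed cert fails with error 18, the same
# "self-signed certificate" pre-verification error from the stunnel log.
verify_against_cas() {
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

# Pinning (the "Save Peer Certificate" + CAfile/verifyPeer approach):
# the saved copy is its own trust anchor, so the same file passes.
# An expired certificate would still fail here with "certificate has
# expired", which is why pinning did not help in this thread.
verify_pinned() {
    openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint: the value to compare when a pinned cert changes.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}
```

Run the functions against a certificate saved from `openssl s_client -showcerts` (or stunnel's Save Peer Certificate) to get the same answers for a real server.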

Ronald

Jan 14, 2024, 9:21:17 AM
To post the solution, there were four solutions that worked
for posting using Neodome on a grandfathered account (reading
probably works without any of this sTunnel configuration).

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; stunnel.conf (tested on January 10th, 2024)
; <https://groups.google.com/g/news.software.readers/c/DTYKUX3VwLw>
; <https://groups.google.com/g/news.software.readers/c/sxkkJYuI728>
; Each solution below is a tested workaround thanks mostly to Bernd Rose
; Like it or not, Dialog obfuscates or omits some identity information
; Once you type it in, it's lost forever in an unencrypted visible format
; So you may want to save that identity information here in stunnel.conf
; Or you might want to save that identity information in keepassXC
; Neodome Identity: (archive your real email address here if you like)
; Dialog Identity: (archive your Dialog email address here if you like)
; Dialog Username = (archive your Dialog username here if you like)
; Dialog Password = (archive your Dialog password here if you like)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Apparently news.neodome.net does not require authentication to read
; However, news.neodome.net requires a login/password to post
; And news.neodome.net requires at least a 10-character password
; Unfortunately, the news.neodome.net certificate is self-signed
; And worse, the news.neodome.net certificate expired in 12/2020
; Even so, news.neodome.net REQUIRES encryption when posting
; With the result that news.neodome.net won't accept Dialog port 119
; Unfortunately, Dialog (circa 2005) uses old encryption standards
; And unfortunately news.neodome.net won't accept Dialog port 119 SSL
; However news.neodome.net will accept Dialog port 563 old encryption
; And news.neodome.net will accept stunnel port 119 STARTTLS encryption
; Also news.neodome.net will accept that the certificate simply exists
; That gave us four working workarounds to the encryption problem set
; 1. news.neodome.net accepts Dialog port 563 SSL encryption
; 2. news.neodome.net accepts sTunnel port 119 protocol=nntp encryption
; 3. news.neodome.net accepts sTunnel port 563 ignoring the certificate
; 4. news.neodome.net accepts sTunnel port 563 acknowledging the cert
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome0}
; The boiler-plate section below "should" work but won't work in 2024
; because Neodome has a self-signed certificate which is also expired
; [Neodome0]
; Dialog Host: 127.0.0.1
; Dialog Port: 65534 (pick an unused port between 49152 & 65535)
; Dialog SSL: unchecked
; Dialog Username: (required for posting to most text newsgroups)
; Dialog Password: (required for posting to most text newsgroups)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; client = yes
; accept = 127.0.0.1:65534
; connect = news.neodome.net:563
; verifyChain = yes
; CAfile = ca-certs.pem
; checkHost = news.neodome.net
; OCSPaia = yes
; Ports 1191, 1192, 1193, 5631, 5632, 5633 are usually available and
; could be read (as aide-memoire) as 119-1 ... 119-3 (for STARTTLS
; connections to an external port 119) or as 563-1 ... 563-3 for
; connections to an external standard NNTP encryption port 563.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome1 workaround}
; This method sets Dialog to use Dialog port 563 SSL encryption
; 40Tude Dialog will NOT use the latest encryption standards.
; sTunnel is not involved so the stunnel.conf should be empty
; Dialog Host: news.neodome.net
; Dialog Port: 563
; Dialog SSL: checked
; Dialog Username: (required for posting to most text newsgroups)
; Dialog Password: (required for posting to most text newsgroups)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; No stunnel.conf entries are used for this [Neodome1] workaround
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome2 workaround}
; This method sets Dialog to use sTunnel port 119 STARTTLS.
; It _only_ requires a password when the connection is established
; from a client that explicitly requests STARTTLS.
; It just so happens that sTunnel cannot be configured to connect
; without any encryption (except NULL encryption, which still /is/
; encryption). So, to connect to Neodome port 119 without (STARTTLS)
; encryption one needs to bypass sTunnel and connect directly.
; (In this case from Dialog.) Without encryption, posting isn't
; permitted on Neodome, though.
; Therefore, this would be a read-only setup.
; Like it or not, you'll see these sTunnel warnings with this entry
; LOG3: No trusted certificates found
; LOG4: Service [Neodome2] needs authentication to prevent MITM attacks
; Dialog Host: 127.0.0.1
; Dialog Port: 49152 (pick any unused port between 49152 & 65535)
; Dialog SSL: unchecked
; Dialog Username: (required for posting to most text newsgroups)
; Dialog Password: (required for posting to most text newsgroups)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; For self-signed certificates that have not expired, a good way to
; deal with them is to download them & they will be checked against
; the existing non-expired self-signed certificate (which has no chain)
; In Stunnel, if you've recently posted, you can do the following:
; Stunnel: Save Peer Certificate -> Peer-Neodome2.pem
; Up comes a box saying:
; Stunnel 5.69 on Win64
; Peer certificate change has been saved.
; Add the following lines to section [Neodome2]:
; CAfile = peer-Neodome2.pem
; verifyPeer = yes
; to enable cryptographic authentication.
; Then reload stunnel configuration file.
[Neodome2]
client = yes
accept = 127.0.0.1:49152
connect = news.neodome.net:119
protocol = nntp
; CAfile = peer-Neodome2.pem
; verifyPeer = yes
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome3 workaround}
; This method sets Dialog to use sTunnel port 563 encryption
; It's probably the best option because it uses current encryption
; sTunnel uses the certificate but sTunnel just doesn't verify the
; _eligibility_ of the certificate in the described setup.
; Dialog Host: 127.0.0.1
; Dialog Port: 49153 (pick any unused port between 49152 & 65535)
; Dialog SSL: unchecked
; Dialog Username: (required for posting to most text newsgroups)
; Dialog Password: (required for posting to most text newsgroups)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; Like it or not, you'll see these sTunnel warnings with this entry
; LOG3: No trusted certificates found
; LOG4: Service [Neodome3] needs authentication to prevent MITM attacks
[Neodome3]
client = yes
accept = 127.0.0.1:49153
connect = news.neodome.net:563
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome4 workaround}
; This is a very minor variation on the method #3 tested above
; which is included _only_ because the Neodome admin suggested it
; This method sets Dialog to use sTunnel port 563 encryption
; Where this method uses a deprecated sTunnel "verify = 0" setting
; The "verify = 0" was initially suggested by the Neodome admin
; The "verify = 0" requests a certificate but does not check it
; Dialog Host: 127.0.0.1
; Dialog Port: 49154 (pick any unused port between 49152 & 65535)
; Dialog SSL: unchecked
; Dialog Username: (required for posting to most text newsgroups)
; Dialog Password: (required for posting to most text newsgroups)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; Like it or not, you'll see these sTunnel warnings with this entry
; LOG3: No trusted certificates found
; LOG4: Service [Neodome4] needs authentication to prevent MITM attacks
[Neodome4]
client = yes
accept = 127.0.0.1:49154
connect = news.neodome.net:563
verify = 0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;