accessing TLS/SSL services, including snews://


Ivan Shmakov

Sep 18, 2012, 6:39:12 AM
>>>>> John F Morse <jo...@example.invalid> writes:

[Cross-posting to news:comp.security.misc and
news:comp.protocols.misc, just in case. Please omit the latter
when replying, unless the intent is to discuss the Telnet
protocol.]

[...]

> The OP simply asked "how to post from the command line" and I
> provided one solution: telnet.

May I remind you that the Telnet protocol has its own control
sequences, and may be unsuitable for, e. g., transferring
arbitrary binary data? Arguably, a Netcat tool, such as nc6(1),
or OpenBSD nc(1), would be a better fit.

(For that reason, the hosts under my control rarely provide the
telnet(1) client.)

> You provided another: openssl.

Let me provide the third: gnutls-cli(1). Consider, e. g. (line
wrapping by me), the following session.

$ gnutls-cli -p 563 news.panix.com
Resolving 'news.panix.com'...
Connecting to '166.84.1.69:563'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `C=US,ST=NY,L=New_York,
O=PANIX Public Access Networks Usenet News Servers,OU=news,
CN=news.panix.com,EMAIL=st...@panix.com',
issuer `C=US,ST=NY,L=New_York,
O=PANIX Public Access Networks Usenet News Servers,OU=news,
CN=PANIX Public Access Networks Usenet News Servers CA,
EMAIL=st...@panix.com',

[... Arguably, they should use a certificate signed by a
recognized trusted party, such as, e. g., https://cacert.org/.]

RSA key 2048 bits, signed using RSA-SHA,
activated `2012-01-20 19:20:16 UTC',
expires `2022-01-17 19:20:16 UTC',
SHA-1 fingerprint `e588294d02985ea671e2c2a7e84f23c524b755bc'
- The hostname in the certificate matches 'news.panix.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

200 reader1.panix.com InterNetNews NNRP server INN 2.3.3 ready (posting ok).
QUIT
205 .
- Peer has closed the GNUTLS connection
$

> I realize the Subject includes "snews" and telnet is not usable for
> SSL/TLS without a helper, like Stunnel.

I still don't get how using two TCP connections (Netcat or
Telnet to Stunnel, and Stunnel to TLS/SSL server) could be
better than using a single one (openssl or gnutls-cli to TLS/SSL
server).

[...]

--
FSF associate member #7257
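The single-connection approach above, as an added example in Python that is not part of Ivan's post or of gnutls-cli/openssl: it talks NNTP over one TLS socket to port 563, but, unlike the session shown, it rejects a certificate chain the system trust store does not recognise (the "NOT trusted" case) before any NNTP data is exchanged. The host name is a placeholder and the greeting lines used for testing are constructed to match the format in the thread.

```python
"""Added example: probe an NNTPS (snews, TCP 563) server over a single, verified
TLS connection. Host/port below are assumptions; the greeting line used for
offline testing is constructed from the format shown in the thread."""
import hashlib
import socket
import ssl

SNEWS_PORT = 563  # IANA "nntps"; same port as the gnutls-cli session in the thread


def parse_greeting(line: str) -> dict:
    """Interpret an NNTP greeting (RFC 3977): 200 = posting allowed, 201 = read-only.

    Any other code means the server is refusing service, so treat it as an error.
    """
    code, _, banner = line.strip().partition(" ")
    if len(code) != 3 or not code.isdigit():
        raise ValueError(f"not an NNTP greeting: {line!r}")
    status = int(code)
    if status not in (200, 201):
        raise ValueError(f"server refused connection: {line.strip()}")
    return {"code": status, "posting_allowed": status == 200, "banner": banner}


def snews_greeting(host: str, port: int = SNEWS_PORT, timeout: float = 10.0) -> dict:
    """Open one TLS connection, read the greeting, send QUIT, report what was seen.

    ssl.create_default_context() enables hostname checking and CERT_REQUIRED, so a
    chain the system trust store does not recognise (the "NOT trusted" outcome in
    the gnutls-cli session) raises ssl.SSLCertVerificationError during the
    handshake, instead of the session silently continuing.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            # SHA-1 over the DER certificate: the same digest gnutls-cli prints
            fingerprint = hashlib.sha1(der).hexdigest()
            version = tls.version()
            stream = tls.makefile("rwb")
            greeting = parse_greeting(stream.readline().decode("ascii", "replace"))
            stream.write(b"QUIT\r\n")
            stream.flush()
            farewell = stream.readline().decode("ascii", "replace").strip()
    greeting.update(tls_version=version, sha1_fingerprint=fingerprint, quit_reply=farewell)
    return greeting


if __name__ == "__main__":
    import sys
    # "news.example.org" is a placeholder; pass a real NNTPS host as argv[1]
    print(snews_greeting(sys.argv[1] if len(sys.argv) > 1 else "news.example.org"))
```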