
SSL on mixmin


Mike Easter

Sep 25, 2015, 4:51:45 PM
to mozilla-suppo...@lists.mozilla.org
My investigation so far indicates that:

- Tb can post SSL port 563 to news.individual.net
- Tb can NOT post SSL port 563 to news.mixmin.net
- OE can post SSL port 563 to news.mixmin.net (w/ cert)
- SeaMonkey can post SSL port 563 to news.mixmin.net (w/ cert)

Background:
- Tb default certs do not include CAcert
- SM default certs do not include CAcert
- OE default certs do not include CAcert
- mixmin.net CA is CAcert
- CAcert cert available at cacert.org
- OE, SM, & Tb can import the CAcert
- absent a CAcert, OE & SM cannot acquire grouplist from mixmin or post

One reader commented during a tiresome thread in alt.free.newsservers
that he thought that the problem was that Moz uses NSS instead of OpenSSL.

http://al.howardknight.net/msgid.cgi?ID=144321276200

From: Michael Baeuerle
Newsgroups: alt.free.newsservers
Subject: Re: mixmin SSL certificates for NewsTap
Date: 24 Sep 2015 13:56:45 -0000
Message-ID: <AABWA/7L3noAAAn9...@WStation3.stz-e.de>

> Likely it's the untrusted root certificate from CAcert. AFAIK
> Mozilla uses NSS instead of OpenSSL and therefore anything works
> different there.



--
Mike Easter

Mike Easter

Sep 25, 2015, 5:04:39 PM
to mozilla-suppo...@lists.mozilla.org
Mike Easter wrote:
> - Tb can NOT post SSL port 563 to news.mixmin.net

Said another way, with or without importing the CAcert from
news.mixmin.net, Tb cannot acquire the group list or post to mixmin over
port 563; but SM can and OE can.

--
Mike Easter

Ron K.

Sep 25, 2015, 5:25:51 PM
to mozilla-suppo...@lists.mozilla.org
IIRC, CAcert was involved in a fraudulent Cert scandal a few years back
and their root cert was deleted by Mozilla.
--
Ron K.
Who is General Failure, and why is he searching my HDD?
Kernel Restore reported Major Error used BSOD to msg the enemy!

Mike Easter

Sep 25, 2015, 5:47:17 PM
to mozilla-suppo...@lists.mozilla.org
Ron K. wrote:
> Mike Easter wrote on 9/25/2015 4:03 PM:
>> Mike Easter wrote:
>>> - Tb can NOT post SSL port 563 to news.mixmin.net
>>
>> Said another way, with or without importing the CAcert from
>> news.mixmin.net, Tb cannot acquire the group list or post to mixmin
>> over port 563; but SM can and OE can.
>
> IIRC, CAcert was involved in a fraudulent Cert scandal a few years
> back and their root cert was deleted by Mozilla.

Steve Crook is the admin of mixmin. He is aware of reports of some news
agents not being able to access without using stunnel and he is
interested in making appropriate changes. He is apparently of the
strong belief that nntp access should be secure rather than not, so
non-secure port such as 119 isn't available.

CAcert's history can be reviewed in the wp article:

https://en.wikipedia.org/wiki/CAcert.org

SC has indicated an interest in solving some of this by getting a
letsencrypt cert.

http://al.howardknight.net/msgid.cgi?ID=144321735800

From: Steve Crook
Newsgroups: alt.free.newsservers
Subject: Re: mixmin SSL certificates for NewsTap
Date: Fri, 25 Sep 2015 09:54:11 +0000 (UTC)
Message-ID: <slrnn0a6e3...@snorky.mixmin.net>

> Mixmin will almost certainly switch to using letsencrypt.org as soon
> as they go live. Hopefully very soon!


https://en.wikipedia.org/wiki/Let's_Encrypt

"On September 14, 2015, Let's Encrypt issued its first certificate,
which was for the domain helloworld.letsencrypt.org. On the same day,
ISRG submitted its root program applications to Mozilla, Microsoft,
Google and Apple.[25]"


A significant part of my issue is that I believe that Tb should be able
to access mixmin after importing its CAcert just like OE and SM can do.


--
Mike Easter

David E. Ross

Sep 25, 2015, 7:15:34 PM
to mozilla-suppo...@lists.mozilla.org
On 9/25/2015 2:25 PM, Ron K. wrote:
> Mike Easter wrote on 9/25/2015 4:03 PM:
>> Mike Easter wrote:
>>> - Tb can NOT post SSL port 563 to news.mixmin.net
>>
>> Said another way, with or without importing the CAcert from
>> news.mixmin.net, Tb cannot acquire the group list or post to mixmin over
>> port 563; but SM can and OE can.
>>
>
> IIRC, CAcert was involved in a fraudulent Cert scandal a few years back
> and their root cert was deleted by Mozilla.
>

Having known of CAcert for over 10 years, I do not believe its root was
ever in the NSS root certificate database. The request by CAcert to add
its root to the database was withdrawn when it appeared there would be a
substantial cost for having an audit. This cost would be a problem
since CAcert was a non-profit organization with very little money.

--
David E. Ross

The Crimea is Putin's Sudetenland.
The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.

Mike Easter

Sep 25, 2015, 7:25:55 PM
to mozilla-suppo...@lists.mozilla.org
David E. Ross wrote:
> Having known of CAcert for over 10 years, I do not believe its root was
> ever in the NSS root certificate database. The request by CAcert to add
> its root to the database was withdrawn when it appeared there would be a
> substantial cost for having an audit. This cost would be a problem
> since CAcert was a non-profit organization with very little money.

Separate from whether or not CAcert was or wasn't in the default Tb (or
Ffx) database, the user has the ability to import a cert.

http://www.cacert.org/index.php?id=3 Root Certificate (PEM Format)

(Save root.crt to disk, aim Tb Import cert at it)

Similar strategies exist for OE and SM.

Without importing the cert, none of them can access mixmin port 563 SSL
for groups list or posting a message.

After importing the cert, OE and SM can access the groups list and post
to mixmin port 563 SSL, but Tb cannot.

--
Mike Easter

Ron K.

Sep 25, 2015, 9:29:26 PM
to mozilla-suppo...@lists.mozilla.org
Seems odd that SM is odd man out of the Mozilla family since they all use
the Gecko code suite for desktop systems.

Mike Easter

Sep 25, 2015, 9:50:50 PM
to mozilla-suppo...@lists.mozilla.org
Ron K. wrote:
> Mike Easter:

>> After importing the cert, OE and SM can access the groups list and
>> post to mixmin port 563 SSL, but Tb cannot.
>>
> Seems odd that SM is odd man out of the Mozilla family since they all
> use the Gecko code suite for desktop systems.

I think of gecko as a rendering engine, whereas this inability to
transact correctly between client and server based on using SSL
certificate handling would be unrelated to the rendering function.

And/But I was also interested to see SM different from Tb in this
regard. The report I had heard was that 'some clients' could not handle
mixmin's SSL without using stunnel.

I was trying to figure out which ones of the ones I had handy. I could
get mixmin to engage using openssl.

news.mixmin.net is a server which doesn't require authentication, but
does require port 563 SSL.


--
Mike Easter

Mike Easter

Sep 25, 2015, 10:04:16 PM
to mozilla-suppo...@lists.mozilla.org
Mike Easter wrote:
> I could get mixmin to engage using openssl.

.... such as

openssl s_client -connect news.mixmin.net:563


--
Mike Easter
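What the s_client test above exercises, and what the whole thread turns on, is the contents of the client's trust store. The following is an added example (not code from any poster, and not how Thunderbird or NSS is implemented): it stands up a loopback "port 563" listener whose certificate chains to a self-signed root generated on the spot, a stand-in for the CAcert root, then connects twice, once with a trust store that lacks that root, as a stock Tb/SM/OE install lacks CAcert, and once after the root has been added, which is what importing root.crt does. The host name news.example.test and the NNTP banner are constructed values, and Go's crypto/tls does the verification rather than NSS or OpenSSL, so this shows the trust-store effect, not the Tb-specific failure Mike reports.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Constructed stand-ins for news.mixmin.net and its banner (assumptions, not the real values).
const serverName = "news.example.test"
const greeting = "200 news.example.test NNTP service ready (posting ok)\r\n"

// Key/cert generation and the loopback listen are setup; a failure there is fatal.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mintCert issues a certificate from tmpl, signed by parent with parentKey;
// parent == tmpl and parentKey == nil gives a self-signed root (our "CAcert").
func mintCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// startServer is a minimal "port 563": TLS first, then the NNTP banner. The
// write drives the handshake; a client that rejects the chain aborts it with
// an alert and the write simply fails.
func startServer(cert *x509.Certificate, key *ecdsa.PrivateKey) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		MinVersion:   tls.VersionTLS12,
	})
	check(err)
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { defer c.Close(); _, _ = c.Write([]byte(greeting)) }(c)
		}
	}()
	return ln
}

// fetchGreeting does what a news client does on 563: handshake, verify the
// server chain against roots (the client's trust store), read the banner.
func fetchGreeting(addr string, roots *x509.CertPool) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, RootCAs: roots, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(5 * time.Second))
	line, err := bufio.NewReader(conn).ReadString('\n')
	return strings.TrimRight(line, "\r\n"), err
}

// Outcome records the two client states the thread contrasts.
type Outcome struct {
	WithoutRootErr error  // trust store lacking the root: handshake error
	RootMissing    bool   // true if that error is x509.UnknownAuthorityError
	Greeting       string // banner received once the root has been imported
}

func Run() (out Outcome, err error) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA (stand-in for CAcert)"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert, caKey := mintCert(caTmpl, caTmpl, nil)
	srvCert, srvKey := mintCert(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serverName},
		DNSNames: []string{serverName}, NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, caCert, caKey)
	ln := startServer(srvCert, srvKey)
	defer ln.Close()
	// 1. Trust store without the root (stock Tb/SM/OE): no banner, just a verification error.
	_, out.WithoutRootErr = fetchGreeting(ln.Addr().String(), x509.NewCertPool())
	var unknown x509.UnknownAuthorityError
	out.RootMissing = errors.As(out.WithoutRootErr, &unknown)
	// 2. Same store after importing root.crt: the banner comes through.
	imported := x509.NewCertPool()
	imported.AddCert(caCert)
	out.Greeting, err = fetchGreeting(ln.Addr().String(), imported)
	return out, err
}

func main() { out, err := Run(); fmt.Printf("%+v\nerr: %v\n", out, err) }
```

Run it with `go run`: the first connection fails with an unknown-authority error before any NNTP byte is exchanged, the second returns the 200 banner. Against the real server the CLI equivalent of the second case is `openssl s_client -connect news.mixmin.net:563 -CAfile root.crt`, which reports the chain verification result in its output; if that verifies but a client still fails after importing the same root, the problem is in that client's handling of the imported certificate rather than in the server's chain.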

David E. Ross

Sep 25, 2015, 10:15:43 PM
to mozilla-suppo...@lists.mozilla.org
On 9/25/2015 6:29 PM, Ron K. wrote:
> Mike Easter wrote on 9/25/2015 6:25 PM:
>> David E. Ross wrote:
>>> Having known of CAcert for over 10 years, I do not believe its root was
>>> ever in the NSS root certificate database. The request by CAcert to add
>>> its root to the database was withdrawn when it appeared there would be a
>>> substantial cost for having an audit. This cost would be a problem
>>> since CAcert was a non-profit organization with very little money.
>>
>> Separate from whether or not CAcert was or wasn't in the default Tb (or
>> Ffx) database, the user has the ability to import a cert.
>>
>> http://www.cacert.org/index.php?id=3 Root Certificate (PEM Format)
>>
>> (Save root.crt to disk, aim Tb Import cert at it)
>>
>> Similar strategies exist for OE and SM.
>>
>> Without importing the cert, none of them can access mixmin port 563 SSL
>> for groups list or posting a message.
>>
>> After importing the cert, OE and SM can access the groups list and post to
>> mixmin port 563 SSL, but Tb cannot.
>>
>
> Seems odd that SM is odd man out of the Mozilla family since they all use
> the Gecko code suite for desktop systems.
>

I believe SeaMonkey's mail-news capabilities use SeaMonkey's certificate
database. Thunderbird has its own certificate database. Thus, CAcert's
root must be separately imported for Thunderbird.

Mike Easter

Sep 25, 2015, 10:44:27 PM
to mozilla-suppo...@lists.mozilla.org
David E. Ross wrote:
> I believe SeaMonkey's mail-news capabilities use SeaMonkey's certificate
> database. Thunderbird has its own certificate database. Thus, CAcert's
> root must be separately imported for Thunderbird.

SM would not acquire mixmin's groups list or post in its default v. 2.19.

Then I imported CAcert's cert, and SM would acquire the groups list and
post.

Same sequence with OE.

In the default condition, both SM and Tb handle news.individual.net SSL
563 without difficulty.

--
Mike Easter

Ron K.

Sep 26, 2015, 1:45:00 AM
to mozilla-suppo...@lists.mozilla.org
In my reference to Gecko, I meant the Gecko Runtime Environment which
includes Necko and Toolkit among the list of components. The GRE is much
more than the rendering. I believe SM may be a bit behind on GRE version,
so may have some behavior differences. Plus SM and TB do differ on what
patches are picked-up.

Mike Easter

Sep 28, 2015, 11:06:41 AM
to mozilla-suppo...@lists.mozilla.org
Mike Easter wrote:
> Background:
> - Tb default certs do not include CAcert
> - SM default certs do not include CAcert
> - OE default certs do not include CAcert
> - mixmin.net CA is CAcert
> - CAcert cert available at cacert.org
> - OE, SM, & Tb can import the CAcert

Hmmph. The umpteenth time I tried to get the groups list with Tb at
mixmin SSL on 563, I succeeded. Then I successfully posted a message
with Tb.

Consider this issue 'fixed'/resolved.

While I was whining, I was going to post a mixmin nntp session log by
giving a couple of bash commands and then starting Tb from the terminal.

--
Mike Easter