;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome} stunnel.conf (tested on January 10th, 2024)
; See https://groups.google.com/g/news.software.readers/c/sxkkJYuI728
; Use a different port for each identity between 49152 & 65535
; Stunnel log will always report at least these next four lines:
; Reading configuration from file (path)\stunnel.conf
; UTF-8 byte order mark detected
; FIPS mode disabled
; Configuration successful
; Like it or not, posting to news.neodome.net requires a login/password
; Like it or not, news.neodome.net requires at least a 10-char passwd
; Like it or not, the news.neodome.net certificate is self-signed
; Like it or not, the news.neodome.net certificate expired in 12/2020
; Like it or not, news.neodome.net REQUIRES encryption when posting
; Like it or not, Dialog (circa 2005) uses old encryption standards
; Like it or not, news.neodome.net won't accept Dialog port 119
; Like it or not, news.neodome.net won't accept Dialog port 119 SSL
; Like it or not, news.neodome.net won't accept Dialog port 563
; But news.neodome.net will accept Dialog port 563 with Dialog SSL
; Like it or not, Dialog port 563 SSL uses old encryption standards
; These four tests suggested by Bernd & Vanguard worked in Jan 2024
; 1. news.neodome.net accepts Dialog port 563 SSL posts
; 2. news.neodome.net accepts sTunnel port 119 STARTTLS posts
; 3. news.neodome.net accepts sTunnel port 563 posts (ignoring the cert)
; 4. news.neodome.net accepts sTunnel port 563 posts (acknowledging the cert)
; Each solution below is a tested workaround, thanks to Bernd Rose & Vanguard
; Like it or not, Dialog obfuscates or omits some identity information
; So you may want to save that identity information here in stunnel.conf
; Neodome Identity: (archive your real email address here if you like)
; Dialog Identity: (archive your Dialog email address here if you like)
; Dialog Username = (archive your Dialog username here if you like)
; Dialog Password = (archive your Dialog password here if you like)
; System timezone: (archive your system timezone here if you like)
; Like it or not, SSL certificate checks depend on an accurate system clock and time zone
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome1}
; This method sets Dialog to use Dialog port 563 SSL encryption
; 40Tude Dialog will NOT use the latest encryption standards.
; sTunnel is not involved, so this method needs no stunnel.conf entry
; Dialog Host: news.neodome.net
; Dialog Port: 563
; Dialog SSL: checked
; Dialog Username: (required)
; Dialog Password: (required)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; No stunnel.conf entries are used for [Neodome1] setup
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome2}
; This method sets Dialog to use sTunnel port 119 STARTTLS.
; You'd think it wouldn't require a password, but it does
; If you are able to connect through sTunnel to a server
; that connection will always be encrypted (e.g., as STARTTLS)
; (Although, with the right setting, it is possible to use
; "null encryption" [aka a non-encrypting "encryption" method])
; Setting sTunnel to connect with protocol NNTP on port 119
; leads to a handshake with STARTTLS by default
; Like it or not, you'll see these sTunnel warnings with this entry
; LOG3: No trusted certificates found
; LOG4: Service [Neodome2] needs authentication to prevent MITM attacks
; Dialog Host: 127.0.0.1
; Dialog Port: 49152 (pick any unused port between 49152 & 65535)
; Dialog SSL: unchecked
; Dialog Username: (required)
; Dialog Password: (required)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; For a self-signed certificate that has not expired, a good way to
; deal with it is to save the peer certificate locally; later connections
; are then checked against that saved self-signed certificate (which has no chain)
; In Stunnel, if you've recently posted, you can do the following:
; Stunnel: Save Peer Certificate -> Peer-Neodome2.pem
; Up comes a box saying:
; Stunnel 5.69 on Win64
; Peer certificate change has been saved.
; Add the following lines to section [Neodome2]:
; CAfile = peer-Neodome2.pem
; verifyPeer = yes
; to enable cryptographic authentication.
; Then reload stunnel configuration file.
; This approach will fail for neodome, but only because its certificate is expired
[Neodome2]
client = yes
accept = 127.0.0.1:49152
connect = news.neodome.net:119
protocol = nntp
; CAfile = peer-Neodome2.pem
; verifyPeer = yes
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome3}
; This method sets Dialog to use sTunnel port 563 encryption
; This method does not verify the certificate at all
; It's probably the best option because it uses current encryption
; Dialog Host: 127.0.0.1
; Dialog Port: 49153 (pick any unused port between 49152 & 65535)
; Dialog SSL: unchecked
; Dialog Username: (required)
; Dialog Password: (required)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; Like it or not, you'll see these sTunnel warnings with this entry
; LOG3: No trusted certificates found
; LOG4: Service [Neodome3] needs authentication to prevent MITM attacks
[Neodome3]
client = yes
accept = 127.0.0.1:49153
connect = news.neodome.net:563
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome4}
; This is a very minor variation on method #3 above
; This method sets Dialog to use sTunnel port 563 encryption
; This method requests but does not check the certificate
; The "verify = 0" was initially suggested by the Neodome admin
; The "verify = 0" requests a certificate but does not check it
; Dialog Host: 127.0.0.1
; Dialog Port: 49154 (pick any unused port between 49152 & 65535)
; Dialog SSL: unchecked
; Dialog Username: (required)
; Dialog Password: (required)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; Like it or not, you'll see these sTunnel warnings with this entry
; LOG3: No trusted certificates found
; LOG4: Service [Neodome4] needs authentication to prevent MITM attacks
[Neodome4]
client = yes
accept = 127.0.0.1:49154
connect = news.neodome.net:563
verify = 0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
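Added example, not part of the posted stunnel.conf: a small Python lint that parses this file's INI-style layout and reports, for each client section, whether the remote certificate is actually authenticated (the condition behind the LOG4 "needs authentication to prevent MITM attacks" warning above). The [Hardened] section is a constructed variant of [Neodome2] with its commented-out CAfile/verifyPeer lines enabled; peer-Neodome2.pem is the file name used on the page.

```python
import configparser

# Constructed sample: Neodome2..4 mirror the page; [Hardened] is an assumed variant with verifyPeer/CAfile enabled.
SAMPLE_CONF = """\
[Neodome2]
client = yes
connect = news.neodome.net:119
protocol = nntp
; CAfile = peer-Neodome2.pem
; verifyPeer = yes
[Neodome3]
client = yes
connect = news.neodome.net:563
[Neodome4]
client = yes
connect = news.neodome.net:563
verify = 0
[Hardened]
client = yes
connect = news.neodome.net:563
CAfile = peer-Neodome2.pem
verifyPeer = yes
"""

def parse_stunnel_conf(text):
    """Parse stunnel's INI-style layout: ';' comment lines, case-insensitive keys."""
    cp = configparser.ConfigParser(comment_prefixes=(";", "#"), strict=False, interpolation=None)
    cp.read_string(text)
    return {s: {k.lower(): v.strip() for k, v in cp[s].items()} for s in cp.sections()}

def peer_authenticated(opts):
    """Return (ok, reason). 'verify = 0' requests but never checks a certificate;
    verifyPeer/verifyChain only authenticate when a CAfile or CApath is present."""
    has_ca = "cafile" in opts or "capath" in opts
    if any(opts.get(k, "").lower() == "yes" for k in ("verifypeer", "verifychain")):
        return (True, "peer checked against CAfile/CApath") if has_ca \
            else (False, "verifyPeer/verifyChain set but no CAfile/CApath to check against")
    if "verify" in opts:
        level = int(opts["verify"])
        if level == 0:
            return False, "verify = 0 requests a certificate but does not check it"
        return (level >= 2 and has_ca), f"legacy verify = {level}; authenticated only with level >= 2 and a trust store"
    return False, "no verification options: peer is not authenticated (MITM possible)"

def audit(text):
    """Verdict per client section; server-mode sections are skipped."""
    return {s: peer_authenticated(o) for s, o in parse_stunnel_conf(text).items()
            if o.get("client", "").lower() == "yes"}

if __name__ == "__main__":
    for name, (ok, why) in audit(SAMPLE_CONF).items():
        print(f"[{name}] {'OK  ' if ok else 'RISK'} {why}")
```

Run against the real file with `audit(open("stunnel.conf", encoding="utf-8-sig").read())`; the `utf-8-sig` codec handles the UTF-8 byte order mark that the stunnel log mentions.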