
Using Xnews 2006 with SSL tunnel


Hey

Jan 30, 2022, 5:45:55 PM

Does anyone have instructions how to set up Xnews 2006 with stunnel
using windows 10? The sites I find on Google are out of date or
come with a malware warning from my ISP software.

Thank You,

Hey

Nil

Jan 30, 2022, 7:06:12 PM
Stunnel's basic usage hasn't changed in many years, and Xnews stopped
being developed about 15 years ago, so even out-of-date instructions
are probably still valid.

I use that combination. I install Stunnel from
<https://www.stunnel.org/> and set it up as a system service. I then
replace the default stunnel.conf file (make a backup of it - it may
have some useful comments in it) with my custom one (for
eternal-september):

[eternal-september-news]
; connect to the eternal-september NNTPS port for Xnews
client = yes
accept = 562
connect = news.eternal-september.org:563


Then I set up my server in Xnews like this:

Server name: 127.0.0.1 (or localhost)
Port number: 562
Username and Password, of course.
I don't bother with the SMTP server - don't use that feature.


The Port Number is arbitrary, but it has to be otherwise unused on your
computer and must agree with the Accept line in stunnel.conf.

I may have glossed over some details. Is that enough to get you going?

knuttle

Jan 30, 2022, 11:02:47 PM
On 1/30/2022 9:06 PM, Nil wrote:

> The Port Number is arbitrary, but it has to be otherwise unused on your
> computer and must agree with the Accept line in stunnel.conf.

To add to that advice, I've had problems with the port number getting used
long after I've assigned it (like many days, weeks or even months later).

What I do to avoid collisions (since I don't know what uses the port)
is make the port arbitrarily large - and always above 1024 for sure.

Looking at my own stunnel config, here's mine for Ray Banana's server.
; From: Wolfgang M. Weyand [wolfgang at eternal-september.org]
; Address: Berliner Strasse 26 D-61348 Bad Homburg v.d.H. ICQ 335794777
; Status: http://www.eternal-september.org/serverstatus.php
; Register: http://www.eternal-september.org/RegisterNewsAccount.php
[nntp-esep]
client = yes
accept = 127.0.0.1:12345
connect = news.eternal-september.org:563
verifyChain = yes
CAfile = ca-certs.pem
checkHost = news.eternal-september.org
OCSPaia = yes

In your newsreader you can set the server:port to the "accept" line.

I really do not know what most of those lines do (maybe you can tell me)
but those are what Ray Banana provided me a long time ago (years ago).

In the newsreader if you have an SSL box, I don't set SSL there
but I'm not sure if that works for everyone on every newsreader or not.

Nil

Feb 1, 2022, 6:13:04 PM
On 30 Jan 2022, knuttle <keith_...@sbcglobal.net> wrote in
news.software.readers:
Here are descriptions of those lines according to the stunnel
documentation. I don't really understand their implication, but I guess
it has to do with verifying that the e-s host is trusted. I've been
operating just fine without them for several years, but I'm using your
settings now and they work well, too. It maybe even connects faster,
but that might be my imagination.

==============

verifyChain = yes | no
verify the peer certificate chain starting from the root CA

For server certificate verification it is essential to also require
a specific certificate with checkHost or checkIP.

The self-signed root CA certificate needs to be stored either in
the file specified with CAfile, or in the directory specified with
CApath.

default: no

-----------

CAfile = CA_FILE
Certificate Authority file

This file contains multiple CA certificates, to be used with the
verifyChain and verifyPeer options.

-----------

checkHost = HOST
host of the peer certificate subject

Multiple checkHost options are allowed in a single service section.
Certificates are accepted if no subject checks were specified, or the
host name of the peer certificate matches any of the hosts specified
with checkHost.

This option requires OpenSSL 1.0.2 or later.

-----------

OCSPaia = yes | no
validate certificates with their AIA OCSP responders

This option enables stunnel to validate certificates with the list
of OCSP responder URLs retrieved from their AIA (Authority Information
Access) extension.
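An added example, not from this thread or from the stunnel project: a small Python audit over stunnel client configs of the kind posted above. It parses the [service] sections and flags the settings that matter for this setup: an accept line with no host (the stunnel manual says that binds every local IPv4 address, so the plaintext NNTP side, credentials included, is reachable from the LAN rather than only from Xnews on loopback), a privileged accept port, a client service with no verifyChain/verifyPeer (the server certificate is never checked), verifyChain without checkHost/checkIP (any certificate signed by something in CAfile would pass), and verifyChain with no CAfile/CApath. The two configs are constructed inline from the ones in the thread; the rule set, the service names and the helper names are this example's own, and the port check only tells you whether something is listening right now, which is exactly the collision problem described earlier.

```python
"""Audit an stunnel client config for NNTPS (added example, not the
thread's or stunnel's own code). Parses [service] sections and flags
settings that leave the plaintext side exposed or the TLS peer unverified."""
import socket

# Constructed: the minimal config from the thread. No peer verification,
# and "accept" without a host, which stunnel binds to all local IPv4 addresses.
MINIMAL_CONF = """\
[eternal-september-news]
client = yes
accept = 562
connect = news.eternal-september.org:563
"""

# Constructed: the verifying config from the thread, bound to loopback.
HARDENED_CONF = """\
; comments and blank lines are ignored by the parser
[nntp-esep]
client = yes
accept = 127.0.0.1:12345
connect = news.eternal-september.org:563
verifyChain = yes
CAfile = ca-certs.pem
checkHost = news.eternal-september.org
OCSPaia = yes
"""


def parse_stunnel_conf(text):
    """Return {section: {key: [values...]}}. A key may repeat (e.g. checkHost)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # global options are not needed for this audit
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def split_host_port(value):
    """'127.0.0.1:562' -> ('127.0.0.1', 562); '562' -> (None, 562)."""
    host, sep, port = value.rpartition(":")
    return (host if sep else None), int(port)


def audit_service(name, opts):
    """Findings for one client-mode service; an empty list means nothing flagged."""
    findings = []
    if opts.get("client", ["no"])[0].lower() != "yes":
        return findings  # server-mode services are outside this audit
    for accept in opts.get("accept", []):
        host, port = split_host_port(accept)
        if host is None or host in ("0.0.0.0", "::"):
            findings.append(f"{name}: accept={accept} listens on all interfaces; "
                            "use 127.0.0.1:<port> so the plaintext side stays local")
        if port < 1024:
            findings.append(f"{name}: accept port {port} is privileged; pick one above 1024")
    verifying = (opts.get("verifyChain", ["no"])[0].lower() == "yes"
                 or opts.get("verifyPeer", ["no"])[0].lower() == "yes")
    if not verifying:
        findings.append(f"{name}: no verifyChain/verifyPeer; the server certificate "
                        "is never checked, so an interceptor can terminate the TLS")
    elif not (opts.get("checkHost") or opts.get("checkIP")):
        findings.append(f"{name}: verifyChain without checkHost/checkIP accepts any "
                        "certificate the CA file signed, not just this server's")
    if verifying and "CAfile" not in opts and "CApath" not in opts:
        findings.append(f"{name}: verifyChain needs CAfile or CApath to find the root CA")
    for connect in opts.get("connect", []):
        if split_host_port(connect)[1] != 563:
            findings.append(f"{name}: connect={connect} is not the NNTPS port 563")
    return findings


def audit(text):
    """All findings across every service section in the config text."""
    return [f for name, opts in parse_stunnel_conf(text).items()
            for f in audit_service(name, opts)]


def port_is_free(port, host="127.0.0.1"):
    """True if nothing on this machine currently listens on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


if __name__ == "__main__":
    for label, conf in (("minimal", MINIMAL_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label}")
        for finding in audit(conf) or ["no findings"]:
            print("  " + finding)
```

Run it against your own stunnel.conf by reading the file into audit(); the minimal config yields three findings (all-interface bind, privileged port, no verification) and the verifying one yields none. The TLS findings are the ones that matter most: with Xnews talking plaintext to 127.0.0.1 and no checkHost, every byte of protection rests on stunnel actually verifying who is on the far end of port 563.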