Configuring a newsreader with Stunnel SSL

It seems that many folks out there are having a hard time getting their non-SSL-enabled newsreader to talk SSL with the NNTP server.
If you want to use SSL to encrypt your news reading habits (or any other SSL-enabled habit), you can use Stunnel as a local SSL “proxy” to tunnel different protocols.

Read all about it at http://www.stunnel.org

So. I just wanted to post a recipe for making stuff work. This works for any newsreader, not just Pan. Knode and all the others also work through stunnel.

First of all you need to download and install stunnel. This can be done through your distribution’s package manager, or downloaded and built from http://www.stunnel.org

Depending on what version of stunnel you get or your distribution’s setup script, you may or may not have a stunnel.pem file lying around in your file system.
This is an SSL certificate file that stunnel needs. You could use the default stunnel.pem if you’re not going to use it for anything but getting stunnel up and running. That is, you don’t want the certificate to represent any part of you or your organization.

I use an older version 3.x of stunnel, because that’s what my package manager gave me. I didn’t get a stunnel.pem file. If this is also your case, you have to make one of your own.

This is done with the openssl tools. The stunnel.pem needs to be in the right format to be parsed, and to have the correct permissions, or else things won’t work.
I’m no wizard of SSL, so my guide may freak someone out, but at least I got it working…

I did the following:

openssl genrsa -out priv.pem
openssl req -new -x509 -key priv.pem -out stunnel.pem -days 1095

Now the format of the stunnel.pem needs to be like the following:

-----BEGIN RSA PRIVATE KEY-----
MIIBOQIBAAJBAKF94YxmWBxpQIl1OWAj0VqWSrYgh3LuNtWRN71g6lP4nSYLKqBD
iJemS7yXXxaOQSJzl/iTsnee6x5o0CVMc58CAwEAAQJANViQ9kEkoBYAtKedkW2j
.... (more blabla here)
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
MIICQDCCAeqgAwIBAgIJANiDZT8yJWiaMA0GCSqGSIb3DQEBBQUAMEwxCzAJBgNV
BAYTAkdCMRIwEAYDVQQIEwlCZXJrc2hpcmUxEDAOBgNVBAcTB05ld2J1cnkxFzAV
... (more blabla here)
-----END CERTIFICATE-----

To make this file, I simply copied and pasted the private key from priv.pem into stunnel.pem.

Now you need to save your stunnel.pem anywhere you like. You’ll point to it in the stunnel.conf file.
You also need to have the correct permissions on the file, more accurately 600. Issue this command on the file:

chmod 600 stunnel.pem
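
The key and certificate steps above as one non-interactive script, plus a check of the resulting file's layout and mode. This is an added example, not part of the original post. The function names, the 2048-bit key size and the CN value are assumptions; the check accepts both the RSA PRIVATE KEY header shown above and the PRIVATE KEY header that newer OpenSSL releases write.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the 2048-bit
# key size and the CN value are assumptions made for illustration.

# build_stunnel_pem OUTFILE: private key first, then certificate, mode 600.
build_stunnel_pem() {
    out=$1
    tmp=$(mktemp -d) || return 1
    (
        umask 077   # key material is never group- or world-readable
        openssl genrsa -out "$tmp/priv.pem" 2048 &&
        openssl req -new -x509 -key "$tmp/priv.pem" -out "$tmp/cert.pem" \
            -days 1095 -subj "/CN=stunnel-client" &&
        cat "$tmp/priv.pem" "$tmp/cert.pem" > "$out" &&
        chmod 600 "$out"
    )
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# first_line PATTERN FILE: line number of the first matching line, or empty.
first_line() { grep -n -E -e "$1" "$2" | head -n 1 | cut -d: -f1; }

# check_stunnel_pem FILE: prints "ok", or the first problem found (returns 1).
check_stunnel_pem() {
    f=$1
    [ -f "$f" ] || { echo "missing file"; return 1; }
    case $(ls -ld "$f") in
        -rw-------*) ;;
        *) echo "mode is not 600"; return 1 ;;
    esac
    # Newer OpenSSL writes "BEGIN PRIVATE KEY" instead of "BEGIN RSA PRIVATE KEY".
    kb=$(first_line '^-----BEGIN (RSA )?PRIVATE KEY-----$' "$f")
    ke=$(first_line '^-----END (RSA )?PRIVATE KEY-----$' "$f")
    cb=$(first_line '^-----BEGIN CERTIFICATE-----$' "$f")
    ce=$(first_line '^-----END CERTIFICATE-----$' "$f")
    [ -n "$kb" ] && [ -n "$ke" ] || { echo "no private key block"; return 1; }
    [ -n "$cb" ] && [ -n "$ce" ] || { echo "no certificate block"; return 1; }
    [ "$kb" -lt "$ke" ] && [ "$ke" -lt "$cb" ] && [ "$cb" -lt "$ce" ] ||
        { echo "blocks are out of order"; return 1; }
    echo ok
}

# Usage: sh thisfile.sh /path/to/stunnel.pem
if [ $# -gt 0 ]; then check_stunnel_pem "$1"; fi
```

Setting the umask before generating the key means priv.pem is never readable by other users, even for the moment before chmod runs.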

Now it’s time for the config file stunnel.conf, located (on my system) in /etc/ssl/stunnel/stunnel.conf
If it isn’t there, just create it with sudo vi /etc/ssl/stunnel/stunnel.conf
(You need to have root privileges, so use sudo or su before using your editor of choice. I chose vi.)
Then type in these silly lines:

client = yes
key = PATH TO YOUR STUNNEL.PEM FILE HERE

[nntp]
accept = localhost:119
connect = SERVER:PORT OF YOUR NEWS PROVIDER HERE
(mine is news-europe.giganews.com:563)

Now that is pretty much it. Type sudo stunnel to start stunnel, or run /usr/sbin/stunnel as root.
Make sure it is running with

ps aux | grep stunnel

You should see a pid there.
Now configure your newsreader to use localhost as server address and 119 as port.
You should be able to connect, knowing that your traffic to the news server is now encrypted with SSL.

Hope this helps.

Baltazaar

6 thoughts on “Configuring a newsreader with Stunnel SSL”

  1. I’ve been hunting for an SSL capable newsreader – this solved my problem perfectly, and I can continue using PAN. Thanks for the clear, helpful instructions, too! Very simple to follow. You are a boon to humanity!!

  2. Thanks very much .. !

    My old configuring approach required me
    to set up an stunnel user .. This is *much*
    easier.

    Tom

  3. Wow, outstanding! Thanks very much this worked really well. I’m wondering what else I can use stunnel for =D
