Configuring a newsreader with Stunnel SSL

It seems that many folks out there are having a hard time getting their non-SSL-enabled newsreader to talk SSL with the NNTP server.
If you want to use SSL to encrypt your news reading habits (or any other SSL-enabled habit), you can use Stunnel as a local SSL “proxy” that tunnels different protocols.

Read all about it at http://www.stunnel.org

So. I just wanted to post a recipe for making stuff work. This works for any newsreader, not just Pan. Knode and all the others also work through stunnel.

First of all you need to download and install stunnel. This can be done through your distribution’s package manager, or it can be downloaded and built from http://www.stunnel.org

Depending on what version of stunnel you get, or on your distribution’s setup script, you may or may not have a stunnel.pem file lying around in your file system.
This is an SSL certificate file that stunnel needs. You can use the default stunnel.pem if you’re not going to use it for anything but getting stunnel up and running, that is, if you don’t need the certificate to represent any part of you or your organization.

I use an older version 3.x of stunnel, because that’s what my package manager gave me. I didn’t get a stunnel.pem file. If this is also your case, you have to make one of your own.

This is done with the openssl tools. The stunnel.pem needs to be in the right format to be parsed, and needs to have the correct permissions set on it, or else things won’t work.
I’m no wizard of SSL, so my guide may freak someone out, but at least I got it working…

I did the following:

openssl genrsa -out priv.pem
openssl req -new -x509 -key priv.pem -out stunnel.pem -days 1095

Now the format of the stunnel.pem needs to be like the following:

-----BEGIN RSA PRIVATE KEY-----
MIIBOQIBAAJBAKF94YxmWBxpQIl1OWAj0VqWSrYgh3LuNtWRN71g6lP4nSYLKqBD
iJemS7yXXxaOQSJzl/iTsnee6x5o0CVMc58CAwEAAQJANViQ9kEkoBYAtKedkW2j
.... (more blabla here)
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
MIICQDCCAeqgAwIBAgIJANiDZT8yJWiaMA0GCSqGSIb3DQEBBQUAMEwxCzAJBgNV
BAYTAkdCMRIwEAYDVQQIEwlCZXJrc2hpcmUxEDAOBgNVBAcTB05ld2J1cnkxFzAV
... (more blabla here)
-----END CERTIFICATE-----

To make this file, I simply copied and pasted the private key from priv.pem into stunnel.pem.

Now you need to save your stunnel.pem anywhere you like. You’ll point to it in the stunnel.conf file.
Also, the file needs to have the correct permissions, specifically 600 (readable and writable by the owner only). Issue this command on the file:

chmod 600 stunnel.pem

Now it’s time for the config file stunnel.conf, located (on my system) in /etc/ssl/stunnel/stunnel.conf
If it isn’t there just create it with sudo vi /etc/ssl/stunnel/stunnel.conf
(You need to have root privileges, so use sudo or su before using your editor of choice. I chose vi.)
Then type in these silly lines:

client = yes
key = PATH TO YOUR STUNNEL.PEM FILE HERE

[nntp]
accept = localhost:119
connect = SERVER:PORT OF YOUR NEWS PROVIDER HERE
(mine is news-europe.giganews.com:563)

Now that is pretty much it. Type sudo stunnel to start stunnel, or as root run /usr/sbin/stunnel.
Make sure it is running with

ps aux | grep stunnel

You should see a pid there.
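The steps above (concatenate key and certificate into stunnel.pem, set mode 600, write the client-mode stunnel.conf) as one POSIX shell script. This is an added example, not part of the original post: the function names, the placeholder key/certificate text, the news.example.invalid:563 server and the temporary paths are all assumptions of this example. It also checks the finished PEM the way a practitioner would before starting stunnel, since a missing block or loose permissions are the usual reasons stunnel refuses the file.

```shell
#!/bin/sh
# Added example (not from the original post): assemble a stunnel.pem from an
# existing private key and certificate, enforce mode 600, and write a
# client-mode stunnel.conf for an NNTP-over-SSL provider.
set -eu

# Concatenate the private key and the certificate into one PEM file, as the
# post does by hand with copy and paste, then restrict the permissions.
assemble_pem() {
    key="$1"; cert="$2"; out="$3"
    cat "$key" "$cert" > "$out"
    chmod 600 "$out"
}

# Returns 0 if the PEM contains both a private key block and a certificate
# block and is readable only by its owner (mode 600); returns 1 otherwise.
check_pem() {
    f="$1"
    grep -q -- '-----BEGIN \(RSA \)\{0,1\}PRIVATE KEY-----' "$f" || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
    # ls -ld is used instead of stat so the check is portable across GNU/BSD.
    perms=$(ls -ld "$f" | cut -c2-10)
    [ "$perms" = "rw-------" ] || return 1
    return 0
}

# Write a client-mode config: plain NNTP accepted on localhost:119 and
# forwarded over SSL to the provider's server:port.
write_conf() {
    pem="$1"; server="$2"; out="$3"
    cat > "$out" <<EOF
client = yes
key = $pem

[nntp]
accept = localhost:119
connect = $server
EOF
}

# Demo with constructed placeholder key/certificate text (not real
# credentials). With openssl installed, use the real priv.pem and the
# certificate produced by the openssl genrsa / req commands from the post.
demo() {
    dir=$(mktemp -d)
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n' > "$dir/priv.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' > "$dir/cert.pem"
    assemble_pem "$dir/priv.pem" "$dir/cert.pem" "$dir/stunnel.pem"
    check_pem "$dir/stunnel.pem" && echo "stunnel.pem OK (key + cert present, mode 600)"
    write_conf "$dir/stunnel.pem" "news.example.invalid:563" "$dir/stunnel.conf"
    cat "$dir/stunnel.conf"
    rm -rf "$dir"
}

demo
```

The generated config is the same one the post gives, so like the post's it only encrypts the connection; it does not check who the server is. On stunnel 4.x-style configs, adding verify = 2 together with a CAfile = pointing at the provider's CA certificate makes stunnel reject a server that presents an untrusted certificate, which is the check a defender would want in place before trusting the tunnel.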
Now configure your newsreader to use localhost as server address and 119 as port.
You should be able to connect, knowing that your traffic is now secured with SSL.

Hope this helps.

Baltazaar