Installing Stunnel to Enable SSL Connections in Pan Newsreader

I'd like my newsreading activity to remain private and I enjoy using the PAN Newsreader. The newsreader is open and free, but unfortunately doesn't support SSL connections. My news provider astraweb does support SSL at no additional cost. So I decided to take the plunge an utilize stunnel to encrypt connections to news service provider on my 64-bit Kubuntu linux machine. Hope the following procedure helps anyone trying to do the same.

Install stunnel4 form the Ubuntu repositories:
sudo apt-get install stunnel4
Configure stunnel to start automatically by editing the main configuration file with nano text editir (my favorite) and change the ENABLED=0 line to 1:
sudo nano /etc/default/stunnel4

ENABLED=1
Copy the example configuration /usr/share/doc/stunnel4/examples/stunnel.conf-sample to /etc/stunnel/
sudo cp /usr/share/doc/stunnel4/examples/stunnel.conf-sample /etc/stunnel/stunnel.conf
Edit the newly copied configuration file to make news request secure
Uncomment the line (remove the ;) to enable client secure tunnels
client=yes
Uncomment the line (remove the ;) to add compression to stunnel traffic
compression = zlib
Add the lines encrypt news (port 119) traffic:
accept = localhost:119
connect = ssl.astraweb.com:563
Allow nntp in the /etc/hosts.allow file
sudo nano /etc/hosts.allow

nntp: 127.0.0.1
Before you can use and start stunnel, you need a key. Upon installation, stunnel does not come with a key file. So you need to generate your personal key.
This key you need to generate with these commands.
openssl genrsa -out priv.pem
and again with this
openssl req -new -x509 -key priv.pem -out stunnel.pem -days 1095
You will have two files. One named priv.pem, the other stunnel.pem.
You need to add the content of priv.pem into stunnel.pem to have a complete key. The stunnel man page states the format of the key should look like this:
-----BEGIN RSA PRIVATE KEY-----
[encoded key]
-----END RSA PRIVATE KEY-----
[empty line]
-----BEGIN CERTIFICATE-----
[encoded certificate]
-----END CERTIFICATE-----
[empty line]

sudo nano priv.pem
sudo nano stunnel.pem
sudo mv stunnel.pem /etc/ssl/certs/stunnel.pem
After you did this, you need to set the right permissions to secure the key file.
chmod 600 /etc/ssl/certs/stunnel.pem
Start Stunnel4:
sudo /etc/init.d/stunnel4 start
The next step is configure Pan Newsreader to make it's newsreader request to stunnel4. Then stunnel will make the secure connections with the astraweb news servers:

Start Pan and enter the following settings for your secure newsgroup server (Edit:Edit News Servers:Add):
Set the Location Address to: "localhost" (without the quotes).
Set the port to: 119
Enter your Login information if required by your astraweb setup.
The last thing I do is change my connection limit for the astraweb News servers to 50 You can't do this in the GUI, so I just do a quick edit of the Pan configuration file:
sudo nano ~/.pan2/servers.xml
and change the connection limit from 4 to 50
<connection-limit>50</connection-limit>
Happy secure newsreading. If you want to check the version of stunnel that your running you can:
stunnel4 -version
UPDATED 12/31/2012: Here is my working /etc/stunnel/stunnel.conf:
cert = /etc/ssl/certs/stunnel.pem
sslVersion = SSLv3
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid

; performance tunings and added compression DT 12/31/2012
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib

; debugging stuff (may useful for troubleshooting) DT 13/31/2012 log doesn't write out look in /var/log/syslog)
;debug = 7
;output = /var/log/stunnel4/stunnel.log
; service-level configuration

[nntp]
client = yes
accept = localhost:119
connect = ssl-us.astraweb.com:563

Comments

  1. AnonymousNovember 23, 2012 at 8:25 AM

    Thanks for the tutorial. Can you post your /etc/stunnel/stunnel.conf? Also how can it be verified stunnel is working and using the certificates?

    ReplyDelete
  2. AnonymousJanuary 3, 2013 at 7:36 AM

    Thanks a lot for the tutorial. Yesterday I followed your instructions exactly, turned off the PC, started it again and PAN worked perfectly. Today I tried to use PAN again but it does not work. I have the following error : Error connecting to localhost/Error reading from localhost. What is happening ???

    ReplyDelete
    Replies
    1. TrebaczJanuary 3, 2013 at 9:10 AM

      My suggestion would be to enable debugging on stunnel.

      1. Remove the semicolon from the line ;debug = 7 in /etc/stunnel/stunnel.conf (use sudo nano /etc/stunnel/stunnel.conf).
      2. Restart stunnel4 (sudo service stunnel4 restart).
      3. When I uncomment the debug line - stunnel writes to my syslog. To see only stunnel messages in your syslog run something like grep limits to stunnel messages only: sudo cat /var/log/syslog | grep stunnel

      My startup looks like with debugging turned on:
      Clients allowed=500
      stunnel 4.53 on x86_64-pc-linux-gnu platform
      Compiled with OpenSSL 1.0.1 14 Mar 2012
      Running with OpenSSL 1.0.1c 10 May 2012
      Update OpenSSL shared libraries or rebuild stunnel
      Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
      Reading configuration from file /etc/stunnel/stunnel.conf
      Compression enabled: 2 algorithm(s)
      Snagged 64 random bytes from /dev/urandom
      PRNG seeded successfully
      Initializing service section [nntp]
      Certificate: /etc/ssl/certs/stunnel.pem
      Certificate loaded
      Key file: /etc/ssl/certs/stunnel.pem
      Private key loaded
      SSL options set: 0x00000004
      Configuration successful
      Service [nntp] (FD=12) bound to 127.0.0.1:119
      Created pid file /stunnel4.pid

      Looking around that's a pretty unusual error. I'd definitely double check you configuration. Sorry I can't be of more help.

      Delete
    2. AnonymousJanuary 3, 2013 at 9:52 AM

      Thanks David. In the meanwhile I have seen that, if I run “sudo /etc/init.d/stunnel4 start” I get the following message :
      Starting SSL tunnels: [Failed: /etc/stunnel/stunnel.conf]
      You should check that you have specified the pid= in you configuration file

      Delete
    3. TrebaczJanuary 3, 2013 at 10:25 AM

      Last effort here -perhaps another service is listening on port 119 try:
      sudo netstat -tupan | grep 119

      With stunnel running I get:
      tcp 0 0 127.0.0.1:119 0.0.0.0:* LISTEN 26209/stunnel4

      from https://bugs.launchpad.net/ubuntu/+source/stunnel4/+bug/137472

      Delete
  3. AnonymousMarch 1, 2013 at 3:29 PM

    Thanks. You are a real life saver. :)

    ReplyDelete
  4. SivaMay 14, 2013 at 5:07 PM

    Thanks, This blog is really helpful.

    ReplyDelete

Post a Comment

Popular posts from this blog

Moen 1225 Kitchen Faucet Cartridge Repair or Replacement

Image
Is your your Moen single handle kitchen faucet hard to use or leaking around the handle? If it is you can easily lubricate or replace the 1225 cartridge in the faucet. If you're the original owner owner of the faucet Moen warrants them to be leak-free for lifetime. I called the 800 number at 1-800-289-6636 and requested a replacement cartridge kit for the faucet (think ours is model 7730). They sent it out no charge in about 10 days. If your in a hurry you can also buy it from Amazon ( Moen 1225 One-Handle Replacement Cartridge ). Our Moen 7730 Single Handle Kitchen Faucet I shot a video of the dis-assembly and re-assembly of the kitchen faucet: The kit contained everything you need to replace the cartridge and get the faucet working like new again 1225 Cartridge Repair Kit 1225 Cartridge Kit Contents Here is a link to a pdf with the Moen 1225 cartridge installation instructions that came in the kit: Here are the components in the kit: Moen 122
Read more

Outdoor Temperature - Waiting for Update Honeywell WiFI Thermostat (RTH9580WF)

Image
Just bought my wife a new thermostat for our house. We missed the HAI home automation thermostats in our previous house and their ability to display outdoor temperature. The NEST removed too much of our ability to control our thermostat and didn't show outdoor weather conditions. We choose the Honeywell RTH9580WF  (from Amazon) for a few reasons: RTH9580WF Outdoor Temperature - shows waiting for update Pros: Ability to control from a remotely Easy WiFi connectivity Reliable thermostat company Good 4 star plus reviews from Amazon Ability to show outdoor temperature and humidity Easy to use touchscreen and nice design Cons: C wire required No external temperature sensor Replacing  our existing heat pump thermostat was uneventful. I just carefully followed the instructions from Honeywell on how to install it. Our system was new enough to have a C-wire run but not connected to the existing thermostat. Honeywell's online tools and video helped me through this q
Read more

Comcast Xfinity HD uDTA Pace DC60Xu Unboxing and Setup Instructions

Image
Today I picked up two Comcast Xfinity uDTA (HD Digital Transport Adapters). These are the latest DTA's from Comcast that allow you to view HDTV using a tiny cable box as opposed to the huge boxes. They also have the advantage of being much less expensive to rent than the settop boxes. In my area they are easily exchanged for the for the original Thompson DTA's ( http://blog.trebacz.com/2010/03/comcast-dta-digital-transport-adapter.html ) from a couple years ago. Advantages of Comcast Xfinity HD DTA: Small compact size HDMI output or standard cable TV RF remote option (no line of site needed) Same monthly rental as standard definition DTA's Disadvantages of Xfinity HD uDTA: No menu system (or extremely limited) No on-demand programming No channel favorites Below is the unboxing process and what it took to hook it all up. If you'd rather see a video of the process, I did that also. You can see the video on my YouTube channel at: http://www.yo
Read more