Sunday, March 18, 2012

Installing Stunnel to Enable SSL Connections in Pan Newsreader

I'd like my newsreading activity to remain private and I enjoy using the PAN Newsreader. The newsreader is open and free, but unfortunately doesn't support SSL connections. My news provider, astraweb, does support SSL at no additional cost. So I decided to take the plunge and utilize stunnel to encrypt connections to my news service provider on my 64-bit Kubuntu Linux machine. I hope the following procedure helps anyone trying to do the same.

Install stunnel4 from the Ubuntu repositories:

sudo apt-get install stunnel4
Configure stunnel to start automatically by editing the /etc/default/stunnel4 file with the nano text editor (my favorite) and changing the ENABLED=0 line to ENABLED=1:
sudo nano /etc/default/stunnel4
ENABLED=1
Copy the example configuration /usr/share/doc/stunnel4/examples/stunnel.conf-sample to /etc/stunnel/:
sudo cp /usr/share/doc/stunnel4/examples/stunnel.conf-sample /etc/stunnel/stunnel.conf
Edit the newly copied configuration file to make news requests secure.
Uncomment the line (remove the leading ;) to run stunnel in client mode, so that it makes secure outgoing connections:
client=yes
Uncomment the line (remove the leading ;) to add compression to stunnel traffic:
compression = zlib
Add these lines to encrypt news (port 119) traffic; they belong inside a service section, as the [nntp] section of the full configuration at the end of this post shows:
accept = localhost:119
connect = ssl.astraweb.com:563
Allow nntp in the /etc/hosts.allow file:
sudo nano /etc/hosts.allow
nntp: 127.0.0.1
Before you can use and start stunnel, you need a key. Upon installation, stunnel does not come with a key file, so you need to generate your personal key with the two commands below. First generate the private key:
openssl genrsa -out priv.pem
then create a self-signed certificate from it:
openssl req -new -x509 -key priv.pem -out stunnel.pem -days 1095
You will have two files, one named priv.pem and the other stunnel.pem.
You need to add the content of priv.pem to stunnel.pem to have a complete key file. The stunnel man page states the format should look like this:
-----BEGIN RSA PRIVATE KEY-----
[encoded key]
-----END RSA PRIVATE KEY-----
[empty line]
-----BEGIN CERTIFICATE-----
[encoded certificate]
-----END CERTIFICATE-----
[empty line]
Open both files, paste the private key block from priv.pem at the top of stunnel.pem in the order shown above, then move the combined file into place:
sudo nano priv.pem
sudo nano stunnel.pem
sudo mv stunnel.pem /etc/ssl/certs/stunnel.pem
After you have done this, set the right permissions so that only the owner can read the key file:
chmod 600 /etc/ssl/certs/stunnel.pem
Start Stunnel4:
sudo /etc/init.d/stunnel4 start
The next step is to configure Pan Newsreader to send its news requests to stunnel4, which then makes the secure connection to the astraweb news servers:

Start Pan and enter the following settings for your secure newsgroup server (Edit:Edit News Servers:Add):

Set the Location Address to: "localhost" (without the quotes).
Set the port to: 119
Enter your Login information if required by your astraweb setup.
The last thing I do is change my connection limit for the astraweb news servers to 50. You can't do this in the GUI, so I just do a quick edit of the Pan configuration file:
sudo nano ~/.pan2/servers.xml
and change the connection limit from 4 to 50:
<connection-limit>50</connection-limit>
Happy secure newsreading. If you want to check the version of stunnel that you're running:
stunnel4 -version
UPDATED 12/31/2012: Here is my working /etc/stunnel/stunnel.conf:
cert = /etc/ssl/certs/stunnel.pem
sslVersion = SSLv3
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid

; performance tunings and added compression DT 12/31/2012
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib

; debugging stuff (may be useful for troubleshooting) DT 13/31/2012 (the log doesn't get written; look in /var/log/syslog instead)
;debug = 7
;output = /var/log/stunnel4/stunnel.log
; service-level configuration

[nntp]
client = yes
accept = localhost:119
connect = ssl-us.astraweb.com:563
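The key, certificate and configuration steps above, collected into a small shell script. This is an added example and not part of the original post: it wraps the two openssl commands, builds the combined stunnel.pem in the order the man page requires, checks that order and the file mode instead of trusting a hand edit in nano, and writes a client stunnel.conf. The written config differs from the working config above in two places: it sets sslVersion to TLSv1 rather than SSLv3 (SSLv3 was broken by the POODLE attack in 2014, after this post was written) and it adds verify = 2 plus a CAfile, so the tunnel rejects a news server that presents a certificate the system CA bundle does not vouch for; without verification, the tunnel encrypts the traffic but accepts any certificate. Assumptions: stunnel 4.x option names, the Debian/Ubuntu CA bundle path /etc/ssl/certs/ca-certificates.crt, and the ssl-us.astraweb.com server name from the config above.

```sh
#!/bin/sh
# Added example, not code from the original post. Assumed: stunnel 4.x option
# names and the Debian/Ubuntu CA bundle path below.

NEWS_HOST=ssl-us.astraweb.com                    # server name from the post
CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt     # assumption: Ubuntu CA bundle

# Step 1: private key and self-signed certificate (the post's two openssl
# commands, with -subj so the run needs no interactive input).
gen_keypair() {
    dir=$1
    openssl genrsa -out "$dir/priv.pem" 2048 &&
    openssl req -new -x509 -key "$dir/priv.pem" -out "$dir/cert.pem" \
        -days 1095 -subj "/CN=stunnel-client"
}

# Step 2: key, blank line, certificate, blank line into one file, owner-only,
# which is what the post does by hand with nano and chmod 600.
assemble_pem() {
    key=$1; cert=$2; out=$3
    { cat "$key"; echo; cat "$cert"; echo; } > "$out" && chmod 600 "$out"
}

# Step 3: check the layout the stunnel man page requires: exactly one private
# key block, exactly one certificate block, key first. Returns 0 when correct.
check_pem_layout() {
    f=$1
    nkey=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    ncert=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    if [ "$nkey" -ne 1 ] || [ "$ncert" -ne 1 ]; then
        return 1
    fi
    keyline=$(grep -n -- '-----BEGIN .*PRIVATE KEY-----' "$f" | cut -d: -f1)
    certline=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$f" | cut -d: -f1)
    if [ "$keyline" -lt "$certline" ]; then
        return 0
    fi
    return 1
}

# Returns 0 when the file mode is 0600 (owner read/write only). GNU stat.
perms_ok() {
    [ "$(stat -c %a "$1")" = "600" ]
}

# Step 4: client-side stunnel.conf. Unlike the post's config it refuses SSLv3
# and verifies the server certificate, so a connection to anything other than
# a server holding a CA-signed certificate for the tunnel is dropped.
write_conf() {
    out=$1; pem=$2; host=$3
    cat > "$out" <<EOF
cert = $pem
sslVersion = TLSv1
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid

; verify = 2 drops the connection unless the server certificate chains to CAfile
verify = 2
CAfile = $CA_BUNDLE

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[nntp]
client = yes
accept = 127.0.0.1:119
connect = $host:563
EOF
}

# Optional live check (needs network): does the news server's certificate
# chain to the CA bundle? Prints openssl's "Verify return code" line.
check_server_cert() {
    echo | openssl s_client -connect "$1:563" -CAfile "$CA_BUNDLE" 2>/dev/null \
        | grep 'Verify return code'
}

# Full run as root, for example:
#   gen_keypair /tmp/st && assemble_pem /tmp/st/priv.pem /tmp/st/cert.pem \
#     /etc/ssl/certs/stunnel.pem && check_pem_layout /etc/ssl/certs/stunnel.pem \
#     && write_conf /etc/stunnel/stunnel.conf /etc/ssl/certs/stunnel.pem "$NEWS_HOST"
```

check_server_cert is worth running once before trusting the tunnel: a "Verify return code: 0 (ok)" line means the server's certificate chains to the bundle, which is the condition verify = 2 enforces on every connection. Newer stunnel releases replace sslVersion with sslVersionMin; on those, set the minimum to TLSv1.2 instead.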