Sunday, March 18, 2012

Installing Stunnel to Enable SSL Connections in Pan Newsreader

I'd like my newsreading activity to remain private and I enjoy using the Pan Newsreader. The newsreader is open and free, but unfortunately doesn't support SSL connections. My news provider astraweb does support SSL at no additional cost. So I decided to take the plunge and utilize stunnel to encrypt connections to my news service provider on my 64-bit Kubuntu Linux machine. Hope the following procedure helps anyone trying to do the same.

Install stunnel4 from the Ubuntu repositories:

sudo apt-get install stunnel4
Configure stunnel to start automatically by editing the main configuration file with the nano text editor (my favorite) and changing the ENABLED=0 line to 1:
sudo nano /etc/default/stunnel4
ENABLED=1
Copy the example configuration /usr/share/doc/stunnel4/examples/stunnel.conf-sample to /etc/stunnel/
sudo cp /usr/share/doc/stunnel4/examples/stunnel.conf-sample /etc/stunnel/stunnel.conf
Edit the newly copied configuration file to make news requests secure:
Uncomment the line (remove the ;) to enable client secure tunnels
client=yes
Uncomment the line (remove the ;) to add compression to stunnel traffic
compression = zlib
Add the lines to encrypt news (port 119) traffic:
accept = localhost:119
connect = ssl.astraweb.com:563
Allow nntp in the /etc/hosts.allow file
sudo nano /etc/hosts.allow
nntp: 127.0.0.1
Before you can start and use stunnel, you need a key. Upon installation, stunnel does not come with a key file, so you need to generate your own.
Generate the private key with this command:
openssl genrsa -out priv.pem
and then create the self-signed certificate with this one:
openssl req -new -x509 -key priv.pem -out stunnel.pem -days 1095
You will have two files. One named priv.pem, the other stunnel.pem.
You need to add the content of priv.pem into stunnel.pem to have a complete key. The stunnel man page states the format of the key should look like this:
-----BEGIN RSA PRIVATE KEY-----
[encoded key]
-----END RSA PRIVATE KEY-----
[empty line]
-----BEGIN CERTIFICATE-----
[encoded certificate]
-----END CERTIFICATE-----
[empty line]
sudo nano priv.pem
sudo nano stunnel.pem
sudo mv stunnel.pem /etc/ssl/certs/stunnel.pem
After you have done this, set the right permissions to secure the key file:
chmod 600 /etc/ssl/certs/stunnel.pem
Start Stunnel4:
sudo /etc/init.d/stunnel4 start
The next step is to configure Pan Newsreader to make its newsreader requests to stunnel4. Then stunnel will make the secure connections with the astraweb news servers:

Start Pan and enter the following settings for your secure newsgroup server (Edit:Edit News Servers:Add):

Set the Location Address to: "localhost" (without the quotes).
Set the port to: 119
Enter your Login information if required by your astraweb setup.
The last thing I do is change my connection limit for the astraweb news servers to 50. You can't do this in the GUI, so I just do a quick edit of the Pan configuration file:
sudo nano ~/.pan2/servers.xml
and change the connection limit from 4 to 50
<connection-limit>50</connection-limit>
Happy secure newsreading. If you want to check the version of stunnel that you're running, you can:
stunnel4 -version
UPDATED 12/31/2012: Here is my working /etc/stunnel/stunnel.conf:
cert = /etc/ssl/certs/stunnel.pem
sslVersion = SSLv3
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid

; performance tunings and added compression DT 12/31/2012
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib

; debugging stuff (may be useful for troubleshooting) DT 13/31/2012 (log doesn't write out; look in /var/log/syslog)
;debug = 7
;output = /var/log/stunnel4/stunnel.log
; service-level configuration

[nntp]
client = yes
accept = localhost:119
connect = ssl-us.astraweb.com:563
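
The configuration above encrypts the NNTP session, but it sets no `verify` option and pins `sslVersion = SSLv3`, so the client does not authenticate the server certificate and negotiates a deprecated protocol version. The following check is an added example, not part of the original post: the function name and finding labels are made up here, and the embedded sample reproduces the post's protocol and `[nntp]` settings.

```shell
#!/bin/sh
# Added example: audit an stunnel config for three weaknesses. The function
# name and the finding labels are made up for this illustration.
audit_stunnel_conf() {
    awk '
    function get(sec, key) {    # service value, else the global default
        return ((sec, key) in opt) ? opt[sec, key] : opt["global", key]
    }
    BEGIN { sec = "global" }
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }      # trim
    /^[;#]/ || /^$/ { next }                          # comments, blanks
    /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); order[++n] = sec; next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key); sub(/^[ \t]+/, "", val)
        opt[sec, key] = val
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            v = get(s, "sslversion")
            if (v ~ /^SSLv[23]$/)
                print "WEAK-PROTOCOL [" s "] sslVersion = " v
            if (tolower(get(s, "client")) == "yes" && get(s, "verify") + 0 < 2 &&
                tolower(get(s, "verifychain")) != "yes" &&
                tolower(get(s, "verifypeer")) != "yes")
                print "NO-SERVER-AUTH [" s "] client mode without certificate verification"
            a = get(s, "accept")
            if (a != "" && a !~ /^(localhost|127\.0\.0\.1|::1):[0-9]+$/)
                print "EXPOSED-LISTENER [" s "] accept = " a
        }
    }' "$1"
}

# Constructed sample: the protocol and [nntp] settings from the post's config.
sample_conf() {
    cat <<'EOF'
sslVersion = SSLv3
[nntp]
client = yes
accept = localhost:119
connect = ssl-us.astraweb.com:563
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_stunnel_conf "$tmp"; rm -f "$tmp"
```

A client section stops being flagged once it sets `verify = 2` (with a `CAfile` or `CApath`) or, in stunnel 5.x, `verifyChain = yes`, and once `sslVersion` names a TLS version.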

Saturday, March 17, 2012

Fixed - Windows 7 Home Won't Accept My Windows 2000 Server Share Login and Password

For whatever reason my Windows 7 machine stopped accepting my credentials for my Windows 2000 server mapped drive shares. I had been using mapped drives in Windows 7 for at least a year. I did have a stuck Windows 7 upgrade that forced me to go back to a previous restore point. I also ended up reinstalling my antivirus. I could log in via remote desktop, so I knew the credentials were correct and the account was not locked.

The solution that worked in about 30 seconds was adding the LmCompatibilityLevel registry key to my Windows 7 Home PC:
  1. Open Notepad (or your favorite text editor).
  2. Copy the text below and paste in Notepad:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "LmCompatibilityLevel"=dword:00000002
  3. Save the file on your desktop (or anywhere else) as name.reg - ".reg" is important.
  4. Run the file and press yes on the 2 pop ups.
There is no need to restart; my mapped drive just began working again. Hope this helps you out. All the file above does is change one registry key.

The original reference pointed here, but I don't read Norwegian:
http://www.ntnu.no/itinfo/read_article.php?aid=711 


Microsoft's documentation on the registry LmCompatibilityLevel key is here:
http://technet.microsoft.com/en-us/library/cc960646.aspx


I found a useful (but long post) on the problem here:
http://social.technet.microsoft.com/Forums/en-US/w7itprovirt/thread/e08c3500-a722-4b44-b644-64f94f63c8e5

and a shorter one later found here:
http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_programs/windows7-adds-the-computername-to-the-username/606ab4d3-1863-4160-9fc0-b6dfa9533d88