Installing Stunnel to Enable SSL Connections in Pan Newsreader

I'd like my newsreading activity to remain private and I enjoy using the PAN Newsreader. The newsreader is open and free, but unfortunately doesn't support SSL connections. My news provider astraweb does support SSL at no additional cost. So I decided to take the plunge and utilize stunnel to encrypt connections to my news service provider on my 64-bit Kubuntu linux machine. Hope the following procedure helps anyone trying to do the same.

Install stunnel4 from the Ubuntu repositories:

sudo apt-get install stunnel4
Configure stunnel to start automatically by editing the main configuration file with the nano text editor (my favorite) and changing the ENABLED=0 line to 1:
sudo nano /etc/default/stunnel4
ENABLED=1
Copy the example configuration /usr/share/doc/stunnel4/examples/stunnel.conf-sample to /etc/stunnel/:
sudo cp /usr/share/doc/stunnel4/examples/stunnel.conf-sample /etc/stunnel/stunnel.conf
Edit the newly copied configuration file to make news requests secure.
Uncomment the line (remove the ;) to run stunnel in client mode, so it makes outbound secure tunnels:
client=yes
Uncomment the line (remove the ;) to add compression to stunnel traffic:
compression = zlib
Add the lines to encrypt news (port 119) traffic:
accept = localhost:119
connect = ssl.astraweb.com:563
Allow the nntp service in the /etc/hosts.allow file:
sudo nano /etc/hosts.allow
nntp: 127.0.0.1
Before you can use and start stunnel, you need a key. Upon installation, stunnel does not come with a key file, so you need to generate your personal key. First generate the private key:
openssl genrsa -out priv.pem
and then create a self-signed certificate from it:
openssl req -new -x509 -key priv.pem -out stunnel.pem -days 1095
You will have two files: one named priv.pem, the other stunnel.pem.
You need to add the content of priv.pem into stunnel.pem to have a complete key file. The stunnel man page states the format of the key file should look like this:
-----BEGIN RSA PRIVATE KEY-----
[encoded key]
-----END RSA PRIVATE KEY-----
[empty line]
-----BEGIN CERTIFICATE-----
[encoded certificate]
-----END CERTIFICATE-----
[empty line]
Open priv.pem, copy its contents, and paste them above the certificate in stunnel.pem, separated by an empty line:
sudo nano priv.pem
sudo nano stunnel.pem
sudo mv stunnel.pem /etc/ssl/certs/stunnel.pem
After you have done this, set the right permissions to secure the key file:
chmod 600 /etc/ssl/certs/stunnel.pem
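As an added example (not part of the original post), a small POSIX shell script that builds stunnel.pem in the order the man page requires and checks the result before you install it. It assumes the certificate from the openssl req command was written to cert.pem rather than stunnel.pem.

```shell
#!/bin/sh
# Added example (not from the original post): build stunnel.pem in the order
# the stunnel man page requires (private key, blank line, certificate, blank
# line) and check the result before installing it. File names are assumptions.

# assemble_pem KEY CERT OUT: concatenate with the required blank separators.
assemble_pem() {
    ( umask 077                         # the combined file is created 0600
      { cat "$1"; echo; cat "$2"; echo; } > "$3" )
}

# check_pem FILE: print "ok", or one reason why stunnel would not accept it.
check_pem() {
    key_end=$(grep -n -- '-----END .*PRIVATE KEY-----' "$1" | head -1 | cut -d: -f1)
    cert_begin=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$1" | head -1 | cut -d: -f1)
    [ -n "$key_end" ]    || { echo "no private key block"; return 1; }
    [ -n "$cert_begin" ] || { echo "no certificate block"; return 1; }
    [ "$key_end" -lt "$cert_begin" ] || { echo "certificate precedes key"; return 1; }
    # the line right after the key block must be empty
    [ -z "$(sed -n "$((key_end + 1))p" "$1")" ] || { echo "missing blank line after key"; return 1; }
    echo ok
}

# Typical use after the two openssl commands above (certificate assumed in cert.pem):
#   assemble_pem priv.pem cert.pem stunnel.pem && check_pem stunnel.pem
#   sudo mv stunnel.pem /etc/ssl/certs/stunnel.pem
```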
Start Stunnel4:
sudo /etc/init.d/stunnel4 start
The next step is to configure Pan Newsreader to send its news requests to stunnel4. stunnel will then make the secure connections to the astraweb news servers:

Start Pan and enter the following settings for your secure newsgroup server (Edit:Edit News Servers:Add):

Set the Location Address to: "localhost" (without the quotes).
Set the port to: 119
Enter your Login information if required by your astraweb setup.
The last thing I do is change my connection limit for the astraweb News servers to 50. You can't do this in the GUI, so I just do a quick edit of the Pan configuration file:
sudo nano ~/.pan2/servers.xml
and change the connection limit from 4 to 50
<connection-limit>50</connection-limit>
Happy secure newsreading. If you want to check the version of stunnel that you're running you can:
stunnel4 -version
UPDATED 12/31/2012: Here is my working /etc/stunnel/stunnel.conf:
cert = /etc/ssl/certs/stunnel.pem
sslVersion = SSLv3
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid

; performance tunings and added compression DT 12/31/2012
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib

; debugging stuff (may be useful for troubleshooting) DT 13/31/2012 log doesn't write out, look in /var/log/syslog)
;debug = 7
;output = /var/log/stunnel4/stunnel.log
; service-level configuration

[nntp]
client = yes
accept = localhost:119
connect = ssl-us.astraweb.com:563
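As an added example (not the post's own config or code), here is a small shell audit of the client settings in a stunnel 4.x conf like the one above: it flags sslVersion = SSLv3 and the missing verify setting, and writes a hardened copy that requires TLS and checks the server certificate against the system CA bundle. The option names are real stunnel options; the CA bundle path is assumed to be the Debian/Ubuntu one.

```shell
#!/bin/sh
# Added example (not from the original post): audit a stunnel 4.x client conf
# such as the one above for two weaknesses, and write a hardened copy. Option
# names are real stunnel options; the CA bundle path is a Debian/Ubuntu assumption.

# conf_get FILE OPTION: value of OPTION (commented ";option" lines are ignored).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -1 | tr -d ' \t\r'
}

# audit_conf FILE: one WEAK line per finding, or "ok".
audit_conf() {
    n=0
    case "$(conf_get "$1" sslVersion)" in
        SSLv2|SSLv3) echo "WEAK: sslVersion pins an obsolete protocol; use TLSv1 or newer"; n=$((n+1)) ;;
    esac
    if [ "$(conf_get "$1" client)" = yes ] && [ -z "$(conf_get "$1" verify)" ]; then
        # stunnel's default verify level is 0: encrypt, but accept any server certificate
        echo "WEAK: client = yes without verify; the server is never authenticated"; n=$((n+1))
    fi
    if [ -n "$(conf_get "$1" verify)" ] && [ -z "$(conf_get "$1" CAfile)$(conf_get "$1" CApath)" ]; then
        echo "WEAK: verify set but no CAfile/CApath, so there are no trust anchors"; n=$((n+1))
    fi
    [ "$n" -eq 0 ] && echo ok
    return 0
}

# harden_conf IN OUT: require TLS and verify the server against the system CA
# bundle. CAfile is read at startup, so it works with the chroot in the conf
# above; a CApath directory would have to live inside the chroot instead.
harden_conf() {
    awk '
        /^[[:space:]]*sslVersion[[:space:]]*=/ { print "sslVersion = TLSv1"; next }
        { print }
        /^[[:space:]]*client[[:space:]]*=[[:space:]]*yes/ {
            print "verify = 2"
            print "CAfile = /etc/ssl/certs/ca-certificates.crt"
        }' "$1" > "$2"
}

# write_sample_conf FILE: the relevant lines of the conf above, for an offline run.
write_sample_conf() {
    printf '%s\n' 'cert = /etc/ssl/certs/stunnel.pem' 'sslVersion = SSLv3' \
        'chroot = /var/lib/stunnel4/' ';debug = 7' '[nntp]' 'client = yes' \
        'accept = localhost:119' 'connect = ssl-us.astraweb.com:563' > "$1"
}
```

Run write_sample_conf, audit_conf and harden_conf on temporary files to see the two findings and the corrected conf; apply the same two changes by hand to /etc/stunnel/stunnel.conf.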

Comments

  1. Thanks for the tutorial. Can you post your /etc/stunnel/stunnel.conf? Also how can it be verified stunnel is working and using the certificates?

  2. Thanks a lot for the tutorial. Yesterday I followed your instructions exactly, turned off the PC, started it again and PAN worked perfectly. Today I tried to use PAN again but it does not work. I have the following error : Error connecting to localhost/Error reading from localhost. What is happening ???

    Replies
    1. My suggestion would be to enable debugging on stunnel.

      1. Remove the semicolon from the line ;debug = 7 in /etc/stunnel/stunnel.conf (use sudo nano /etc/stunnel/stunnel.conf).
      2. Restart stunnel4 (sudo service stunnel4 restart).
      3. When I uncomment the debug line, stunnel writes to my syslog. To see only stunnel messages in your syslog, run something like the following (grep limits the output to stunnel messages only): sudo cat /var/log/syslog | grep stunnel

      My startup looks like this with debugging turned on:
      Clients allowed=500
      stunnel 4.53 on x86_64-pc-linux-gnu platform
      Compiled with OpenSSL 1.0.1 14 Mar 2012
      Running with OpenSSL 1.0.1c 10 May 2012
      Update OpenSSL shared libraries or rebuild stunnel
      Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
      Reading configuration from file /etc/stunnel/stunnel.conf
      Compression enabled: 2 algorithm(s)
      Snagged 64 random bytes from /dev/urandom
      PRNG seeded successfully
      Initializing service section [nntp]
      Certificate: /etc/ssl/certs/stunnel.pem
      Certificate loaded
      Key file: /etc/ssl/certs/stunnel.pem
      Private key loaded
      SSL options set: 0x00000004
      Configuration successful
      Service [nntp] (FD=12) bound to 127.0.0.1:119
      Created pid file /stunnel4.pid

      Looking around, that's a pretty unusual error. I'd definitely double check your configuration. Sorry I can't be of more help.

    2. Thanks David. In the meantime I have seen that, if I run "sudo /etc/init.d/stunnel4 start", I get the following message:
      Starting SSL tunnels: [Failed: /etc/stunnel/stunnel.conf]
      You should check that you have specified the pid= in you configuration file

    3. Last effort here - perhaps another service is listening on port 119. Try:
      sudo netstat -tupan | grep 119

      With stunnel running I get:
      tcp 0 0 127.0.0.1:119 0.0.0.0:* LISTEN 26209/stunnel4

      from https://bugs.launchpad.net/ubuntu/+source/stunnel4/+bug/137472

  3. Thanks. You are a real life saver. :)

  4. Thanks, This blog is really helpful.
