Installing Stunnel to Enable SSL Connections in Pan Newsreader

I'd like my newsreading activity to remain private, and I enjoy using the PAN Newsreader. The newsreader is open and free, but unfortunately doesn't support SSL connections. My news provider astraweb does support SSL at no additional cost, so I decided to take the plunge and utilize stunnel to encrypt connections to my news service provider on my 64-bit Kubuntu Linux machine. Hope the following procedure helps anyone trying to do the same.

Install stunnel4 from the Ubuntu repositories:

sudo apt-get install stunnel4
Configure stunnel to start automatically by editing its defaults file with the nano text editor (my favorite) and changing the ENABLED=0 line to ENABLED=1:
sudo nano /etc/default/stunnel4
ENABLED=1
Copy the example configuration /usr/share/doc/stunnel4/examples/stunnel.conf-sample to /etc/stunnel/
sudo cp /usr/share/doc/stunnel4/examples/stunnel.conf-sample /etc/stunnel/stunnel.conf
Edit the newly copied configuration file to make news requests secure.
Uncomment the line (remove the ;) so stunnel runs in client mode, accepting plain connections locally and making the SSL connections outward:
client=yes
Uncomment the line (remove the ;) to add compression to stunnel traffic:
compression = zlib
Add these lines, inside a service section (the working configuration at the end of this post uses [nntp]), so that plain news (port 119) traffic accepted on localhost is sent over SSL to astraweb's port 563:
accept = localhost:119
connect = ssl.astraweb.com:563
Allow the nntp service from localhost in /etc/hosts.allow (stunnel checks the TCP wrappers rules using the service section name):
sudo nano /etc/hosts.allow
nntp: 127.0.0.1
Before you can start and use stunnel, you need a key. stunnel is not installed with a key file, so you need to generate your personal key.
Generate the private key with this command:
openssl genrsa -out priv.pem
and then create a self-signed certificate from it, valid for 1095 days (three years):
openssl req -new -x509 -key priv.pem -out stunnel.pem -days 1095
You will have two files, priv.pem and stunnel.pem.
You need to add the content of priv.pem into stunnel.pem so that one file holds both the key and the certificate. The stunnel man page states the format of the file should look like this:
-----BEGIN RSA PRIVATE KEY-----
[encoded key]
-----END RSA PRIVATE KEY-----
[empty line]
-----BEGIN CERTIFICATE-----
[encoded certificate]
-----END CERTIFICATE-----
[empty line]
Open both files, copy the whole private key block from priv.pem, and paste it at the top of stunnel.pem followed by an empty line:
sudo nano priv.pem
sudo nano stunnel.pem
Then move the combined file into place:
sudo mv stunnel.pem /etc/ssl/certs/stunnel.pem
Once that is done, set the right permissions so that only the file's owner can read the key file:
chmod 600 /etc/ssl/certs/stunnel.pem
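Here is an added shell example (my own illustration, not commands from the original post) that carries out the key-and-certificate step above end to end: it runs the same two openssl commands (with an explicit 2048-bit key size and a placeholder subject so no prompts appear), stitches priv.pem and stunnel.pem together in the layout quoted from the stunnel man page, locks the result to mode 600, and checks the file before it would be moved under /etc. It works in a temporary directory, so nothing on the system is touched.

```shell
# Added example, not the post's own commands: assemble the combined
# key + certificate file in the layout the stunnel man page describes,
# lock its permissions, and sanity-check the result.  File names match
# the post (priv.pem, stunnel.pem); the work directory is a temporary one.

set -eu

# combine_pem KEY CERT OUT: writes KEY, an empty line, CERT, an empty line
# into OUT.  The umask makes OUT unreadable by others from the moment it
# is created, and chmod pins the final mode to 600.
combine_pem() {
    (
        umask 077
        { cat "$1"; echo; cat "$2"; echo; } > "$3"
    )
    chmod 600 "$3"
}

# check_pem FILE: returns 0 if FILE holds a private-key block, then a
# certificate block after it, and is mode 600; returns 1 otherwise.
check_pem() {
    f=$1
    key_at=$(grep -n -- '-----BEGIN .*PRIVATE KEY-----' "$f" | head -n1 | cut -d: -f1)
    cert_at=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$f" | head -n1 | cut -d: -f1)
    [ -n "$key_at" ] && [ -n "$cert_at" ] || return 1
    [ "$key_at" -lt "$cert_at" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ]
}

# make_pem DIR: generate priv.pem and stunnel.pem in DIR with openssl, as
# the post does (2048-bit key, placeholder subject so req does not prompt),
# then merge them into DIR/stunnel-combined.pem and print that path.
make_pem() {
    d=$1
    openssl genrsa -out "$d/priv.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/priv.pem" -out "$d/stunnel.pem" -days 1095 \
        -subj "/CN=stunnel-client" 2>/dev/null
    combine_pem "$d/priv.pem" "$d/stunnel.pem" "$d/stunnel-combined.pem"
    echo "$d/stunnel-combined.pem"
}

# Stand-alone run: only when openssl is installed.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    out=$(make_pem "$work")
    check_pem "$out" && echo "OK: $out is in stunnel's key+cert layout"
fi
```

After running it, the printed file is what you would copy to /etc/ssl/certs/stunnel.pem; check_pem is worth keeping around as a quick test whenever the file is edited by hand, because a key block pasted below the certificate, or a mode loosened by a later copy, are exactly the mistakes that are hard to spot in nano.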
Start Stunnel4:
sudo /etc/init.d/stunnel4 start
The next step is to configure Pan Newsreader to send its news requests to stunnel4, which then makes the secure connections to the astraweb news servers:

Start Pan and enter the following settings for your secure newsgroup server (Edit:Edit News Servers:Add):

Set the Location Address to: "localhost" (without the quotes).
Set the port to: 119
Enter your Login information if required by your astraweb setup.
The last thing I do is raise my connection limit for the astraweb news servers to 50. You can't do this in the GUI, so I just do a quick edit of the Pan configuration file:
sudo nano ~/.pan2/servers.xml
and change the connection limit from 4 to 50:
<connection-limit>50</connection-limit>
Happy secure newsreading. If you want to check the version of stunnel that you're running, you can:
stunnel4 -version
UPDATED 12/31/2012: Here is my working /etc/stunnel/stunnel.conf:
cert = /etc/ssl/certs/stunnel.pem
sslVersion = SSLv3
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid

; performance tunings and added compression DT 12/31/2012
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib

; debugging stuff (may be useful for troubleshooting) DT 13/31/2012 - the log file doesn't get written; look in /var/log/syslog instead
;debug = 7
;output = /var/log/stunnel4/stunnel.log
; service-level configuration

[nntp]
client = yes
accept = localhost:119
connect = ssl-us.astraweb.com:563

Comments

  1. Thanks for the tutorial. Can you post your /etc/stunnel/stunnel.conf? Also how can it be verified stunnel is working and using the certificates?

  2. Thanks a lot for the tutorial. Yesterday I followed your instructions exactly, turned off the PC, started it again and PAN worked perfectly. Today I tried to use PAN again but it does not work. I have the following error : Error connecting to localhost/Error reading from localhost. What is happening ???

    1. My suggestion would be to enable debugging on stunnel.

      1. Remove the semicolon from the line ;debug = 7 in /etc/stunnel/stunnel.conf (use sudo nano /etc/stunnel/stunnel.conf).
      2. Restart stunnel4 (sudo service stunnel4 restart).
      3. When I uncomment the debug line, stunnel writes to my syslog. To see only stunnel messages in your syslog, run something like the following (grep limits the output to stunnel messages only): sudo cat /var/log/syslog | grep stunnel

      My startup log looks like this with debugging turned on:
      Clients allowed=500
      stunnel 4.53 on x86_64-pc-linux-gnu platform
      Compiled with OpenSSL 1.0.1 14 Mar 2012
      Running with OpenSSL 1.0.1c 10 May 2012
      Update OpenSSL shared libraries or rebuild stunnel
      Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
      Reading configuration from file /etc/stunnel/stunnel.conf
      Compression enabled: 2 algorithm(s)
      Snagged 64 random bytes from /dev/urandom
      PRNG seeded successfully
      Initializing service section [nntp]
      Certificate: /etc/ssl/certs/stunnel.pem
      Certificate loaded
      Key file: /etc/ssl/certs/stunnel.pem
      Private key loaded
      SSL options set: 0x00000004
      Configuration successful
      Service [nntp] (FD=12) bound to 127.0.0.1:119
      Created pid file /stunnel4.pid

      Looking around, that's a pretty unusual error. I'd definitely double check your configuration. Sorry I can't be of more help.

    2. Thanks David. In the meantime I have seen that, if I run "sudo /etc/init.d/stunnel4 start", I get the following message:
      Starting SSL tunnels: [Failed: /etc/stunnel/stunnel.conf]
      You should check that you have specified the pid= in your configuration file

    3. Last effort here - perhaps another service is listening on port 119. Try:
      sudo netstat -tupan | grep 119

      With stunnel running I get:
      tcp 0 0 127.0.0.1:119 0.0.0.0:* LISTEN 26209/stunnel4

      from https://bugs.launchpad.net/ubuntu/+source/stunnel4/+bug/137472

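As an added illustration of the check in the reply above (my own example, not part of the original post or its comments), the following shell functions parse "netstat -tupan" output and confirm that the process listening on 127.0.0.1:119 really is stunnel4. The two sample outputs are constructed to look like netstat's format: one healthy, and one where some other program already holds port 119, which is the situation the reply suspects.

```shell
# Added example, not from the original post or its comments: confirm that
# the listener on 127.0.0.1:119 is stunnel4 by parsing "netstat -tupan"
# output.  The sample lines below are constructed; to check a live system
# pipe the real command in:  sudo netstat -tupan | tunnel_ok 127.0.0.1:119

set -eu

# listener_program ADDR:PORT < netstat-output
# Prints the "PID/Program" field of the LISTEN socket bound to ADDR:PORT,
# or nothing if no such listener is present.  netstat -tupan columns are:
# proto recv-q send-q local-address foreign-address state pid/program
listener_program() {
    awk -v want="$1" '$1 == "tcp" && $4 == want && $6 == "LISTEN" { print $7 }'
}

# tunnel_ok ADDR:PORT < netstat-output
# Returns 0 when the listener on ADDR:PORT is stunnel4 (any PID),
# 1 when something else holds the port or nothing is listening there.
tunnel_ok() {
    prog=$(listener_program "$1")
    case "$prog" in
        */stunnel4) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample: stunnel4 bound to 127.0.0.1:119 (the line quoted in
# the reply above), plus an unrelated ssh listener.
SAMPLE_OK='tcp 0 0 127.0.0.1:119 0.0.0.0:* LISTEN 26209/stunnel4
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 811/sshd'

# Constructed sample of the failure the reply suspects: another daemon
# (hypothetical name) already owns port 119 on all addresses, so stunnel
# could not bind it and no 127.0.0.1:119 stunnel4 entry appears.
SAMPLE_BUSY='tcp 0 0 0.0.0.0:119 0.0.0.0:* LISTEN 4120/some-other-daemon'

if printf '%s\n' "$SAMPLE_OK" | tunnel_ok 127.0.0.1:119; then
    echo "port 119 on 127.0.0.1 is served by stunnel4"
fi
if ! printf '%s\n' "$SAMPLE_BUSY" | tunnel_ok 127.0.0.1:119; then
    echo "port 119 on 127.0.0.1 is not served by stunnel4"
fi
```

The second sample matters because netstat shows a 0.0.0.0:119 listener from another program, not a 127.0.0.1:119 one; tunnel_ok deliberately looks for the exact address stunnel is configured to bind, so a stray server on the same port shows up as a failure rather than a false pass.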
  3. Thanks. You are a real life saver. :)

  4. Thanks, This blog is really helpful.
