Check certificate for news server (testing neodome)

<undqeu$tpek$1@paganini.bofh.team>

https://novabbs.com/computers/article-flat.php?id=3639&group=alt.free.newsservers#3639
Path: i2pn2.org!i2pn.org!nntp.comgw.net!paganini.bofh.team!not-for-mail
From: ron...@nospam.me (Ronald)
Newsgroups: alt.free.newsservers
Subject: Check certificate for news server (testing neodome)
Date: Sun, 7 Jan 2024 04:21:34 -0500
Organization: To protect and to server
Message-ID: <undqeu$tpek$1@paganini.bofh.team>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Injection-Date: Sun, 7 Jan 2024 09:21:35 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="976340"; posting-host="R8jzoRbLjiM/r2rQyny/kg.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
User-Agent: 40tude_Dialog/2.0.15.41 (Beta 38)
Cancel-Lock: sha256:nuLGrY3Dhn2Th+5jMhJ9PEJzWbm/Z1FUmPMAsf1B9Gk=
X-Notice: Filtered by postfilter v. 0.9.3
 by: Ronald - Sun, 7 Jan 2024 09:21 UTC

On Windows, I ran this command just now.
echo q | openssl s_client -connect news.neodome.net:563 | openssl x509 -noout -enddate | findstr "notAfter"

It reported this result:
depth=0 O = Neodome, CN = neodome.net, emailAddress = admin@neodome.net
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Neodome, CN = neodome.net, emailAddress = admin@neodome.net
verify error:num=10:certificate has expired
notAfter=Dec 31 21:59:46 2020 GMT
verify return:1
depth=0 O = Neodome, CN = neodome.net, emailAddress = admin@neodome.net
notAfter=Dec 31 21:59:46 2020 GMT
verify return:1
notAfter=Dec 31 21:59:46 2020 GMT
DONE

Then I ran this command.
openssl s_client -ign_eof -connect news.neodome.net:563

Which reported a long output but I cut out the non errors to result in this.
verify error:num=10:certificate has expired
Verification error: certificate has expired
Verify return code: 10 (certificate has expired)

But Neodome uses a self-signed certificate.
So it's never supposed to expire, right?

I don't know what the output is SUPPOSED to be for a self-signed certificate.
I don't even know what a self-signed certificate even means.

Can you help me make better sense of the output and how to fix it?

Re: Check certificate for news server (testing neodome)

<rfCmN.1230626$ggv4.1131912@usenetxs.com>

https://novabbs.com/computers/article-flat.php?id=3640&group=alt.free.newsservers#3640
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!newsreader4.netcologne.de!news.netcologne.de!peer02.ams1!peer.ams1.xlned.com!news.xlned.com!peer02.ams4!peer.am4.highwinds-media.com!news.highwinds-media.com!fx11.ams4.POSTED!not-for-mail
Subject: Re: Check certificate for news server (testing neodome)
Newsgroups: alt.free.newsservers
References: <undqeu$tpek$1@paganini.bofh.team>
From: Ton...@TheDeliKing.ca (Tony)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101
Firefox/60.0 SeaMonkey/2.53.2
MIME-Version: 1.0
In-Reply-To: <undqeu$tpek$1@paganini.bofh.team>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Lines: 37
Message-ID: <rfCmN.1230626$ggv4.1131912@usenetxs.com>
X-Complaints-To: https://www.astraweb.com/aup
NNTP-Posting-Date: Sun, 07 Jan 2024 18:41:27 UTC
Date: Sun, 7 Jan 2024 13:41:25 -0500
X-Received-Bytes: 2292
 by: Tony - Sun, 7 Jan 2024 18:41 UTC

Ronald wrote:
> On Windows, I ran this command just now.
> echo q | openssl s_client -connect news.neodome.net:563 | openssl x509 -noout -enddate | findstr "notAfter"
>
> It reported this result:
> depth=0 O = Neodome, CN = neodome.net, emailAddress = admin@neodome.net
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 O = Neodome, CN = neodome.net, emailAddress = admin@neodome.net
> verify error:num=10:certificate has expired
> notAfter=Dec 31 21:59:46 2020 GMT
> verify return:1
> depth=0 O = Neodome, CN = neodome.net, emailAddress = admin@neodome.net
> notAfter=Dec 31 21:59:46 2020 GMT
> verify return:1
> notAfter=Dec 31 21:59:46 2020 GMT
> DONE
>
> Then I ran this command.
> openssl s_client -ign_eof -connect news.neodome.net:563
>
> Which reported a long output but I cut out the non errors to result in this.
> verify error:num=10:certificate has expired
> Verification error: certificate has expired
> Verify return code: 10 (certificate has expired)
>
> But Neodome uses a self-signed certificate.
> So it's never supposed to expire, right?
>
> I don't know what the output is SUPPOSED to be for a self-signed certificate.
> I don't even know what a self-signed certificate even means.
>
> Can you help me make better sense of the output and how to fix it?
>

I couldn't get it to work on port 563 but it works on port 119 but I
couldn't post replies just read only. On Seamonkey.

Re: Check certificate for news server (testing neodome)

<unevbk$6eke$2@solani.org>

https://novabbs.com/computers/article-flat.php?id=3641&group=alt.free.newsservers#3641
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!reader5.news.weretis.net!news.solani.org!.POSTED!not-for-mail
From: mm+sol...@dorfdsl.de (Marco Moock)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Sun, 7 Jan 2024 20:51:16 +0100
Message-ID: <unevbk$6eke$2@solani.org>
References: <undqeu$tpek$1@paganini.bofh.team>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 7 Jan 2024 19:51:16 -0000 (UTC)
Injection-Info: solani.org;
logging-data="211598"; mail-complaints-to="abuse@news.solani.org"
Cancel-Lock: sha1:oXZxeWxxHKUuSth6SEJVOdjifOU=
X-User-ID: eJwVysEBgCAMBMGWhGQPLAcv0n8J6HuGUJNHCiWbPXurLHG/T5DYDEcxgKqfQf2r00vLdR0OyRCx
X-Newsreader: Claws Mail 4.2.0 (GTK 3.24.38; x86_64-pc-linux-gnu)
 by: Marco Moock - Sun, 7 Jan 2024 19:51 UTC

On 07.01.2024 at 04:21:34, Ronald wrote:

> Which reported a long output but I cut out the non errors to result in this.
> verify error:num=10:certificate has expired
> Verification error: certificate has expired
> Verify return code: 10 (certificate has expired)
>
> But Neodome uses a self-signed certificate.
> So it's never supposed to expire, right?

That is not related to self-signed.

> I don't know what the output is SUPPOSED to be for a self-signed
> certificate. I don't even know what a self-signed certificate even
> means.

It means that the certificate isn't signed by an authority upper in the
hierarchy.
The default for most software is to reject those certificates because
they can't be checked against the authorized CAs.

> Can you help me make better sense of the output and how to fix it?

It is a fault at their side.
The cert is invalid for 3 years - they don't seem to care. Contact them
by email and tell them about that, so they can fix it.

admin@neodome.net

Re: Check certificate for news server (testing neodome)

<unevpm$6eke$3@solani.org>

https://novabbs.com/computers/article-flat.php?id=3642&group=alt.free.newsservers#3642
Path: i2pn2.org!i2pn.org!nntp.comgw.net!weretis.net!feeder8.news.weretis.net!reader5.news.weretis.net!news.solani.org!.POSTED!not-for-mail
From: mm+sol...@dorfdsl.de (Marco Moock)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Sun, 7 Jan 2024 20:58:46 +0100
Message-ID: <unevpm$6eke$3@solani.org>
References: <undqeu$tpek$1@paganini.bofh.team>
<rfCmN.1230626$ggv4.1131912@usenetxs.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 7 Jan 2024 19:58:46 -0000 (UTC)
Injection-Info: solani.org;
logging-data="211598"; mail-complaints-to="abuse@news.solani.org"
Cancel-Lock: sha1:Viszb7jbpLgS8mS6VJ/CsNtL9Yo=
X-User-ID: eJwFwYEBwCAIA7CXBGmRc4aj/59ggk3jzSAYEHRuT0iK7mXThuP+Z3pWJUuDwnweq7dE5n0q4RFN
X-Newsreader: Claws Mail 4.2.0 (GTK 3.24.38; x86_64-pc-linux-gnu)
 by: Marco Moock - Sun, 7 Jan 2024 19:58 UTC

On 07.01.2024 at 13:41:25, Tony wrote:

> I couldn't get it to work on port 563 but it works on port 119 but I
> couldn't post replies just read only. On Seamonkey.

Works for me on 563 (I haven't tested posting or reading, only
connecting).

openssl s_client -ign_eof -connect news.neodome.net:563

119 is usable and offers STARTTLS:
openssl s_client -starttls nntp -ign_eof -connect news.neodome.net:119

Although, posting is not allowed there.

Re: Check certificate for news server (testing neodome)

<te1s6kxkvs.ln2@Telcontar.valinor>

https://novabbs.com/computers/article-flat.php?id=3643&group=alt.free.newsservers#3643
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: robin_li...@es.invalid (Carlos E.R.)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 02:58:21 +0100
Lines: 48
Message-ID: <te1s6kxkvs.ln2@Telcontar.valinor>
References: <undqeu$tpek$1@paganini.bofh.team>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net nETi0DZ/wbuXlwTLpdy4/gUNluhMLqFyZPjuZyKjwe9YxE1rx6
X-Orig-Path: Telcontar.valinor!not-for-mail
Cancel-Lock: sha1:6QdyA4BfK88afkhWHe1w1hUM5LQ= sha256:LEYGN/xqpaOGy6eB+f3mpAecNUXZczyHa/0iE0PC2K8=
User-Agent: Mozilla Thunderbird
Content-Language: es-ES, en-CA
In-Reply-To: <undqeu$tpek$1@paganini.bofh.team>
 by: Carlos E.R. - Mon, 8 Jan 2024 01:58 UTC

On 2024-01-07 10:21, Ronald wrote:
> On Windows, I ran this command just now.
> echo q | openssl s_client -connect news.neodome.net:563 | openssl x509 -noout -enddate | findstr "notAfter"
>
> It reported this result:
> depth=0 O = Neodome, CN = neodome.net, emailAddress = admin@neodome.net
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 O = Neodome, CN = neodome.net, emailAddress = admin@neodome.net
> verify error:num=10:certificate has expired
> notAfter=Dec 31 21:59:46 2020 GMT
> verify return:1
> depth=0 O = Neodome, CN = neodome.net, emailAddress = admin@neodome.net
> notAfter=Dec 31 21:59:46 2020 GMT
> verify return:1
> notAfter=Dec 31 21:59:46 2020 GMT
> DONE
>
> Then I ran this command.
> openssl s_client -ign_eof -connect news.neodome.net:563
>
> Which reported a long output but I cut out the non errors to result in this.
> verify error:num=10:certificate has expired
> Verification error: certificate has expired
> Verify return code: 10 (certificate has expired)
>
> But Neodome uses a self-signed certificate.
> So it's never supposed to expire, right?

No. They are different and independent properties. A self signed
certificate can certainly expire. Depending on your client software, you
can ignore that and make an exception.

>
> I don't know what the output is SUPPOSED to be for a self-signed certificate.
> I don't even know what a self-signed certificate even means.

That it is not signed by a certificate authority, and thus will not be
accepted automatically by your client software.

>
> Can you help me make better sense of the output and how to fix it?

You can not _fix_ it. Not in your power.

--
Cheers, Carlos.
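
The two errors in the output quoted above are separate findings, which is the point of this reply. As an added example (not part of any post in this thread), the Python below parses that `openssl s_client` output and reports the trust problem and the validity problem independently; the two extra samples and the three client policies are constructed, simplified assumptions.

```python
import re
from datetime import datetime, timezone

# Output copied from the first post in this thread.
THREAD_OUTPUT = """\
depth=0 O = Neodome, CN = neodome.net, emailAddress = admin@neodome.net
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Neodome, CN = neodome.net, emailAddress = admin@neodome.net
verify error:num=10:certificate has expired
notAfter=Dec 31 21:59:46 2020 GMT
verify return:1
depth=0 O = Neodome, CN = neodome.net, emailAddress = admin@neodome.net
notAfter=Dec 31 21:59:46 2020 GMT
verify return:1
notAfter=Dec 31 21:59:46 2020 GMT
DONE
"""

# Constructed samples (not from the thread): each problem on its own.
SELF_SIGNED_ONLY = """\
depth=0 CN = pinned.example
verify error:num=18:self signed certificate
verify return:1
notAfter=Dec 31 21:59:46 2030 GMT
"""
EXPIRED_ONLY = """\
depth=0 CN = ca-signed.example
verify error:num=10:certificate has expired
verify return:1
notAfter=Dec 31 21:59:46 2020 GMT
"""

# Injection-Date of the first post, used as "now" so the result is reproducible.
POST_TIME = datetime(2024, 1, 7, 9, 21, 35, tzinfo=timezone.utc)

# OpenSSL verify error numbers, grouped by the property that failed.
TRUST_CODES = {18, 19, 20, 21}   # who signed it: self-signed or unknown issuer
VALIDITY_CODES = {9, 10}         # when it is valid: not yet valid or expired


def parse_verify_output(text):
    """Return (sorted unique verify error codes, notAfter as UTC datetime or None)."""
    codes, not_after = set(), None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"verify error:num=(\d+):", line)
        if m:
            codes.add(int(m.group(1)))  # s_client repeats lines; keep each code once
            continue
        m = re.match(r"notAfter=(.+) GMT$", line)
        if m:
            parsed = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
            not_after = parsed.replace(tzinfo=timezone.utc)
    return sorted(codes), not_after


def assess(text, now):
    """Classify the findings and model how three kinds of client would react."""
    codes, not_after = parse_verify_output(text)
    trust = any(c in TRUST_CODES for c in codes)
    validity = any(c in VALIDITY_CODES for c in codes)
    other = any(c not in TRUST_CODES | VALIDITY_CODES for c in codes)
    expired_for = (now - not_after).days if not_after and now > not_after else 0
    return {
        "codes": codes,
        "trust_problem": trust,
        "validity_problem": validity,
        "days_expired": expired_for,
        # Simplified policies (an assumed model, not any real client's logic):
        "connects": {
            "no_verification": True,                       # certificate is ignored
            "trust_exception": not validity and not other,  # self-signed accepted, dates enforced
            "strict": not codes,                            # any verify error refuses
        },
    }


if __name__ == "__main__":
    for name, sample in [("thread", THREAD_OUTPUT),
                         ("self-signed only", SELF_SIGNED_ONLY),
                         ("expired only", EXPIRED_ONLY)]:
        print(name, assess(sample, POST_TIME))
```
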

Re: Check certificate for news server (testing neodome)

<unfp57$15kco$1@paganini.bofh.team>

https://novabbs.com/computers/article-flat.php?id=3644&group=alt.free.newsservers#3644
Path: i2pn2.org!i2pn.org!paganini.bofh.team!not-for-mail
From: ron...@nospam.me (Ronald)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Sun, 7 Jan 2024 22:11:36 -0500
Organization: To protect and to server
Message-ID: <unfp57$15kco$1@paganini.bofh.team>
References: <undqeu$tpek$1@paganini.bofh.team> <te1s6kxkvs.ln2@Telcontar.valinor>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 8 Jan 2024 03:11:36 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="1233304"; posting-host="R8jzoRbLjiM/r2rQyny/kg.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
User-Agent: 40tude_Dialog/2.0.15.41 (Beta 38)
Cancel-Lock: sha256:tMQszHmpInq17ZlRjR9mM5MXEDZgo1kePkvmbiLWyBU=
X-Notice: Filtered by postfilter v. 0.9.3
 by: Ronald - Mon, 8 Jan 2024 03:11 UTC

On Mon, 8 Jan 2024 02:58:21 +0100, Carlos E.R. wrote:

>> I don't know what the output is SUPPOSED to be for a self-signed certificate.
>> I don't even know what a self-signed certificate even means.
>
> That it is not signed by a certificate authority, and thus will not be
> accepted automatically by your client software.

The strange thing is the self-signed certificate apparently expired 3 years
ago yet I've been posting to 563 using the same setup for years on end.
;40tude Dialog newsreader setup
Dialog Host: 127.0.0.1
Dialog Port: 123456
Dialog SSL: unchecked
Dialog Username: mylogin
Dialog Password: mypasswd
Dialog Allwd. conn.: 2
Dialog Use pipelining (unchecked)

; sTunnel.conf setup
[Neodome]
client = yes
accept = 127.0.0.1:123456
connect = news.neodome.net:563
verify = 0
verifyChain = yes
CAfile = ca-certs.pem
checkHost = news.neodome.net
OCSPaia = yes

How could that be that this setup worked until only about three weeks ago?

What suddenly happened a few weeks ago was a "socket error" in 40Tude
Dialog, which I didn't debug fully until yesterday as an expired cert.

I know what I just said makes no sense.

How could I have been posting all along with the same setup which all of a
sudden errors out - but when I debug - the certificate expired years ago?

Re: Check certificate for news server (testing neodome)

<ung4n5$1eqmk$1@dont-email.me>

https://novabbs.com/computers/article-flat.php?id=3645&group=alt.free.newsservers#3645
Path: i2pn2.org!i2pn.org!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: nos...@needed.invalid (Paul)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 01:28:53 -0500
Organization: A noiseless patient Spider
Lines: 67
Message-ID: <ung4n5$1eqmk$1@dont-email.me>
References: <undqeu$tpek$1@paganini.bofh.team>
<te1s6kxkvs.ln2@Telcontar.valinor> <unfp57$15kco$1@paganini.bofh.team>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 8 Jan 2024 06:28:53 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="806e46c5b925b2de71d0d8d6f738bdd6";
logging-data="1534676"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/rNMrE6jfVsVI1aftbvQUMwDmvvzhN3ew="
User-Agent: Ratcatcher/2.0.0.25 (Windows/20130802)
Cancel-Lock: sha1:ayOXjnlsOStP5eRUW9hqcZOBNzY=
In-Reply-To: <unfp57$15kco$1@paganini.bofh.team>
Content-Language: en-US
 by: Paul - Mon, 8 Jan 2024 06:28 UTC

On 1/7/2024 10:11 PM, Ronald wrote:
> On Mon, 8 Jan 2024 02:58:21 +0100, Carlos E.R. wrote:
>
>>> I don't know what the output is SUPPOSED to be for a self-signed certificate.
>>> I don't even know what a self-signed certificate even means.
>>
>> That it is not signed by a certificate authority, and thus will not be
>> accepted automatically by your client software.
>
> The strange thing is the self-signed certificate apparently expired 3 years
> ago yet I've been posting to 563 using the same setup for years on end.
> ;40tude Dialog newsreader setup
> Dialog Host: 127.0.0.1
> Dialog Port: 123456
> Dialog SSL: unchecked
> Dialog Username: mylogin
> Dialog Password: mypasswd
> Dialog Allwd. conn.: 2
> Dialog Use pipelining (unchecked)
>
> ; sTunnel.conf setup
> [Neodome]
> client = yes
> accept = 127.0.0.1:123456
> connect = news.neodome.net:563
> verify = 0
> verifyChain = yes
> CAfile = ca-certs.pem
> checkHost = news.neodome.net
> OCSPaia = yes
>
> How could that be that this setup worked until only about three weeks ago?
>
> What suddenly happened a few weeks ago was a "socket error" in 40Tude
> Dialog, which I didn't debug fully until yesterday as an expired cert.
>
> I know what I just said makes no sense.
>
> How could I have been posting all along with the same setup which all of a
> sudden errors out - but when I debug - the certificate expired years ago?
>

Is the node actually up ?

Maybe the reason you can't post to it, is it's half-up
or not-up-at-all.

Fire up Wireshark and see if the server is sending "RST"
packets indicating a "buzz off please" state. You would
be checking, on whatever machine of yours is doing the
stunnel (making the direct connection to Neodome).

Wireshark is available for multiple platforms, Win/Mac/Linux.
On Mac, you have to guess at which version runs on your machine,
and no one will help you. They don't like to label their releases
in a useful way. I have probably, at one time or another,
used it on all three platforms. On my Mac, I downloaded multiple
copies until I found one that ran.

https://en.wikipedia.org/wiki/Wireshark

Unless Wireshark has a Dissector for SSL/TLS, there's not much to see.
In this case though, we're just checking for RST, to see if the
node is in trouble, or has run out of some resource and has
functionally croaked.

Paul

Re: Check certificate for news server (testing neodome)

<ung4q6$5f9h$2@solani.org>

https://novabbs.com/computers/article-flat.php?id=3646&group=alt.free.newsservers#3646
Path: i2pn2.org!i2pn.org!usenet.goja.nl.eu.org!weretis.net!feeder8.news.weretis.net!reader5.news.weretis.net!news.solani.org!.POSTED!not-for-mail
From: mm+sol...@dorfdsl.de (Marco Moock)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 07:30:30 +0100
Message-ID: <ung4q6$5f9h$2@solani.org>
References: <undqeu$tpek$1@paganini.bofh.team>
<te1s6kxkvs.ln2@Telcontar.valinor>
<unfp57$15kco$1@paganini.bofh.team>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 8 Jan 2024 06:30:30 -0000 (UTC)
Injection-Info: solani.org;
logging-data="179505"; mail-complaints-to="abuse@news.solani.org"
Cancel-Lock: sha1:1oowVSG1PUWP8C/vUjyCciN91/w=
X-User-ID: eJwFwQkBwDAIA0BLpSQZdniKfwm7o8vUH0SBy91E29MxoD2Ds5NsyK+8cmQ5bAvVjXWVfiZ5EVI=
X-Newsreader: Claws Mail 4.2.0 (GTK 3.24.38; x86_64-pc-linux-gnu)
 by: Marco Moock - Mon, 8 Jan 2024 06:30 UTC

On 07.01.2024 at 22:11:36, Ronald wrote:

> ; sTunnel.conf setup
> [Neodome]
> client = yes
> accept = 127.0.0.1:123456
> connect = news.neodome.net:563
> verify = 0

Does that maybe disable cert checking at all?

> verifyChain = yes
> CAfile = ca-certs.pem
> checkHost = news.neodome.net
> OCSPaia = yes
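
The `verify = 0` line questioned above can be checked against the stunnel manual, which lists `verify` as obsolete and describes level 0 as "request and ignore the peer certificate". As an added example (not part of any post in this thread and not stunnel's own code), this Python linter reads the verification options of a client service and flags that conflict; `PINNED_CONF`, `UNVERIFIED_CONF` and the file name `neodome-server.pem` are hypothetical.

```python
# Service section copied from the stunnel configuration quoted in this thread.
POSTED_CONF = """\
; sTunnel.conf setup
[Neodome]
client = yes
accept = 127.0.0.1:123456
connect = news.neodome.net:563
verify = 0
verifyChain = yes
CAfile = ca-certs.pem
checkHost = news.neodome.net
OCSPaia = yes
"""

# Hypothetical alternative: pin the server's own (self-signed) certificate.
PINNED_CONF = """\
[Neodome]
client = yes
accept = 127.0.0.1:60563
connect = news.neodome.net:563
; neodome-server.pem is a hypothetical file holding the server certificate
verifyPeer = yes
CAfile = neodome-server.pem
"""

# Hypothetical tunnel with no verification options at all.
UNVERIFIED_CONF = """\
[Neodome]
client = yes
accept = 127.0.0.1:60563
connect = news.neodome.net:563
"""

MESSAGES = {
    "obsolete-verify": "'verify' is obsolete; the manual replaces it with verifyChain/verifyPeer",
    "verify-level-0": "verify = 0 is documented as 'request and ignore the peer certificate'",
    "contradictory": "verify = 0 next to verifyChain/verifyPeer = yes; drop the obsolete line",
    "no-verification": "no verifyChain/verifyPeer: the default is not to verify the peer",
    "no-name-check": "verifyChain without checkHost/checkIP accepts any name a listed CA signed",
}


def parse_services(text):
    """Split a stunnel config into {section: [(option, value), ...]}."""
    services = {"(global)": []}
    current = "(global)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            services.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if sep:                               # option names compared in lower case here
            services[current].append((key.strip().lower(), value.strip()))
    return services


def lint_service(options):
    """Return finding ids for the certificate-verification options of one service."""
    opts = dict(options)
    if opts.get("client", "no").lower() != "yes":
        return []                             # only client-side tunnels are checked

    def enabled(name):
        return opts.get(name, "no").lower() == "yes"

    findings = []
    modern = enabled("verifychain") or enabled("verifypeer")
    if "verify" in opts:
        findings.append("obsolete-verify")
        if opts["verify"] == "0":
            findings.append("verify-level-0")
            if modern:
                findings.append("contradictory")
    elif not modern:
        findings.append("no-verification")
    if enabled("verifychain") and "checkhost" not in opts and "checkip" not in opts:
        findings.append("no-name-check")
    return findings


def lint(text):
    """Lint every section of a stunnel config; returns {section: [finding ids]}."""
    return {name: lint_service(opts) for name, opts in parse_services(text).items()}


if __name__ == "__main__":
    for finding in lint(POSTED_CONF)["Neodome"]:
        print(f"[Neodome] {finding}: {MESSAGES[finding]}")
```

The linter reports what the file says, not which of two conflicting options stunnel honours at run time; that question is not settled in this thread.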

Re: Check certificate for news server (testing neodome)

<ung529$5f9h$3@solani.org>

https://novabbs.com/computers/article-flat.php?id=3647&group=alt.free.newsservers#3647
Path: i2pn2.org!i2pn.org!news.samoylyk.net!weretis.net!feeder8.news.weretis.net!reader5.news.weretis.net!news.solani.org!.POSTED!not-for-mail
From: mm+sol...@dorfdsl.de (Marco Moock)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 07:34:48 +0100
Message-ID: <ung529$5f9h$3@solani.org>
References: <undqeu$tpek$1@paganini.bofh.team>
<te1s6kxkvs.ln2@Telcontar.valinor>
<unfp57$15kco$1@paganini.bofh.team>
<ung4n5$1eqmk$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 8 Jan 2024 06:34:49 -0000 (UTC)
Injection-Info: solani.org;
logging-data="179505"; mail-complaints-to="abuse@news.solani.org"
Cancel-Lock: sha1:Wk/RdivRxZw+rMSZWf6TWQqxVa0=
X-Newsreader: Claws Mail 4.2.0 (GTK 3.24.38; x86_64-pc-linux-gnu)
X-User-ID: eJwFwYEBwDAEBMCVqDwxDvX2HyF3MFf/4zj8YLFyQ49xKgXcKn4pk1iuqFeb1DDWuqedI/cBKIMSFg==
 by: Marco Moock - Mon, 8 Jan 2024 06:34 UTC

On 08.01.2024 at 01:28:53, Paul wrote:

> On 1/7/2024 10:11 PM, Ronald wrote:
> > On Mon, 8 Jan 2024 02:58:21 +0100, Carlos E.R. wrote:
> >
> >>> I don't know what the output is SUPPOSED to be for a self-signed
> >>> certificate. I don't even know what a self-signed certificate
> >>> even means.
> >>
> >> That it is not signed by a certificate authority, and thus will
> >> not be accepted automatically by your client software.
> >
> > The strange thing is the self-signed certificate apparently expired
> > 3 years ago yet I've been posting to 563 using the same setup for
> > years on end.
> > ;40tude Dialog newsreader setup
> > Dialog Host: 127.0.0.1
> > Dialog Port: 123456
> > Dialog SSL: unchecked
> > Dialog Username: mylogin
> > Dialog Password: mypasswd
> > Dialog Allwd. conn.: 2
> > Dialog Use pipelining (unchecked)
> >
> > ; sTunnel.conf setup
> > [Neodome]
> > client = yes
> > accept = 127.0.0.1:123456
> > connect = news.neodome.net:563
> > verify = 0
> > verifyChain = yes
> > CAfile = ca-certs.pem
> > checkHost = news.neodome.net
> > OCSPaia = yes
> >
> > How could that be that this setup worked until only about three
> > weeks ago?
> >
> > What suddenly happened a few weeks ago was a "socket error" in
> > 40Tude Dialog, which I didn't debug fully until yesterday as an
> > expired cert.
> >
> > I know what I just said makes no sense.
> >
> > How could I have been posting all along with the same setup which
> > all of a sudden errors out - but when I debug - the certificate
> > expired years ago?
>
> Is the node actually up ?

Yesterday it was.

> Maybe the reason you can't post to it, is it's half-up
> or not-up-at-all.

It is prohibited, with or without encryption.

m@ryz:~$ telnet news.neodome.net 119
Trying 95.216.243.224...
Connected to news.neodome.net.
Escape character is '^]'.
200 news.neodome.net InterNetNews NNRP server INN 2.6.3 ready (posting ok)

POST
340 Ok, recommended message-ID <ung4tm$25ia$1@neodome.net>
Newsgroups: de.test
Subject: test
From: <m@example.org>

test
..
441 You are not allowed to post to de.test

> Fire up Wireshark and see if the server is sending "RST"
> packets indicating a "buzz off please" state. You would
> be checking, on whatever machine of yours is doing the
> stunnel (making the direct connection to Neodome).

I can confirm that it works on 119 with and without STARTTLS and on 563
using TLS.
It simply denies posting, but that is not related to TLS.

> Unless Wireshark has a Dissector for SSL/TLS, there's not much to see.
> In this case though, we're just checking for RST, to see if the
> node is in trouble, or has run out of some resource and has
> functionally croaked.

Wireshark shows the TLS negotiation. To show inside of it, you need to
do a mitm attack or run your own TLS proxy.

Re: Check certificate for news server (testing neodome)

<ung57r$166to$1@paganini.bofh.team>

https://novabbs.com/computers/article-flat.php?id=3648&group=alt.free.newsservers#3648
Path: i2pn2.org!i2pn.org!paganini.bofh.team!not-for-mail
From: ron...@nospam.me (Ronald)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 01:37:48 -0500
Organization: To protect and to server
Message-ID: <ung57r$166to$1@paganini.bofh.team>
References: <undqeu$tpek$1@paganini.bofh.team> <unevbk$6eke$2@solani.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 8 Jan 2024 06:37:48 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="1252280"; posting-host="R8jzoRbLjiM/r2rQyny/kg.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
User-Agent: 40tude_Dialog/2.0.15.41 (Beta 38)
Cancel-Lock: sha256:pxFV6MGNnciBlLYoA6HrPt2k/1xTzS1uLZSeON1ot0k=
X-Notice: Filtered by postfilter v. 0.9.3
 by: Ronald - Mon, 8 Jan 2024 06:37 UTC

On Sun, 7 Jan 2024 20:51:16 +0100, Marco Moock wrote:

>> But Neodome uses a self-signed certificate.
>> So it's never supposed to expire, right?
>
> That is not related to self-signed.

Thanks. It's crazy that I was able to post for years with nothing changing
on my side, but then a few weeks ago I got the certificate expiry error.

But when I debugged as suggested, the certificate expired three years ago.
That sounds crazy. Even to me. And I've been posting to Neodome for years.

>> I don't know what the output is SUPPOSED to be for a self-signed
>> certificate. I don't even know what a self-signed certificate even
>> means.
>
> It means that the certificate isn't signed by an authority upper in the
> hierarchy.
> The default for most software is to reject those certificates because
> they can't be checked against the authorized CAs.

It seems there's still a way to post to Neodome without needing login
credentials (which they no longer give out to anyone I'm told) if you use
something called an "anonymous remailer" but I don't know what that is.

I found info for another free news server which may work for neodome.
http://news.mixmin.net/banana/m2n.html

Since I have valid posting credentials, do you think any anonymous remailer
like that documented one will accept my login/password to news.neodome.net?

>> Can you help me make better sense of the output and how to fix it?
>
> It is a fault at their side.
> The cert is invalid for 3 years - they don't seem to care. Contact them
> by email and tell them about that, so they can fix it.
> admin@neodome.net

I have to admit it sounds crazy but I've been posting using that same
sTunnel setup for Neodome for a long time but it only stopped recently.

; 40-tude Dialog newsreader setup on Windows
Dialog Host: 127.0.0.1 [You can use "localhost" if you like]
Dialog Port: 60563 [You can choose any unused port you like]
Dialog SSL: unchecked
Dialog Username: your_uname
Dialog Password: your_passwd
Dialog Allwd. conn.: 2
Dialog Use pipelining (unchecked)

; Windows sTunnel setup (for old clients with old TLS or SSL)
[Neodome]
client = yes
accept = 127.0.0.1:60563 [Use the same internal port as in Dialog]
connect = news.neodome.net:563
; Use these next 5 lines to check the certificate for validity
verify = 0
verifyChain = yes
CAfile = ca-certs.pem
checkHost = news.neodome.net
OCSPaia = yes

It makes no sense to me that the certificate has been expired for 3 years
and yet I was posting using that exact setup above until a few weeks ago.

Re: Check certificate for news server (testing neodome)

<ung5ov$167o5$1@paganini.bofh.team>

https://novabbs.com/computers/article-flat.php?id=3649&group=alt.free.newsservers#3649
Path: i2pn2.org!i2pn.org!nntp.comgw.net!paganini.bofh.team!not-for-mail
From: ron...@nospam.me (Ronald)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 01:46:56 -0500
Organization: To protect and to server
Message-ID: <ung5ov$167o5$1@paganini.bofh.team>
References: <undqeu$tpek$1@paganini.bofh.team> <te1s6kxkvs.ln2@Telcontar.valinor> <unfp57$15kco$1@paganini.bofh.team> <ung4q6$5f9h$2@solani.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 8 Jan 2024 06:46:56 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="1253125"; posting-host="R8jzoRbLjiM/r2rQyny/kg.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
User-Agent: 40tude_Dialog/2.0.15.41 (Beta 38)
Cancel-Lock: sha256:kMSOTELvsesCwswLCXj0WHEXDe/v9d/Q/f7IzulRB3s=
X-Notice: Filtered by postfilter v. 0.9.3
 by: Ronald - Mon, 8 Jan 2024 06:46 UTC

On Mon, 8 Jan 2024 07:30:30 +0100, Marco Moock wrote:

>> ; sTunnel.conf setup
>> [Neodome]
>> client = yes
>> accept = 127.0.0.1:123456
>> connect = news.neodome.net:563
>> verify = 0
>
> Does that maybe disable cert checking at all?
>
>> verifyChain = yes
>> CAfile = ca-certs.pem
>> checkHost = news.neodome.net
>> OCSPaia = yes

I do NOT know what you're asking but I do very much respect your help.
Can you clarify for me what you're asking?

Please bear in mind I don't even know what a certificate is.
I didn't come up with that sTunnel.conf on my own.
It was given to me many years ago when I signed up for Neodome.
And it had been working for a long time until just a few weeks ago.

I only set up my newsreader (40tude Dialog) to use sTunnel because the
circa-2005 newsreader is no longer supported by the developer so the
encryption it uses is outdated and yet, it's my opinion it's the best
newsreader on Windows, bar none (because of its scripting abilities).

Re: Check certificate for news server (testing neodome)

<unga36$5hkb$2@solani.org>

https://novabbs.com/computers/article-flat.php?id=3650&group=alt.free.newsservers#3650

Path: i2pn2.org!i2pn.org!news.chmurka.net!weretis.net!feeder8.news.weretis.net!reader5.news.weretis.net!news.solani.org!.POSTED!not-for-mail
From: mm+sol...@dorfdsl.de (Marco Moock)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 09:00:38 +0100
Message-ID: <unga36$5hkb$2@solani.org>
References: <undqeu$tpek$1@paganini.bofh.team>
<te1s6kxkvs.ln2@Telcontar.valinor>
<unfp57$15kco$1@paganini.bofh.team>
<ung4q6$5f9h$2@solani.org>
<ung5ov$167o5$1@paganini.bofh.team>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 8 Jan 2024 08:00:38 -0000 (UTC)
Injection-Info: solani.org;
logging-data="181899"; mail-complaints-to="abuse@news.solani.org"
Cancel-Lock: sha1:d76S3URefgldR0Or/hNRFTD12/8=
X-Newsreader: Claws Mail 4.2.0 (GTK 3.24.38; x86_64-pc-linux-gnu)
X-User-ID: eJwFwQkRADAIAzBLg1LY5HA8/iUsIVy8wpxuXO4xYWqiMXn6BVCNnu2JyhrjVZHR3Qh7rfMBKH8Rug==
 by: Marco Moock - Mon, 8 Jan 2024 08:00 UTC

On 08.01.2024 at 01:46:56, Ronald wrote:

> On Mon, 8 Jan 2024 07:30:30 +0100, Marco Moock wrote:
>
> >> ; sTunnel.conf setup
> >> [Neodome]
> >> client = yes
> >> accept = 127.0.0.1:123456
> >> connect = news.neodome.net:563
> >> verify = 0
> >
> > Does that maybe disable cert checking at all?
> >
> >> verifyChain = yes
> >> CAfile = ca-certs.pem
> >> checkHost = news.neodome.net
> >> OCSPaia = yes
>
> I do NOT know what you're asking but I do very much respect your help.
> Can you clarify for me what you're asking?

I have no experience with stunnel.
Certificates are normally signed by a certificate authority like
Verisign, Comodo etc.
The certificate a server provides can be checked against those root
certificates from the CAs to verify it comes from them.
The check can also talk to their server to verify the certificate
hasn't been revoked.

> Please bear in mind I don't even know what a certificate is.

https://www.techtarget.com/searchsecurity/definition/X509-certificate

> I didn't come up with that sTunnel.conf on my own.

Why do you need it?
A newsreader can directly contact the newsserver.
A current newsreader (yours is very old) can also talk current TLS 1.3
with current ciphers.

> It was given to me many years ago when I signed up for Neodome.
> And it had been working for a long time until just a few weeks ago.
>
> I only set up my newsreader (40tude Dialog) to use sTunnel because the
> circa-2005 newsreader is no longer supported by the developer so the
> encryption it uses is outdated and yet, it's my opinion it's the best
> newsreader on Windows, bar none (because of its scripting abilities).

Have you tried Claws mail?
It also supports wide-range filter/processing rulesets.

Re: Check certificate for news server (testing neodome)

<ungabi$5hkb$3@solani.org>

https://novabbs.com/computers/article-flat.php?id=3651&group=alt.free.newsservers#3651

Path: i2pn2.org!i2pn.org!news.chmurka.net!weretis.net!feeder8.news.weretis.net!reader5.news.weretis.net!news.solani.org!.POSTED!not-for-mail
From: mm+sol...@dorfdsl.de (Marco Moock)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 09:05:06 +0100
Message-ID: <ungabi$5hkb$3@solani.org>
References: <undqeu$tpek$1@paganini.bofh.team>
<unevbk$6eke$2@solani.org>
<ung57r$166to$1@paganini.bofh.team>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 8 Jan 2024 08:05:06 -0000 (UTC)
Injection-Info: solani.org;
logging-data="181899"; mail-complaints-to="abuse@news.solani.org"
Cancel-Lock: sha1:dOcRNmdii945uksBVKZGDdlWVG4=
X-Newsreader: Claws Mail 4.2.0 (GTK 3.24.38; x86_64-pc-linux-gnu)
X-User-ID: eJwFwQkBwDAIA0BLFAiPHOga/xJ2B4sTNz0QDoI7WdgiBYoO5GOAOu+7alZ8fUxbRn1VUPkDHnQQsA==
 by: Marco Moock - Mon, 8 Jan 2024 08:05 UTC

On 08.01.2024 at 01:37:48, Ronald wrote:

> On Sun, 7 Jan 2024 20:51:16 +0100, Marco Moock wrote:
>
> >> But Neodome uses a self-signed certificate.
> >> So it's never supposed to expire, right?
> >
> > That is not related to self-signed.
>
> Thanks. It's crazy that I was able to post for years with nothing
> changing on my side, but then a few weeks ago I got the certificate
> expiry error.
>
> But when I debugged as suggested, the certificate expired three years
> ago. That sounds crazy. Even to me. And I've been posting to Neodome
> for years.

That is crazy, but maybe someone installed that cert (maybe an
automatic mechanism like Ansible).

> >> I don't know what the output is SUPPOSED to be for a self-signed
> >> certificate. I don't even know what a self-signed certificate even
> >> means.
> >
> > It means that the certificate isn't signed by an authority upper in
> > the hierarchy.
> > The default for most software is to reject those certificates
> > because they can't be checked against the authorized CAs.
>
> It seems there's still a way to post to Neodome without needing login
> credentials (which they no longer give out to anyone I'm told) if you
> use something called an "anonymous remailer" but I don't know what
> that is.

https://en.wikipedia.org/wiki/Anonymous_remailer

> I found info for another free news server which may work for neodome.
> http://news.mixmin.net/banana/m2n.html

I have tried it, message didn't reach misc.test.

> Since I have valid posting credentials, do you think any anonymous
> remailer like that documented one will accept my login/password to
> news.neodome.net?

No.
But why do you stick with neodome?
They currently intentionally disable posting without login.

If you have credentials, you can use them and if not, use one of the
free news servers that offer registration for free that works.

solani.org
eternal-september.org
i2pn2.org

> It makes no sense to me that the certificate has been expired for 3
> years and yet I was posting using that exact setup above until a few
> weeks ago.

Having a working connection (the certificate and the check is relevant
here) and being able to post are 2 completely different steps.

Is reading possible?
Then your connection works fine and the certificate is NOT the actual
problem.

Are you not allowed to post?
Then it is related to the settings of neodome.

Re: Check certificate for news server (testing neodome)

<unge7d$16lla$1@paganini.bofh.team>

https://novabbs.com/computers/article-flat.php?id=3652&group=alt.free.newsservers#3652

Path: i2pn2.org!i2pn.org!paganini.bofh.team!tor-network!not-for-mail
From: ifjellst...@gmail.com (Ivan Fjellstad)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 09:11:10 -0000 (UTC)
Organization: To protect and to server
Message-ID: <unge7d$16lla$1@paganini.bofh.team>
References: <undqeu$tpek$1@paganini.bofh.team>
Injection-Date: Mon, 8 Jan 2024 09:11:10 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="1267370"; posting-host="B0shrW23l9kPa/x717J4Vw.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
User-Agent: Xnews/5.04.25
Cancel-Lock: sha256:y1raT5ec0xMJoAUKJZSGOiThXfavKVFmFV++zaE8M3Y=
X-TOR-Router: sha256:NDUuOTAuMTMuMjUx --
X-Notice: Filtered by postfilter v. 0.9.3
 by: Ivan Fjellstad - Mon, 8 Jan 2024 09:11 UTC

On 07 Jan 2024, Ronald <ronald@nospam.me> posted some
news:undqeu$tpek$1@paganini.bofh.team:

> On Windows, I ran this command just now.
> echo q | openssl s_client -connect news.neodome.net:563 | openssl x509
> -noout -enddate | findstr "notAfter"
>
> It reported this result:
> depth=0 O = Neodome, CN = neodome.net, emailAddress =
> admin@neodome.net verify error:num=18:self signed certificate
> verify return:1
> depth=0 O = Neodome, CN = neodome.net, emailAddress =
> admin@neodome.net verify error:num=10:certificate has expired
> notAfter=Dec 31 21:59:46 2020 GMT
> verify return:1
> depth=0 O = Neodome, CN = neodome.net, emailAddress =
> admin@neodome.net notAfter=Dec 31 21:59:46 2020 GMT
> verify return:1
> notAfter=Dec 31 21:59:46 2020 GMT
> DONE
>
> Then I ran this command.
> openssl s_client -ign_eof -connect news.neodome.net:563
>
> Which reported a long output but I cut out the non errors to result in
> this.
> verify error:num=10:certificate has expired
> Verification error: certificate has expired
> Verify return code: 10 (certificate has expired)
>
> But Neodome uses a self-signed certificate.
> So it's never supposed to expire, right?
>
> I don't know what the output is SUPPOSED to be for a self-signed
> certificate. I don't even know what a self-signed certificate even
> means.
>
> Can you help me make better sense of the output and how to fix it?

Sure!

Here is how to fix a 40tude socket error.

https://www.youtube.com/watch?v=g2r9I2-LMNo

Cngu: cntnavav.obsu.grnz!abg-sbe-znvy
Sebz: ebppb cbegryyv <ebppbcbegryyv@abfcnz.vg>
Arjftebhcf: arjf.fbsgjner.aagc,nyg.serr.arjffreiref,arjf.fbsgjner.ernqref
Fhowrpg: Cbfgvat negvpyr snvyrq. Fbpxrg reebe # 0
Qngr: Jrq, 29 Abi 2023 06:55:38 -0500
Betnavmngvba: Gb cebgrpg naq gb freire
Zrffntr-VQ: <hx78ed$3te0u$1@cntnavav.obsu.grnz>
Zvzr-Irefvba: 1.0
Pbagrag-Glcr: grkg/cynva; punefrg="hf-nfpvv"
Pbagrag-Genafsre-Rapbqvat: 8ovg
Vawrpgvba-Qngr: Jrq, 29 Abi 2023 11:55:38 -0000 (HGP)
Vawrpgvba-Vasb: cntnavav.obsu.grnz; ybttvat-qngn="3697681"; cbfgvat-
ubfg="sx6t7YXZ0j/uEc9nXqutND.hfre.cntnavav.obsu.grnz"; znvy-pbzcynvagf-
gb="hfrarg@obsu.grnz"; cbfgvat-nppbhag="9qVDYKOZ7JZ9XmN+lwqE4N";
Hfre-Ntrag: 40ghqr_Qvnybt/2.0.15.41 (Orgn 38)
Pnapry-Ybpx: fun256:o/fhPb/K4CSqrRz4O4oB6mT6aDUsSdL4nmTy9nc9SZD=
K-Abgvpr: Svygrerq ol cbfgsvygre i. 0.9.3
Kers: cntnavav.obsu.grnz arjf.fbsgjner.aagc:3309 nyg.serr.arjffreiref:6105
arjf.fbsgjner.ernqref:274990

Orsber V obgure gur nqzva bs n pbzzba serr arjf freire (jub V cebzvfrq vs
ur tnir zr n cbfgvat nppbhag, V jbhyqa'g or nal gebhoyr) V jbhyq yvxr gb
svther bhg vs gur ceboyrz vf uvf rapelcgrq arjf freire be vs vg'f va zvar.

Vg hfrq gb jbex ohg fgbccrq jbexvat nobhg n jrrx ntb jvgu guvf "fbpxrg
reebe" bs "Cbfgvat negvpyr snvyrq. Fbpxrg reebe # 0".

V hfr 40GhqrQvnybt jvgu fghaary ba Jvaqbjf ohg V qba'g xabj jung n
"fbpxrg"
vf abe vs vg'f rira eryngrq gb fghaary be gb gur arjf freire.

Fghaary unf orra ehaavat sbe lrnef jvgu bgure arjf freiref naq sbe zbaguf
jvgu guvf arjf freire (juvpu V pna'g fnl jung vg vf nf vg'f abg xabja gb
or
ninvynoyr sbe cbfgvat hayrff lbh nfx gur arjf freire nqzva gb nyybj vg).

Ubj qb V qroht ba zl bja?
Jung ner gur glcvpny qroht fgrcf sbe grfgvat na rapelcgrq pbaarpgvba?

Guvaxvat fbzrguvat zvtug unir hfrq gur cbeg, V punatrq gur cbeg va obgu
40Ghqr Qvnybt naq va gur fghaary.pbas svyr, ohg gung neovgenel cbeg punatr
znqr ab qvssrerapr (127.0.0.1:12345 => 127.0.0.1:54321) va gur reebe.

[arjffreire]
pyvrag = lrf
npprcg = 127.0.0.1:54321
pbaarpg = arjf.arjffreire.arg:563
irevsl = 0
irevslPunva = lrf
PNsvyr = pn-pregf.crz
purpxUbfg = arjf.arjffreire.arg
BPFCnvn = lrf

Ubj qb V qroht guvf reebe gb frr ng yrnfg vs gur ceboyrz vf zr be uvz?

Jung'f n "cbfgvat negvpyr snvyrq fbpxrg reebe # 0" va 40ghqr qvnybt
naljnl?

Re: Check certificate for news server (testing neodome)

<35b99bcf957616172298c2679f71cd3e@dizum.com>

https://novabbs.com/computers/article-flat.php?id=3653&group=alt.free.newsservers#3653

References: <undqeu$tpek$1@paganini.bofh.team> <te1s6kxkvs.ln2@Telcontar.valinor> <unfp57$15kco$1@paganini.bofh.team>
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 10:13:17 +0100 (CET)
Injection-Info: neodome.net;
posting-account="mail2news";
mail-complaints-to="abuse@neodome.net"
Path: i2pn2.org!i2pn.org!news.neodome.net!mail2news
Injection-Date: Mon, 8 Jan 2024 09:15:01 +0000 (UTC)
Newsgroups: alt.free.newsservers
From: lms...@example.org (lms)
Message-ID: <35b99bcf957616172298c2679f71cd3e@dizum.com>
Comments: This message did not originate from the Sender address above.
It was remailed automatically by anonymizing remailer software.
Please report problems or inappropriate use to the
remailer administrator at <abuse@dizum.com>.
Comments: This message was transferred to Usenet via mail2news gateway at
<mail2news@neodome.net>. Please send questions and concerns to
<admin@neodome.net>. Report inappropriate use to <abuse@neodome.net>.
Sender: Nomen Nescio <nobody@dizum.com>
 by: lms - Mon, 8 Jan 2024 09:13 UTC

On 07 Jan 2024, Ronald <ronald@nospam.me> posted some
news:unfp57$15kco$1@paganini.bofh.team:

> On Mon, 8 Jan 2024 02:58:21 +0100, Carlos E.R. wrote:
>
>>> I don't know what the output is SUPPOSED to be for a self-signed
>>> certificate. I don't even know what a self-signed certificate even
>>> means.
>>
>> That it is not signed by a certificate authority, and thus will not
>> be accepted automatically by your client software.
>
> The strange thing is the self-signed certificate apparently expired 3
> years ago yet I've been posting to 563 using the same setup for years
> on end.
> ;40tude Dialog newsreader setup
> Dialog Host: 127.0.0.1
> Dialog Port: 123456
> Dialog SSL: unchecked
> Dialog Username: mylogin
> Dialog Password: mypasswd
> Dialog Allwd. conn.: 2
> Dialog Use pipelining (unchecked)
>
> ; sTunnel.conf setup
> [Neodome]
> client = yes
> accept = 127.0.0.1:123456
> connect = news.neodome.net:563
> verify = 0
> verifyChain = yes
> CAfile = ca-certs.pem
> checkHost = news.neodome.net
> OCSPaia = yes
>
> How could that be that this setup worked until only about three weeks
> ago?

Maybe your user credentials got cancelled / revoked. Reach out to neodome
and ask: admin@neodome.net.

> What suddenly happened a few weeks ago was a "socket error" in 40Tude
> Dialog, which I didn't debug fully until yesterday as an expired cert.

What OS are you using and specifically what is the exact 40Tude socket
error you are receiving?

> I know what I just said makes no sense.

Makes sense. 40Tude is known to have socket errors for various sometimes
illogical and unexplainable reasons.

> How could I have been posting all along with the same setup which all
> of a sudden errors out - but when I debug - the certificate expired
> years ago?

Certificate has nothing to do with it. There are equipment management
environments running 12-year-old+ expired certs out there.

https://www.stunnel.org/TODO.html
stunnel TODO
Updated defaults planned for stunnel 6.xx
More secure defaults planned for the next major version.

OCSPaia = yes

Current download version:
stunnel-5.71-win64-installer.exe 4078592 19th September 2023

OCSPaia = yes | no
validate certificates with their AIA OCSP responders

This option enables stunnel to validate certificates with the list of OCSP
responder URLs retrieved from their AIA (Authority Information Access)
extension.

verifyChain = yes | no
verify the peer certificate chain starting from the root CA

For server certificate verification it is essential to also require a
specific certificate with checkHost or checkIP.

The self-signed root CA certificate needs to be stored either in the file
specified with CAfile, or in the directory specified with CApath.

default: no

checkHost = HOST
verify the host of the end-entity (leaf) peer certificate subject

Certificates are accepted if no subject checks were specified, or the host
name of the end-entity (leaf) peer certificate matches any of the hosts
specified with checkHost.

Multiple checkHost options are allowed in a single service section.

This option requires OpenSSL 1.0.2 or later.

CAfile = CA_FILE
load trusted CA certificates from a file

The loaded CA certificates will be used with the verifyChain and
verifyPeer options.

verify = LEVEL
verify the peer certificate

This option is obsolete and should be replaced with the verifyChain and
verifyPeer options.

level 0
Request and ignore the peer certificate chain.

level 1
Verify the peer certificate chain if present.

level 2
Verify the peer certificate chain.

level 3
Verify the peer certificate chain and the end-entity (leaf) peer
certificate against a locally installed certificate.

level 4
Ignore the peer certificate chain and only verify the end-entity (leaf)
peer certificate against a locally installed certificate.

default
No verify.

START HERE

Do yourself a favor, comment out the lines as shown, restart stunnel and
test your connection again.

; Windows sTunnel setup (for old clients with old TLS or SSL)
[Neodome]
client = yes
; Use the same internal port as in Dialog
accept = 127.0.0.1:60563
connect = news.neodome.net:563
; Use these next 5 lines to check the certificate for validity
;verify = 0
;verifyChain = yes
;CAfile = ca-certs.pem
;checkHost = news.neodome.net
;OCSPaia = yes

Testing what I see.

OpenSSL-Win64>bin\openssl s_client -connect news.neodome.net:563

CONNECTED(0000023C)
---
Certificate chain
0 s:/O=Neodome/CN=neodome.net/emailAddress=admin@neodome.net
i:/O=Neodome/CN=neodome.net/emailAddress=admin@neodome.net
---
Server certificate
subject=/O=Neodome/CN=neodome.net/emailAddress=admin@neodome.net
issuer=/O=Neodome/CN=neodome.net/emailAddress=admin@neodome.net
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1534 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
8CBD215E5DD10739672C0189CAB9007777FA8EF013CAD6CC5280D82D113DAEE0
Session-ID-ctx:
Master-Key:
47B070587E3826A9C73838A37FFA4EA1035B9D1555EA0FB75CAE022CBEF3CEE866255601AC
5783213AE35B5A19D8E8F8
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)

Start Time: 1704700781
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
200 news.neodome.net InterNetNews NNRP server INN 2.6.3 ready (posting ok)

Re: Check certificate for news server (testing neodome)

<h4ss6kxr43.ln2@Telcontar.valinor>

https://novabbs.com/computers/article-flat.php?id=3654&group=alt.free.newsservers#3654

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: robin_li...@es.invalid (Carlos E.R.)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 10:33:37 +0100
Lines: 66
Message-ID: <h4ss6kxr43.ln2@Telcontar.valinor>
References: <undqeu$tpek$1@paganini.bofh.team>
<te1s6kxkvs.ln2@Telcontar.valinor> <unfp57$15kco$1@paganini.bofh.team>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net kXZ4uawMRLsJoJnmVsZqHAc2qtdrtFO35ZdlabJuKNnJWt38Pr
X-Orig-Path: Telcontar.valinor!not-for-mail
Cancel-Lock: sha1:lYwtJvfFL/UWgzIxBCFCDhnpmTI= sha256:+pKKeY2ZBlcUohZX4khlKc6y8lwcG1ajXpG0q6qf1YI=
User-Agent: Mozilla Thunderbird
Content-Language: es-ES, en-CA
In-Reply-To: <unfp57$15kco$1@paganini.bofh.team>
 by: Carlos E.R. - Mon, 8 Jan 2024 09:33 UTC

On 2024-01-08 04:11, Ronald wrote:
> On Mon, 8 Jan 2024 02:58:21 +0100, Carlos E.R. wrote:
>
>>> I don't know what the output is SUPPOSED to be for a self-signed certificate.
>>> I don't even know what a self-signed certificate even means.
>>
>> That it is not signed by a certificate authority, and thus will not be
>> accepted automatically by your client software.
>
> The strange thing is the self-signed certificate apparently expired 3 years
> ago yet I've been posting to 563 using the same setup for years on end.

That's not strange at all.

At some point in the past you told your side of the software to ignore
the expiration date, and you forgot. It was three years ago, after all.

> ;40tude Dialog newsreader setup
> Dialog Host: 127.0.0.1
> Dialog Port: 123456
> Dialog SSL: unchecked
> Dialog Username: mylogin
> Dialog Password: mypasswd
> Dialog Allwd. conn.: 2
> Dialog Use pipelining (unchecked)
>
> ; sTunnel.conf setup
> [Neodome]
> client = yes
> accept = 127.0.0.1:123456
> connect = news.neodome.net:563
> verify = 0
> verifyChain = yes
> CAfile = ca-certs.pem
> checkHost = news.neodome.net
> OCSPaia = yes
>
> How could that be that this setup worked until only about three weeks ago?

Because it is a different problem. It is not that the certificate is
suddenly invalid, but that some other thing changed.

>
> What suddenly happened a few weeks ago was a "socket error" in 40Tude
> Dialog, which I didn't debug fully until yesterday as an expired cert.
>
> I know what I just said makes no sense.
>
> How could I have been posting all along with the same setup which all of a
> sudden errors out - but when I debug - the certificate expired years ago?

You simply noticed the expiration error and got fixated on it.

/IF/ you told your software to ignore the expiration rate AND it being a
selfsigned certificate, there is another problem you have not looked into.

For instance, someone, at your end or their end, could have updated the
software, and the new software does not ignore the validity.

They might even have done a backup restore operation and restored an old
certificate.

--
Cheers, Carlos.

Re: Check certificate for news server (testing neodome)

<s2ss6kxr43.ln2@Telcontar.valinor>

https://novabbs.com/computers/article-flat.php?id=3655&group=alt.free.newsservers#3655

Path: i2pn2.org!rocksolid2!i2pn.org!paganini.bofh.team!2.eu.feeder.erje.net!feeder.erje.net!news2.arglkargh.de!news.karotte.org!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: robin_li...@es.invalid (Carlos E.R.)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 10:32:44 +0100
Lines: 23
Message-ID: <s2ss6kxr43.ln2@Telcontar.valinor>
References: <undqeu$tpek$1@paganini.bofh.team> <unevbk$6eke$2@solani.org>
<ung57r$166to$1@paganini.bofh.team>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net ascaIV7bF32EDzsRAExGhwR5HAwBKhdzDUc/7pdSqreuUJekX6
X-Orig-Path: Telcontar.valinor!not-for-mail
Cancel-Lock: sha1:gZ3KxvDLB7gy6bq+JOrBmhu2tTw= sha256:Byn8hxBXrvFq2iuS6ySaNLr4VeArPOjetxuZMGDXqGs=
User-Agent: Mozilla Thunderbird
Content-Language: es-ES, en-CA
In-Reply-To: <ung57r$166to$1@paganini.bofh.team>
 by: Carlos E.R. - Mon, 8 Jan 2024 09:32 UTC

On 2024-01-08 07:37, Ronald wrote:
> On Sun, 7 Jan 2024 20:51:16 +0100, Marco Moock wrote:
>
>>> But Neodome uses a self-signed certificate.
>>> So it's never supposed to expire, right?

....

>>> Can you help me make better sense of the output and how to fix it?
>>
>> It is a fault at their side.
>> The cert is invalid for 3 years - they don't seem to care. Contact them
>> by email and tell them about that, so they can fix it.
>> admin@neodome.net
>
> I have to admit it sounds crazy but I've been posting using that same
> sTunnel setup for Neodome for a long time but it only stopped recently.

Why are you using a tunnel? :-?

--
Cheers, Carlos.

Re: Check certificate for news server (testing neodome)

<ungg3j$5hkb$5@solani.org>

https://novabbs.com/computers/article-flat.php?id=3656&group=alt.free.newsservers#3656

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!reader5.news.weretis.net!news.solani.org!.POSTED!not-for-mail
From: mm+sol...@dorfdsl.de (Marco Moock)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 10:43:15 +0100
Message-ID: <ungg3j$5hkb$5@solani.org>
References: <undqeu$tpek$1@paganini.bofh.team>
<unevbk$6eke$2@solani.org>
<ung57r$166to$1@paganini.bofh.team>
<s2ss6kxr43.ln2@Telcontar.valinor>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 8 Jan 2024 09:43:15 -0000 (UTC)
Injection-Info: solani.org;
logging-data="181899"; mail-complaints-to="abuse@news.solani.org"
Cancel-Lock: sha1:C5P29ZcxcAWYkCO2ZWlzLQ4PDk4=
X-User-ID: eJwNyMEBwCAIA8CVgiao4xSE/UeozztNN89Fl1OtjszPRl4xqmw8QrGij84LYluJYxqcG8D9ATqyEUI=
X-Newsreader: Claws Mail 4.2.0 (GTK 3.24.38; x86_64-pc-linux-gnu)
 by: Marco Moock - Mon, 8 Jan 2024 09:43 UTC

On 08.01.2024 at 10:32:44, Carlos E.R. wrote:

> Why are you using a tunnel? :-?

Because his ancient newsreader doesn't support current encryption
technology.

Re: Check certificate for news server (testing neodome)

<unght8$16rj2$1@paganini.bofh.team>

https://novabbs.com/computers/article-flat.php?id=3657&group=alt.free.newsservers#3657

Path: i2pn2.org!i2pn.org!news.neodome.net!news.nntp4.net!paganini.bofh.team!not-for-mail
From: ron...@nospam.me (Ronald)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 05:14:00 -0500
Organization: To protect and to server
Message-ID: <unght8$16rj2$1@paganini.bofh.team>
References: <undqeu$tpek$1@paganini.bofh.team> <te1s6kxkvs.ln2@Telcontar.valinor> <unfp57$15kco$1@paganini.bofh.team> <ung4q6$5f9h$2@solani.org> <ung5ov$167o5$1@paganini.bofh.team> <unga36$5hkb$2@solani.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 8 Jan 2024 10:14:01 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="1273442"; posting-host="R8jzoRbLjiM/r2rQyny/kg.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
User-Agent: 40tude_Dialog/2.0.15.41 (Beta 38)
Cancel-Lock: sha256:d8QUkWHRNewSe5hzDcIVRX5bvVDtsQyYqV2862Kv77w=
X-Notice: Filtered by postfilter v. 0.9.3
 by: Ronald - Mon, 8 Jan 2024 10:14 UTC

On Mon, 8 Jan 2024 09:00:38 +0100, Marco Moock wrote:

>> I didn't come up with that sTunnel.conf on my own.
>
> Why do you need it?
> A newsreader can directly contact the newsserver.

Yes. I can use Dialog without sTunnel.
But it's old encryption with Dialog.
It's new encryption with sTunnel.

That's not a problem.

> A current newsreader (yours is very old) can also talk current TLS 1.3
> with current ciphers.

Everyone who uses 40Tude Dialog uses sTunnel which isn't a problem at all.
https://www.newsgroupreviews.com/40tude-dialog.html

On the newserver newsgroup it has been discussed for very many years that
40Tude Dialog uses deprecated circa-2005 encryption so while it might work,
it's not as good as using sTunnel which uses the latest encryption.

The simple answer is that there is no other option for Dialog than sTunnel.

>> It was given to me many years ago when I signed up for Neodome.
>> And it had been working for a long time until just a few weeks ago.
>>
>> I only set up my newsreader (40tude Dialog) to use sTunnel because the
>> circa-2005 newsreader is no longer supported by the developer so the
>> encryption it uses is outdated and yet, it's my opinion it's the best
>> newsreader on Windows, bar none (because of its scripting abilities).
>
> Have you tried Claws mail?
> It also support wide-range filter/processing rulesets.

I appreciate the kind and thoughtful advice to try again the Claws MUA,
which I dropped when Google implemented their OAuth/2FA a while ago.

We don't need to re-hash that a jack of all trades is master of none,
where I started with nn and tin and used Claws for email until I went to
Thunderbird/Betterbird which itself royally sucks at being both a
newsreader and a MUA - so let's just leave it at I'm sticking with sTunnel
and Dialog as it works fine and has worked fine for decades sans support.

Even almost two decades after it was written, Dialog is still the best.
https://wilk13.net/en/40tude-dialog.php

I have so many 40Tude Dialog scripts which were collected over the years
https://groups.google.com/g/news.software.readers/c/BY32vtci8Uk

I must be using a dozen of them, many with comments in German, as they do
lots of very neat things. Bernd Rose is the acknowledged expert in Dialog.

Re: Check certificate for news server (testing neodome)

<ungjqs$16uea$1@paganini.bofh.team>

https://novabbs.com/computers/article-flat.php?id=3658&group=alt.free.newsservers#3658

Path: i2pn2.org!i2pn.org!usenet.goja.nl.eu.org!paganini.bofh.team!not-for-mail
From: ron...@nospam.me (Ronald)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 05:46:52 -0500
Organization: To protect and to server
Message-ID: <ungjqs$16uea$1@paganini.bofh.team>
References: <undqeu$tpek$1@paganini.bofh.team> <te1s6kxkvs.ln2@Telcontar.valinor> <unfp57$15kco$1@paganini.bofh.team> <h4ss6kxr43.ln2@Telcontar.valinor>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 8 Jan 2024 10:46:53 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="1276362"; posting-host="R8jzoRbLjiM/r2rQyny/kg.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
User-Agent: 40tude_Dialog/2.0.15.41 (Beta 38)
Cancel-Lock: sha256:PJ7LEHf3mmLcMe6EvhWv862zJ38pP+8WGg8lh7pZwV0=
X-Notice: Filtered by postfilter v. 0.9.3
 by: Ronald - Mon, 8 Jan 2024 10:46 UTC

On Mon, 8 Jan 2024 10:33:37 +0100, Carlos E.R. wrote:

> You simply noticed the expiration error and got fixated on it.
>
> /IF/ you told your software to ignore the expiration rate AND it being a
> selfsigned certificate, there is another problem you have not looked into.
>
> For instance, someone, at your end or their end, could have updated the
> software, and the new software does not ignore the validity.
>
> They might even have done a backup restore operation and restored an old
> certificate.

Thank you for being firm that something /else/ changed.
Not the certificate.

You gave me an idea of where to look, which is probably what happened.
I think I did change the stunnel.conf file as I noticed in my backups:
[Neodome]
client = yes
accept = 127.0.0.1:62563
connect = news.neodome.net:563
verify = 0
;verifyChain = yes
;CAfile = ca-certs.pem
;checkHost = news.neodome.net
;OCSPaia = yes

I went back to the original email about the setup, and lo and behold the
ONLY thing the admin told me to use was the "verify = 0" line (which he
said was because it was a self-signed certificate).

He never gave me the rest of those lines.
I must have boilerplated them, and commented them out at that time.

This probably explains what happened.

The certificate probably was expired all along.
I probably had the correct commented out entries for a long time.
At some point, I uncommented those entries (not understanding them).
That's almost certainly when the error occurred without me noticing.
Since then, it has failed.

Just now I set the file back to what it was in that backup.
That "verify = 0" (without the others) worked to post to Neodome!

Of course, sTunnel gives the warning:
Service [Neodome] needs authentication to prevent MITM attacks

But it's working again.
Thank you for reminding me of what happened a few weeks ago.

This one can be chalked up to user error.

Re: Check certificate for news server (testing neodome)

<rkknpi97pncu6kq96os6rddfoh3kiucvp5@joergwalther.my-fqdn.de>

https://novabbs.com/computers/article-flat.php?id=3659&group=alt.free.newsservers#3659
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!newsreader4.netcologne.de!news.netcologne.de!peer01.ams1!peer.ams1.xlned.com!news.xlned.com!peer01.iad!feed-me.highwinds-media.com!news.highwinds-media.com!fx34.iad.POSTED!not-for-mail
From: joerg.wa...@magenta.de (Joerg Walther)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Message-ID: <rkknpi97pncu6kq96os6rddfoh3kiucvp5@joergwalther.my-fqdn.de>
References: <undqeu$tpek$1@paganini.bofh.team> <te1s6kxkvs.ln2@Telcontar.valinor> <unfp57$15kco$1@paganini.bofh.team> <ung4q6$5f9h$2@solani.org> <ung5ov$167o5$1@paganini.bofh.team> <unga36$5hkb$2@solani.org> <unght8$16rj2$1@paganini.bofh.team>
X-Newsreader: Forte Agent 6.00/32.1186
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Lines: 17
X-Complaints-To: abuse@easynews.com
Organization: Easynews - www.easynews.com
X-Complaints-Info: Please be sure to forward a copy of ALL headers otherwise we will be unable to process your complaint properly.
Date: Mon, 08 Jan 2024 11:49:03 +0100
X-Received-Bytes: 1386
 by: Joerg Walther - Mon, 8 Jan 2024 10:49 UTC

Ronald wrote:

>> A newsreader can directly contact the newsserver.
>
>Yes. I can use Dialog without sTunnel.
>But it's old encryption with Dialog.

I do not really understand why you need encryption since you are posting
to publically readable newsgroups anyway. If you were doing binaries
instead...

-jw-

--

And now for something completely different...

Re: Check certificate for news server (testing neodome)

<ungkav$16v7g$1@paganini.bofh.team>

https://novabbs.com/computers/article-flat.php?id=3660&group=alt.free.newsservers#3660
Path: i2pn2.org!i2pn.org!news.hispagatos.org!news.nntp4.net!paganini.bofh.team!not-for-mail
From: ron...@nospam.me (Ronald)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 05:55:27 -0500
Organization: To protect and to server
Message-ID: <ungkav$16v7g$1@paganini.bofh.team>
References: <undqeu$tpek$1@paganini.bofh.team> <te1s6kxkvs.ln2@Telcontar.valinor> <unfp57$15kco$1@paganini.bofh.team> <ung4q6$5f9h$2@solani.org> <ung5ov$167o5$1@paganini.bofh.team> <unga36$5hkb$2@solani.org> <unght8$16rj2$1@paganini.bofh.team> <rkknpi97pncu6kq96os6rddfoh3kiucvp5@joergwalther.my-fqdn.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 8 Jan 2024 10:55:28 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="1277168"; posting-host="R8jzoRbLjiM/r2rQyny/kg.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
User-Agent: 40tude_Dialog/2.0.15.41 (Beta 38)
Cancel-Lock: sha256:3O3MlrwJLue3tLJnLvUr4R/NGD7MZO+PZe8jL5TqVrs=
X-Notice: Filtered by postfilter v. 0.9.3
 by: Ronald - Mon, 8 Jan 2024 10:55 UTC

On Mon, 08 Jan 2024 11:49:03 +0100, Joerg Walther wrote:

> I do not really understand why you need encryption since you are posting
> to publically readable newsgroups anyway. If you were doing binaries
> instead...

I agree with you.

I don't need encryption for my own sense of security but the Neodome server
will not allow any posting without encryption. The server is what needs it.

Not me.

Re: Check certificate for news server (testing neodome)

<ungkpf$170ai$1@paganini.bofh.team>

https://novabbs.com/computers/article-flat.php?id=3661&group=alt.free.newsservers#3661
Path: i2pn2.org!i2pn.org!paganini.bofh.team!not-for-mail
From: ron...@nospam.me (Ronald)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 06:03:11 -0500
Organization: To protect and to server
Message-ID: <ungkpf$170ai$1@paganini.bofh.team>
References: <undqeu$tpek$1@paganini.bofh.team> <unevbk$6eke$2@solani.org> <ung57r$166to$1@paganini.bofh.team> <s2ss6kxr43.ln2@Telcontar.valinor> <ungg3j$5hkb$5@solani.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 8 Jan 2024 11:03:12 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="1278290"; posting-host="R8jzoRbLjiM/r2rQyny/kg.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
User-Agent: 40tude_Dialog/2.0.15.41 (Beta 38)
Cancel-Lock: sha256:IBrSP5J8CilJvGBFOiZ4b8bTgvhVAUvUfAz4pXPSisM=
X-Notice: Filtered by postfilter v. 0.9.3
 by: Ronald - Mon, 8 Jan 2024 11:03 UTC

On Mon, 8 Jan 2024 10:43:15 +0100, Marco Moock wrote:

>> Why are you using a tunnel? :-?
>
> Because his ancient newsreader doesn't support current encryption
> technology.

It's solved now.

You and others helped me figure out the problem because you convinced me it
wasn't the certificate that changed so I went back to my backup conf files.

In those backups I had all the sTunnel certification lines commented out!
The only certificate-related line not commented out was "verify = 0".

I again commented out those other lines, and now sTunnel works to post.

Of course sTunnel complains that MITM attacks can happen but I'm not
worried about that (as I only use encryption because Neodome requires it).

Even the original email from the Neodome admin only mentions that one line,
saying it's needed because it's a self-signed certificate.

What must have happened is at some point I uncommented those lines.
Silly me. The problem turns out to have been self inflicted.

What I learned in this thread is that there are two separate tasks.
One is CHECKING the certificate.
The other is ENCRYPTING the packets.

By setting "verify = 0" I'm telling sTunnel to NOT check the certificate.
So it doesn't matter that it has been expired for over three years.

It's still doing the encryption.
And yes, I'm subject to MITM attacks (which doesn't bother me).

Thank you for helping me figure out what the problem was.
It was all my fault.

Thank you and others for helping me track down the cause & solution.
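
An added example, not part of any post in this thread: a small Python audit of stunnel.conf text that reports which peer authentication each service ends up with, illustrating the checking-versus-encrypting distinction and the commented-out lines discussed above. It assumes stunnel's documented meanings for verify, verifyChain and verifyPeer and that a later option overrides an earlier one; the section names, the pinned variant and neodome-peer.pem are constructed placeholders.

```python
# Constructed sample: two states of the service from the thread plus a hypothetical pinned variant.
SAMPLE_CONF = """\
[Neodome-backup]
client = yes
connect = news.neodome.net:563
verify = 0
;verifyChain = yes

[Neodome-uncommented]
client = yes
verify = 0
verifyChain = yes
CAfile = ca-certs.pem

[Neodome-pinned]
client = yes
verifyPeer = yes
CAfile = neodome-peer.pem
"""

def audit(conf_text):
    """Map each service section to the peer authentication it ends up with."""
    services, cur = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":        # blank line or commented-out option
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = services.setdefault(line[1:-1], {"chain": False, "peer": False})
            continue
        if cur is None or "=" not in line:     # global options are ignored here
            continue
        key, value = (part.strip().lower() for part in line.split("=", 1))
        if key == "verify":                    # obsolete numeric level, resets both
            level = int(value)
            cur["chain"], cur["peer"] = level in (1, 2, 3), level in (3, 4)
        elif key == "verifychain":
            cur["chain"] = value == "yes"
        elif key == "verifypeer":
            cur["peer"] = value == "yes"
    labels = {(False, False): "encrypted, peer not authenticated",
              (True, False): "chain verified against CAfile",
              (False, True): "peer certificate pinned",
              (True, True): "chain verified and peer pinned"}
    return {name: labels[(s["chain"], s["peer"])] for name, s in services.items()}

if __name__ == "__main__":
    for name, state in audit(SAMPLE_CONF).items():
        print(f"{name}: {state}")
```

The first section is the state that draws the "needs authentication to prevent MITM attacks" warning; the second is the state in which a self-signed certificate that is not in CAfile gets rejected.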

Re: Check certificate for news server (testing neodome)

<ungl4l$5hkb$8@solani.org>

https://novabbs.com/computers/article-flat.php?id=3662&group=alt.free.newsservers#3662
Path: i2pn2.org!i2pn.org!news.hispagatos.org!news.nntp4.net!weretis.net!feeder8.news.weretis.net!reader5.news.weretis.net!news.solani.org!.POSTED!not-for-mail
From: mm+sol...@dorfdsl.de (Marco Moock)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 12:09:09 +0100
Message-ID: <ungl4l$5hkb$8@solani.org>
References: <undqeu$tpek$1@paganini.bofh.team>
<unevbk$6eke$2@solani.org>
<ung57r$166to$1@paganini.bofh.team>
<s2ss6kxr43.ln2@Telcontar.valinor>
<ungg3j$5hkb$5@solani.org>
<ungkpf$170ai$1@paganini.bofh.team>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 8 Jan 2024 11:09:09 -0000 (UTC)
Injection-Info: solani.org;
logging-data="181899"; mail-complaints-to="abuse@news.solani.org"
Cancel-Lock: sha1:zLrZZSKHcwkp2QdV2tz6JmSBHKk=
X-Newsreader: Claws Mail 4.2.0 (GTK 3.24.38; x86_64-pc-linux-gnu)
X-User-ID: eJwNyMERwDAIA7CVUsBuGKdQvP8IyU8nOB/2GwQDgv6MrG2RfV17ZemTbmWXjSvcuGj0KUw7DirZEXk=
 by: Marco Moock - Mon, 8 Jan 2024 11:09 UTC

On 08.01.2024 at 06:03:11, Ronald wrote:

> Of course sTunnel complains that MITM attacks can happen but I'm not
> worried about that (as I only use encryption because Neodome requires
> it).

You can use 119 without STARTTLS.

> Even the original email from the Neodome admin only mentions that one
> line, saying it's needed because it's a self-signed certificate.
>
> What must have happened is at some point I uncommented those lines.
> Silly me. The problem turns out to have been self inflicted.
>
> What I learned in this thread is that there are two separate tasks.
> One is CHECKING the certificate.
> The other is ENCRYPTING the packets.

And reading/posting is another task.
If one of those works, the connection is established.

> By setting "verify = 0" I'm telling sTunnel to NOT check the
> certificate. So it doesn't matter that it has been expired for over
> three years.

That will ignore that it is expired.
But that won't fix the problem that you aren't allowed to post.

Re: Check certificate for news server (testing neodome)

<ungl9l$5hkb$9@solani.org>

https://novabbs.com/computers/article-flat.php?id=3663&group=alt.free.newsservers#3663
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!reader5.news.weretis.net!news.solani.org!.POSTED!not-for-mail
From: mm+sol...@dorfdsl.de (Marco Moock)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 12:11:49 +0100
Message-ID: <ungl9l$5hkb$9@solani.org>
References: <undqeu$tpek$1@paganini.bofh.team>
<te1s6kxkvs.ln2@Telcontar.valinor>
<unfp57$15kco$1@paganini.bofh.team>
<ung4q6$5f9h$2@solani.org>
<ung5ov$167o5$1@paganini.bofh.team>
<unga36$5hkb$2@solani.org>
<unght8$16rj2$1@paganini.bofh.team>
<rkknpi97pncu6kq96os6rddfoh3kiucvp5@joergwalther.my-fqdn.de>
<ungkav$16v7g$1@paganini.bofh.team>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 8 Jan 2024 11:11:49 -0000 (UTC)
Injection-Info: solani.org;
logging-data="181899"; mail-complaints-to="abuse@news.solani.org"
Cancel-Lock: sha1:cFF/81BzFx4/Jdvr2TwCDMxW2FU=
X-Newsreader: Claws Mail 4.2.0 (GTK 3.24.38; x86_64-pc-linux-gnu)
X-User-ID: eJwFwQkBwDAIA0BLgxIeOZAV/xJ6h+PiDHO4YbGpFDb1ZjhM1K51SRqGNUeniOr/7kjJVxsPFz8RCQ==
 by: Marco Moock - Mon, 8 Jan 2024 11:11 UTC

On 08.01.2024 at 05:55:27, Ronald wrote:

> I don't need encryption for my own sense of security but the Neodome
> server will not allow any posting without encryption. The server is
> what needs it.

I am not allowed to post with encryption via 563 (unauthenticated).
