• secure binkp

    From Al@21:4/106 to Oli on Mon Dec 9 17:19:34 2019
    Hello Oli,

    Did you see Rob's post in FIDONEWS?

    I have a Synchronet here, Equinox BBS that I have listening as Rob suggested on
    port 24555 for secure binkps, and also good old binkp on 24554.

    The details for that BBS is..

    Equinox BBS
    1:153/757.2
    equinoxbbs.ddns.net

    I don't know how to initiate a poll over TLS from my binkd to it and I don't know if I have all the needed bits yet for a secure session over TLS but it is listening so feel free to try.

    Ttyl :-),
    Al

    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From Oli@21:1/151 to Al on Thu Dec 12 07:19:07 2019
    On Mon, 9 Dec 2019 17:19:34 -0800
    "Al -> Oli" <0@106.4.21> wrote:

    Hello Oli,

    Did you see Rob's post in FIDONEWS?

    I have a Synchronet here, Equinox BBS that I have listening as Rob suggested on port 24555 for secure binkps, and also good old binkp on 24554.

    The details for that BBS is..

    Equinox BBS
    1:153/757.2
    equinoxbbs.ddns.net

    I don't know how to initiate a poll over TLS from my binkd to it and
    I don't know if I have all the needed bits yet for a secure session
    over TLS but it is listening so feel free to try.

    this should work with binkley
    node 1:153/757.2 -pipe "openssl s_client -quiet -alpn binkp -connect *H:*I" equinoxbbs.ddns.net:24555

    but it doesn't.

    ? 07:12 [1059] Cannot find domain for zone 1, assuming 'fidonet'
    07:12 [1059] BEGIN, binkd/1.1a-99/Linux -p -P 1:153/757.2 /srv/ftn/binkd/binkd.cfg
    ? 07:12 [1059] Cannot find domain for zone 1, assuming 'fidonet'
    07:12 [1059] creating a poll for 1:153/757.2@fidonet (`d' flavour)
    07:12 [1059] clientmgr started
    $ -d 1:153/757.2@fidonet
    + 07:12 [1060] call to 1:153/757.2@fidonet
    + 07:12 [1060] External command 'openssl s_client -quiet -alpn binkp -connect equinoxbbs.ddns.net:24555' started, pid 1061
    07:12 [1060] connected
    + 07:12 [1060] outgoing session with equinoxbbs.ddns.net:24555
    - 07:12 [1060] hiding aka 21:1/151@fsxnet
    depth=0 C = ZZ, O = The Rusty MailBox, CN = trmb.synchro.net
    verify error:num=66:EE certificate key too weak
    verify return:1
    depth=0 C = ZZ, O = The Rusty MailBox, CN = trmb.synchro.net
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = ZZ, O = The Rusty MailBox, CN = trmb.synchro.net
    verify error:num=21:unable to verify the first certificate
    verify return:1
    1996181520:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
    ? 07:12 [1060] recv: connection closed by foreign host
    + 07:12 [1060] holding 1:153/757.2@fidonet (2019/12/12 07:22:59)
    + 07:12 [1060] done (to 1:153/757.2@fidonet, failed, S/R: 0/0 (0/0 bytes))
    07:12 [1060] session closed, quitting...
    07:12 [1060] rc(1061)=1
    07:12 [1059] rc(1060)=0
    07:12 [1059] the queue is empty, quitting...

    ncat doesn't work either. I'm mostly offline for the next couple of days or weeks. And I will not read much of the fsx/fidonet mails.

    ---
    * Origin: (21:1/151)
  • From apam@21:1/126 to Oli on Thu Dec 12 18:49:21 2019

    verify error:num=66:EE certificate key too weak
    verify return:1

    Taking bets on whether it's cryptlib related ... :P

    Andrew

    --- MagickaBBS v0.13alpha (Linux/x86_64)
    * Origin: HappyLand - telnet://magickabbs.com:2023/ (21:1/126)
  • From Al@21:4/106 to Oli on Thu Dec 12 01:52:06 2019
    Hello Oli,

    this should work with binkley
    node 1:153/757.2 -pipe "openssl s_client -quiet -alpn binkp -connect *H:*I" equinoxbbs.ddns.net:24555

    but it doesn't.

    [...]

    + 07:12 [1060] call to 1:153/757.2@fidonet
    + 07:12 [1060] External command 'openssl s_client -quiet -alpn binkp -connect equinoxbbs.ddns.net:24555' started, pid 1061 07:12 [1060] connected + 07:12 [1060] outgoing session with
    equinoxbbs.ddns.net:24555 - 07:12 [1060] hiding aka
    21:1/151@fsxnet depth=0 C = ZZ, O = The Rusty MailBox, CN = trmb.synchro.net verify error:num=66:EE certificate key too
    weak verify return:1 depth=0 C = ZZ, O = The Rusty MailBox, CN = trmb.synchro.net verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 C = ZZ, O = The Rusty MailBox, CN
    = trmb.synchro.net verify error:num=21:unable to verify the first certificate verify return:1
    1996181520:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:

    ncat doesn't work either. I'm mostly offline for the next couple of
    days or weeks. And I will not read much of the fsx/fidonet mails.

    That is a default self signed cert. Also is was a bit old so I've deleted those
    and created new ones.

    I does actually work between binkit mailers but we may need to up that a bit to
    work with binkd. I'll try getting a cert from letsencrypt. That may work better.

    Thanks for testing and we'll catch you back here when you can make it.

    Ttyl :-),
    Al

    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From Oli@21:1/151 to Al on Thu Dec 12 12:28:34 2019

    That is a default self signed cert. Also is was a bit old so I've
    deleted those and created new ones.

    I does actually work between binkit mailers but we may need to up
    that a bit to work with binkd. I'll try getting a cert from
    letsencrypt. That may work better.

    Self-signed cert is fine with my setup. I think it has more to do with the TLS implementation binkit uses, but I'm not a TLS expert.

    Thanks for testing and we'll catch you back here when you can make it.

    ---
    * Origin: (21:1/151)
  • From Al@21:4/106 to Oli on Sun Dec 15 13:29:32 2019
    I does actually work between binkit mailers but we may need to
    up that a bit to work with binkd. I'll try getting a cert from
    letsencrypt. That may work better.

    Self-signed cert is fine with my setup. I think it has more to do
    with the TLS implementation binkit uses, but I'm not a TLS expert.

    Can you try again? I'm going to try sending to and from that point with
    binkd and just want to be sure it works before messing with it.

    Ttyl :-),
    Al

    --- MagickaBBS v0.13alpha (Linux/x86_64)
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From Oli@21:1/151 to Al on Mon Dec 16 19:40:01 2019
    On Sun, 15 Dec 2019 13:29:32 -0800
    "Al -> Oli" <0@106.4.21> wrote:

    I does actually work between binkit mailers but we may need to
    up that a bit to work with binkd. I'll try getting a cert from
    letsencrypt. That may work better.

    Self-signed cert is fine with my setup. I think it has more to
    do with the TLS implementation binkit uses, but I'm not a TLS
    expert.

    Can you try again? I'm going to try sending to and from that point
    with binkd and just want to be sure it works before messing with it.

    same error

    ---
    * Origin: REPLY (21:1/151)