Networking Forums

Unable to use stunnel with tin...

 
 
Ant
      06-15-2008, 06:20 AM
Hi.

I am a newbie with stunnel and news servers that use SSL connections.
What am I doing wrong as shown below? I also tried shutting down the
firewall via Guarddog program, but it didn't make any differences.

$ stunnel -c -d 1119 -r news.giganews.com:563; tin -g localhost -p 1119
tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008
Iain Lea.
Connecting to localhost:1119...
socket or connect problem
Failed to connect to NNTP server localhost. Exiting...

Thank you in advance.
--
"The ants are back Ted!" --Dougal from Father Ted TV show.
/\___/\
/ /\ /\ \ Phil/Ant @ http://antfarm.home.dhs.org (Personal Web Site)
| |o o| | Ant's Quality Foraged Links (AQFL): http://aqfl.net
\ _ / Remove ANT from e-mail address: (E-Mail Removed)NT
( ) or (E-Mail Removed)
Go Los Angeles/L.A. Lakers. Ant is/was listening to a song on his home
computer: Covenant - Dead Stars (Longer)
 

andrew

 
      06-15-2008, 07:30 AM
["Followup-To:" header set to comp.os.linux.misc.]
On 2008-06-15, Ant <(E-Mail Removed)> wrote:

> $ stunnel -c -d 1119 -r news.giganews.com:563; tin -g localhost -p 1119
> tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008
> Iain Lea.
> Connecting to localhost:1119...
> socket or connect problem
> Failed to connect to NNTP server localhost. Exiting...


Hmmmm..... do you mean 119 rather than 1119?

Andrew

--
Do you think that's air you're breathing now?
 

Ant

 
      06-15-2008, 07:52 AM
On 6/15/2008 12:30 AM PT, andrew typed:

>> $ stunnel -c -d 1119 -r news.giganews.com:563; tin -g localhost -p 1119
>> tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008
>> Iain Lea.
>> Connecting to localhost:1119...
>> socket or connect problem
>> Failed to connect to NNTP server localhost. Exiting...

>
> Hmmmm..... do you mean 119 rather than 1119?


Same error/result:
$ stunnel -c -d 119 -r news.giganews.com:563; tin -g localhost -p 119
tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008
Iain Lea.
Connecting to localhost...
socket or connect problem
Failed to connect to NNTP server localhost. Exiting...
--
/\___/\
/ /\ /\ \ Phil/Ant @ http://antfarm.home.dhs.org (Personal Web Site)
| |o o| | Ant's Quality Foraged Links (AQFL): http://aqfl.net
\ _ / Remove ANT from e-mail address: (E-Mail Removed)NT
( ) or (E-Mail Removed)
Ant is currently not listening to any songs on his home computer. Go
Los Angeles/L.A. Lakers!
 

Trevor Hemsley

 
      06-15-2008, 09:39 AM
On Sun, 15 Jun 2008 07:52:06 UTC in comp.os.linux.questions, Ant
<(E-Mail Removed)> wrote:

> On 6/15/2008 12:30 AM PT, andrew typed:
>
> >> $ stunnel -c -d 1119 -r news.giganews.com:563; tin -g localhost -p 1119
> >> tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008
> >> Iain Lea.
> >> Connecting to localhost:1119...
> >> socket or connect problem
> >> Failed to connect to NNTP server localhost. Exiting...

> >
> > Hmmmm..... do you mean 119 rather than 1119?

>
> Same error/result:
> $ stunnel -c -d 119 -r news.giganews.com:563; tin -g localhost -p 119
> tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008
> Iain Lea.
> Connecting to localhost...
> socket or connect problem
> Failed to connect to NNTP server localhost. Exiting...


It might help if you were using a slightly less prehistoric version of stunnel -
v3 was already old about 5 years ago. The newer v4 does everything via
stunnel.conf and mine looks like this:

cert = stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes
[nntps]
accept = 127.0.0.1:119
connect = news.giganews.com:563

With this, you might also want the debugging options set on while you get it to
work.

debug = 7
output = stunnel.log

To listen on a local port < 1024 you will need to run stunnel as root.

--
Trevor Hemsley, Brighton, UK
Trevor dot Hemsley at ntlworld dot com
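One caveat a reader should take away from the v4 config above: it tunnels, but it does not authenticate. Without a verify line and a CAfile/CApath, stunnel in client mode accepts whatever certificate the far end presents, so the TLS hop defeats passive sniffing of your news password but not an active man-in-the-middle. stunnel's own sample stunnel.conf ships those lines commented out (;verify = 2, ;CAfile = ...), which is easy to miss. The script below is an added example, not Trevor's config and not part of stunnel: a shell function that lints a stunnel 4.x client config for the settings a reviewer looks at (client mode, verify level, a CA to validate against, no SSLv2/SSLv3 pin, chroot/setuid, and an accept bound to an address rather than all interfaces). The two embedded configs are constructed for the demonstration: weak.conf is the config quoted above, hard.conf is the same nntps tunnel with verify = 2 and a CA bundle, a TLSv1 pin, the Debian chroot/setuid settings, and accept on 127.0.0.1:1119 (loopback only, and no root needed for a port above 1023). The bundle path /etc/ssl/certs/ca-certificates.crt and the stunnel4 user are assumptions; use what your system has. Note that verify = 2 validates the chain, not that the name in the certificate is news.giganews.com; verify = 3 against a saved copy of the server's own certificate is the pinning alternative.

```shell
#!/bin/sh
# Added example, not from the thread or the stunnel project: lint a stunnel 4.x
# client-mode configuration for the settings that decide whether the tunnel
# authenticates the remote server and drops privileges.
# Options are collected from the global section and all [service] sections
# together, which is enough for a single-service client config like the one
# in the thread. File names and both sample configs are constructed.

# check_stunnel_client_conf FILE
# Prints one finding per line and returns 1 if any were found, 0 otherwise.
check_stunnel_client_conf() {
    findings=$(awk '
        /^[ \t]*[;#]/ { next }                       # comment lines
        /^[ \t]*\[/   { next }                       # [service] headers
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            if (line == "") next
            eq = index(line, "=")                    # split on the first "="
            if (eq == 0) next
            key = tolower(substr(line, 1, eq - 1)); sub(/[ \t]+$/, "", key)
            val = tolower(substr(line, eq + 1));    sub(/^[ \t]+/, "", val)
            opt[key] = val
        }
        END {
            if (opt["client"] != "yes")
                print "client is not yes: this is not a client-mode config"
            if (opt["verify"] == "")
                print "no verify: the server certificate is accepted unchecked"
            else if (opt["verify"] + 0 < 2)
                print "verify < 2: a valid peer certificate is not required"
            if (opt["cafile"] == "" && opt["capath"] == "")
                print "no CAfile/CApath: nothing to validate the chain against"
            if (opt["sslversion"] == "sslv2" || opt["sslversion"] == "sslv3")
                print "sslVersion pins a broken protocol: " opt["sslversion"]
            if (opt["chroot"] == "")
                print "no chroot: a compromised stunnel sees the whole filesystem"
            if (opt["setuid"] == "")
                print "no setuid: stunnel keeps the uid it was started with"
            if (opt["accept"] != "" && index(opt["accept"], ":") == 0)
                print "accept has no bind address: plaintext side listens on all interfaces"
        }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# write_samples DIR
# Writes weak.conf (the config quoted in the thread) and hard.conf (the same
# tunnel with the hardening applied) into DIR. Both are constructed samples.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
cert = stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes
[nntps]
accept = 127.0.0.1:119
connect = news.giganews.com:563
EOF
    cat > "$1/hard.conf" <<'EOF'
; run unprivileged inside a jail; the pid path is relative to the chroot
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
client = yes
; do not negotiate SSLv2/SSLv3
sslVersion = TLSv1
; require and validate the server certificate. CAfile is loaded at startup,
; before the chroot, so this is a real path, not a jail path (bundle assumed)
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[nntps]
; loopback only, unprivileged port: no root needed, nothing exposed to the LAN
accept = 127.0.0.1:1119
connect = news.giganews.com:563
EOF
}

# Usage: sh check_stunnel_conf.sh /etc/stunnel/stunnel.conf [more.conf ...]
if [ $# -gt 0 ]; then
    status=0
    for f in "$@"; do
        echo "== $f"
        check_stunnel_client_conf "$f" || status=1
    done
    exit "$status"
fi
```

Run against the quoted config the checker reports four findings (no verify, no CAfile/CApath, no chroot, no setuid); against hard.conf it reports none. Point tin at 127.0.0.1:1119 afterwards, exactly as in the first post, and keep debug = 7 / output = ... in the config until the handshake is known to succeed.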
 

Ant

 
      06-15-2008, 10:04 AM
On 6/15/2008 2:39 AM PT, Trevor Hemsley typed:

>>>> $ stunnel -c -d 1119 -r news.giganews.com:563; tin -g localhost -p 1119
>>>> tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008
>>>> Iain Lea.
>>>> Connecting to localhost:1119...
>>>> socket or connect problem
>>>> Failed to connect to NNTP server localhost. Exiting...


>>> Hmmmm..... do you mean 119 rather than 1119?


>> Same error/result:
>> $ stunnel -c -d 119 -r news.giganews.com:563; tin -g localhost -p 119
>> tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008
>> Iain Lea.
>> Connecting to localhost...
>> socket or connect problem
>> Failed to connect to NNTP server localhost. Exiting...

>
> It might help if you were using a slightly less prehistoric version of stunnel -
> v3 was already old about 5 years ago. The newer v4 does everything via
> stunnel.conf and mine looks like this:


Here is the version in Debian (I apt-get update and upgrade daily):

$ stunnel
2008.06.15 02:55:30 LOG3[29444:3083032240]: Either -r, -l (or -L) option
must be used


> cert = stunnel.pem
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
> client = yes
> [nntps]
> accept = 127.0.0.1:119
> connect = news.giganews.com:563
>
> With this, you might also want the debugging options set on while you get it to
> work.
>
> debug = 7
> output = stunnel.log
>
> To listen on a local port < 1024 you will need to run stunnel as root.


Shouldn't command line parameters be enough? I searched (locate command)
for stunnel.conf, but it is nowhere found. Your debugging comment gave
me an idea:

$ stunnel -o stunnel.log -D 7 -c -d 1119 -r news.giganews.com:563; tin
-g lalhost -p 1119

$ more stunnel.log . Exiting...
2008.06.15 02:59:47 LOG5[29636:3083413168]: Using
'news.giganews.com.563' as tcpwrapper service name
2008.06.15 02:59:47 LOG7[29636:3083413168]: RAND_status claims
sufficient entropy for the PRNG
2008.06.15 02:59:47 LOG6[29636:3083413168]: PRNG seeded successfully
2008.06.15 02:59:47 LOG5[29636:3083413168]: stunnel 3.26 on
i486-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.8g 19 Oct 2007
2008.06.15 02:59:47 LOG3[29637:3083413168]: Argument to -P
(/var/run/stunnel/) is not valid a directory name

Is it because of /var/run/stunnel/? If so, then how do I fix it? I tried
making a /var/run/stunnel/, but it didn't make any differences when I
retried.
--
"The ants are back Ted!" --Dougal from Father Ted TV show.
/\___/\
/ /\ /\ \ Phil/Ant @ http://antfarm.home.dhs.org (Personal Web Site)
| |o o| | Ant's Quality Foraged Links (AQFL): http://aqfl.net
\ _ / Remove ANT from e-mail address: (E-Mail Removed)NT
( ) or (E-Mail Removed)
Ant is currently not listening to any songs on his home computer. Go
Los Angeles/L.A. Lakers!
 

Trevor Hemsley

 
      06-15-2008, 11:06 AM
On Sun, 15 Jun 2008 10:04:20 UTC in comp.os.linux.questions, Ant
<(E-Mail Removed)> wrote:

> Here is the version in Debian (I apt-get update and upgrade daily):


Sorry, I can't help, v3 is too old and I have forgotten all about it. The
difference between v3 and v4 is mainly the addition of stunnel.conf and the
dropping of all the command line parameters. I have no idea why Debian should
continue to ship something that hasn't been updated in about 7 years but all
other distros that I've used switched to v4 a long time ago.

I do know that stunnel is very fussy about permissions on all its directories
though so it's possible that just creating the directory is not enough, you
might have to chown/chmod it too. It's also possible that stunnel is running
from a chroot jail in which case you might need to be creating
/<chroot-jail>/var/run/stunnel

--
Trevor Hemsley, Brighton, UK
Trevor dot Hemsley at ntlworld dot com
 

Darren Salt

 
      06-15-2008, 01:45 PM
I demand that Trevor Hemsley may or may not have written...

> On Sun, 15 Jun 2008 10:04:20 UTC in comp.os.linux.questions, Ant
> <(E-Mail Removed)> wrote:
>> Here is the version in Debian (I apt-get update and upgrade daily):


> Sorry, I can't help, v3 is too old and I have forgotten all about it. The
> difference between v3 and v4 is mainly the addition of stunnel.conf and the
> dropping of all the command line parameters. I have no idea why Debian
> should continue to ship something that hasn't been updated in about 7 years
> but all other distros that I've used switched to v4 a long time ago.


http://packages.debian.org/search?keywords=stunnel
http://packages.debian.org/search?keywords=stunnel4

[snip]
--
| Darren Salt | linux or ds at | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Output less CO2 => avoid massive flooding. TIME IS RUNNING OUT *FAST*.

Jack the Ripper excused himself on the grounds that it was human nature.
 

Ant

 
      06-15-2008, 05:09 PM
On 6/15/2008 4:06 AM PT, Trevor Hemsley typed:

>> Here is the version in Debian (I apt-get update and upgrade daily):

>
> Sorry, I can't help, v3 is too old and I have forgotten all about it. The
> difference between v3 and v4 is mainly the addition of stunnel.conf and the
> dropping of all the command line parameters. I have no idea why Debian should
> continue to ship something that hasn't been updated in about 7 years but all
> other distros that I've used switched to v4 a long time ago.
>
> I do know that stunnel is very fussy about permissions on all its directories
> though so it's possible that just creating the directory is not enough, you
> might have to chown/chmod it too. It's also possible that stunnel is running
> from a chroot jail in which case you might need to be creating
> /<chroot-jail>/var/run/stunnel


Someone else suggested:

$ stunnel -f -c -d 1119 -r news.giganews.com:563
2008.06.15 09:45:06 LOG5[2756:3082602160]: Using 'news.giganews.com.563'
as tcpwrapper service name
2008.06.15 09:45:06 LOG5[2756:3082602160]: stunnel 3.26 on
i486-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.8g 19 Oct 2007
2008.06.15 09:45:06 LOG3[2756:3082602160]: Argument to -P
(/var/run/stunnel/) is not valid a directory name

Then, I tried uninstalling and reinstalling stunnel and stunnel4
packages via apt-get command. I retried and got different results:

$ stunnel -f -c -d 1119 -r news.giganews.com:563
2008.06.15 10:02:12 LOG5[3325:3082749616]: stunnel 4.22 on
i486-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007
2008.06.15 10:02:12 LOG5[3325:3082749616]: Threading:PTHREAD SSL:ENGINE
Sockets:POLL,IPv6 Auth:LIBWRAP
2008.06.15 10:02:12 LOG5[3325:3082749616]: 500 clients allowed
2008.06.15 10:02:12 LOG3[3325:3082749616]: Cannot create pid file
/var/run/stunnel4.pid
2008.06.15 10:02:12 LOG3[3325:3082749616]: create: Permission denied (13)
$ ls -l stunnel*
total 0
$ ls -l
total 160
srw-rw-rw- 1 root root 0 2008-05-28 12:52 acpid.socket
-rw-r--r-- 1 root root 5 2008-06-01 14:56 apcupsd.pid
-rw-r--r-- 1 root root 6 2008-03-24 11:38 crond.pid
---------- 1 root root 0 2008-03-11 20:49 crond.reboot
drwxr-xr-x 3 root lp 4096 2008-06-15 06:25 cups
drwxr-xr-x 2 messagebus messagebus 4096 2008-05-07 14:11 dbus
-rw-r--r-- 1 root root 6 2008-06-15 06:25 denyhosts.pid
drwxr-xr-x 2 root root 4096 2008-06-15 06:25 dirmngr
-rw-r--r-- 1 root root 6 2008-06-15 06:25 dirmngr.pid
drwxr-x--- 2 Debian-exim Debian-exim 4096 2008-04-13 15:17 exim4
-rw-r--r-- 1 root root 5 2008-03-11 20:49 gpm.pid
drwxr-xr-x 2 haldaemon haldaemon 4096 2008-06-03 17:21 hal
drwxr-xr-x 2 hplip root 4096 2007-12-23 14:02 hplip
drwxr-xr-x 2 identd nogroup 4096 2008-03-12 12:33 identd
-rw-r--r-- 1 root root 6 2008-05-01 12:23 inetd.pid
-rw-r--r-- 1 root root 6 2008-06-14 23:36 klogd.pid
-rw-r--r-- 1 root root 352 2008-03-11 20:49 motd
drwxr-xr-x 2 root root 4096 2008-03-11 20:49 network
-rw-r--r-- 1 root root 5 2008-05-20 11:10 ntpd.pid
drwxr-xr-t 2 root root 4096 2008-06-13 06:30 pcscd
drwxr-xr-x 3 root root 4096 2008-06-06 06:42 samba
drwxrwxr-x 5 root utmp 4096 2007-11-15 21:00 screen
-rw------- 1 root root 5 2008-03-22 12:19 smartd.pid
drwxr-xr-x 2 root root 4096 2007-07-30 02:24 sshd
-rw-r--r-- 1 root root 6 2008-06-11 06:39 sshd.pid
drwxr-xr-x 2 stunnel4 stunnel4 4096 2008-06-15 10:00 stunnel4
-rw-r--r-- 1 root root 6 2008-06-14 23:36 syslogd.pid
-r----S--- 1 root root 5 2008-05-07 14:11 system-tools-backends.pid
-rw-rw-r-- 1 root utmp 13440 2008-06-15 09:45 utmp
drwxr-xr-x 2 root root 4096 2008-05-04 22:42 VirtualBox
srwxr-xr-x 1 root root 0 2008-06-02 20:48 vmnat.356
-rw-r--r-- 1 root root 4 2008-06-02 20:48 vmnet-bridge-0.pid
-rw-r----- 1 root root 4 2008-06-02 20:48 vmnet-dhcpd-vmnet1.pid
-rw-r----- 1 root root 4 2008-06-02 20:48 vmnet-dhcpd-vmnet8.pid
-rw-r--r-- 1 root root 18 2008-06-02 20:48 vmnet-natd-8.mac
-rw-r--r-- 1 root root 4 2008-06-02 20:48 vmnet-natd-8.pid
-rw-r--r-- 1 root root 4 2008-06-02 20:48 vmnet-netifup-vmnet1.pid
-rw-r--r-- 1 root root 4 2008-06-02 20:48 vmnet-netifup-vmnet8.pid
drwxr-xr-x 3 root root 4096 2008-06-10 21:26 vmware
drwxr-xr-x 2 root root 4096 2008-04-11 10:54 vsftpd

It seems like it is mentioning the same permission problems you are
referring to. Do I chown and chmod to my user/accountname or what? I
don't know what this chroot jail thing is about.
--
"The tiny ant dares to enter the lion's ear." --Armenian
/\___/\
/ /\ /\ \ Phil/Ant @ http://antfarm.home.dhs.org (Personal Web Site)
| |o o| | Ant's Quality Foraged Links (AQFL): http://aqfl.net
\ _ / Remove ANT from e-mail address: (E-Mail Removed)NT
( ) or (E-Mail Removed)
Ant is currently not listening to any songs on his home computer. Go
Los Angeles/L.A. Lakers!
 

Trevor Hemsley

 
      06-15-2008, 06:54 PM
On Sun, 15 Jun 2008 17:09:52 UTC in comp.os.linux.questions, Ant
<(E-Mail Removed)> wrote:

> Do I chown and chmod to my user/accountname or what? I
> don't know what this chroot jail thing is about.


Here's a working set up from a Centos 5 system which should give you an idea of
how it works.

cert = /etc/stunnel/stunnel.pem
chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
; PID is created inside chroot jail (/var/run/stunnel/stunnel.pid)
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes
output = /stunnel.log

chroot = points to a directory and all other paths and file names are then
relative to that - though I just checked my working system and it does not have
a /var/run/stunnel/etc/stunnel/stunnel.pem so the cert may be different. The
directory /var/run/stunnel is then owned by the uid/gid named in the
setuid/setgid lines and the dir has 700 permissions.


--
Trevor Hemsley, Brighton, UK
Trevor dot Hemsley at ntlworld dot com
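Trevor's ownership point is the one that actually explains the errors in this thread. As the comment in his config says, the pid file is created inside the chroot jail, and with the jail owned by the setuid/setgid user at mode 700 that user is the only one who can create it. The Debian failure, "Cannot create pid file /var/run/stunnel4.pid: Permission denied", is the same class of problem: whichever uid stunnel holds when it writes the pid file must be allowed to create it at that path, and an ordinary user cannot create files in a root-owned /var/run. The script below is an added example, not Trevor's setup and not part of stunnel: one function prepares a jail directory the way his CentOS system has it (owned by the unprivileged user, mode 0700), the other audits an existing directory and says what is wrong. The one assumption is the ls -ld layout (field 1 is the mode string, field 3 the owner), which holds for GNU and BSD ls; the chown step needs root when the target user is not the caller.

```shell
#!/bin/sh
# Added example, not from the thread or the stunnel project: prepare and audit
# the directory stunnel 4 uses as its chroot jail (Trevor's /var/run/stunnel/,
# Debian's /var/lib/stunnel4/). The jail must be owned by the setuid user so
# the pid file, written inside the jail after privileges are dropped, can be
# created, and should be mode 0700 so nothing else can tamper with it.
# Parsing "ls -ld" output is the one assumption: field 1 is the mode string,
# field 3 the owner.

# prepare_stunnel_rundir DIR USER GROUP
# Creates DIR if needed and gives it to USER:GROUP with mode 0700.
# Needs root when USER is not the caller (chown to another uid).
prepare_stunnel_rundir() {
    mkdir -p "$1" || return 1
    chown "$2:$3" "$1" || return 1
    chmod 0700 "$1" || return 1
}

# check_stunnel_rundir DIR USER
# Returns 0 if DIR is a directory owned by USER with mode drwx------,
# otherwise prints why and returns 1.
check_stunnel_rundir() {
    dir=$1
    user=$2
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory (stunnel cannot chroot into it)"
        return 1
    fi
    set -- $(ls -ld "$dir")          # $1 = mode string, $3 = owner
    mode=$1
    owner=$3
    rc=0
    if [ "$owner" != "$user" ]; then
        echo "$dir: owned by $owner, not $user: pid file cannot be created after setuid"
        rc=1
    fi
    case $mode in
        drwx------*) ;;              # what we want; a trailing + or . is an ACL/SELinux marker
        *)
            echo "$dir: mode is $mode, expected drwx------"
            rc=1
            ;;
    esac
    return $rc
}

# Usage: sh check_stunnel_rundir.sh /var/lib/stunnel4 stunnel4
if [ $# -ge 2 ]; then
    check_stunnel_rundir "$1" "$2"
    exit $?
fi
```

On the Debian box in the thread the audit call is check_stunnel_rundir /var/lib/stunnel4 stunnel4, matching the chroot/setuid lines in /etc/stunnel/stunnel.conf; the ls -l output above already shows /var/run/stunnel4 owned by stunnel4:stunnel4, so the missing piece there is the pid path, not the directory.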
 

Ant

 
      06-15-2008, 07:16 PM
On 6/15/2008 11:54 AM PT, Trevor Hemsley typed:

> On Sun, 15 Jun 2008 17:09:52 UTC in comp.os.linux.questions, Ant
> <(E-Mail Removed)> wrote:
>
>> Do I chown and chmod to my user/accountname or what? I
>> don't know what this chroot jail thing is about.

>
> Here's a working set up from a Centos 5 system which should give you an idea of
> how it works.
>
> cert = /etc/stunnel/stunnel.pem
> chroot = /var/run/stunnel/
> setuid = nobody
> setgid = nobody
> ; PID is created inside chroot jail (/var/run/stunnel/stunnel.pid)
> pid = /stunnel.pid
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
> client = yes
> output = /stunnel.log
>
> chroot = points to a directory and all other paths and file names are then
> relative to that - though I just checked my working system and it does not have
> a /var/run/stunnel/etc/stunnel/stunnel.pem so the cert may be different. The
> directory /var/run/stunnel is then owned by the uid/gid named in the
> setuid/setgid lines and the dir has 700 permissions.


Is your sample/example same as this one (didn't change anything in it) I
have?
# cat /etc/stunnel/stunnel.conf
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/mail.pem
;key = /etc/stunnel/mail.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = /var/log/stunnel4/stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

[pop3s]
accept = 995
connect = 110

[imaps]
accept = 993
connect = 143

[ssmtp]
accept = 465
connect = 25

;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini


If not, then where would I put this sample/example in and what filename?
--
"Now I have you where I want you... where is my jar of Bull ants?" --unknown
/\___/\
/ /\ /\ \ Phil/Ant @ http://antfarm.home.dhs.org (Personal Web Site)
| |o o| | Ant's Quality Foraged Links (AQFL): http://aqfl.net
\ _ / Remove ANT from e-mail address: (E-Mail Removed)NT
( ) or (E-Mail Removed)
Ant is currently not listening to any songs on his home computer. Go
Los Angeles/L.A. Lakers!
 