There's some discussions on the Mystic area about binkp over SSL. Does anyone know if binkd support this or would I need to use something like stunnel?

I'm connected to hub2 btw.

--- ENiGMA 1/2 v0.0.11-beta (linux; arm; 12.16.1)
* Origin: sbb systems ~ (web https://bbs.sbbsystems.com | telnet bbs.sbbsystems.com:8888 | ssh bbs.sbbsystems.com:8889) (21:2/159)

Hello pokeswithastick,

There's some discussions on the Mystic area about binkp over SSL. Does anyone know if binkd support this or would I need to use something
like stunnel?

Yes, you can do this with hub 2. This is the node line I use for hub 4 in binkd.conf.

node 21:4/100@fsxnet -pipe "openssl s_client -quiet -alpn binkp -cipher ALL:@SECLEVEL=1 -connect *H:*I" bbs.castlerockbbs.com:24553 c

I'm connected to hub2 btw.

The above works for outbound polls and you'll need to adjust the hostname:port for hub 2, I'm not sure of the hub 2 hostname and port.

For incomming support I have a web server listening on port 24553 and doing the
TLS handshake and if successfull it passed the connection to my running binkd.

I think that can be done with inet.d or xinet.d also but haven't looked at that
yet. I use nginx for that. If you like I can look up the details how I did that and pass them along.

Hopefully at some point binkd will support this itself and no web servers will be needed but that is a road to travel.

Ttyl :-),
Al

--- GoldED+/LNX 1.1.5-b20180707
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)

For incomming support I have a web server listening on port 24553 and doing the TLS handshake and if successfull it passed the connection to
my running binkd.

I'm interested in this too.. though I'm connected via Hub 4, I'm not sure if it supports ssl yet.

Thanks,
matt // eggy
Eggy BBS | telnet://bbs.eggy.cc:2300 | ssh://bbs.eggy.cc:2222
fsxNet (21:4/143) | SciNet (77:1/136) | FidoNet (1:220/50)

--- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
* Origin: Eggy BBS (21:4/143)

Hello eggy,

For incomming support I have a web server listening on port 24553
and doing the TLS handshake and if successfull it passed the
connection to my running binkd.

I'm interested in this too.. though I'm connected via Hub 4, I'm not
sure if it supports ssl yet.

It does. I run TLS polls in and out with hub 4. You can poll with TLS now on port 24553 and if you have your binkp listening for tls on port 24553 (or any port really, 24553 is default) you can ask BP to send stuff there.. :)

Ttyl :-),
Al

--- GoldED+/LNX 1.1.5-b20180707
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)

On 02 Mar 2020 at 10:57p, pokeswithastick pondered and said...

There's some discussions on the Mystic area about binkp over SSL. Does anyone know if binkd support this or would I need to use something like stunnel?

I'm connected to hub2 btw.

Yes, Al and Oli can advise.. HUB 2 21:2/100 will offer this connectivity in
the coming 24 hours.

--- Mystic BBS v1.12 A46 2020/02/29 (Windows/32)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)

On 02 Mar 2020 at 05:50p, eggy pondered and said...

For incomming support I have a web server listening on port 24553 and doing the TLS handshake and if successfull it passed the connection t my running binkd.

I'm interested in this too.. though I'm connected via Hub 4, I'm not
sure if it supports ssl yet.

Hi folks

Please ensure you are connected to FSX_NET as I will be posting updates there and encourage other HUB admins to do the same.

--- Mystic BBS v1.12 A46 2020/02/29 (Windows/32)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)

Re: binkd ssl
By: pokeswithastick to All on Mon Mar 02 2020 10:57 pm

BTW: something looks odd with your message:

³ To : All
³ From: pokeswithastick (1:1/0)

I wonder if it was because your origin line was sooooo long.
...deon


... The most delicate component will drop.
--- SBBSecho 3.10-Linux
* Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)

Hello Avon,

Yes, Al and Oli can advise.. HUB 2 21:2/100 will offer this
connectivity in the coming 24 hours.

Opps.. did I jump the gun a bit.. :)

Ttyl :-),
Al

--- GoldED+/LNX 1.1.5-b20180707
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)

Hello alter,

I wonder if it was because your origin line was sooooo long.

Yes, it is. I've seen that before when origin lines wrap. SBBS seems to get the
from address wrong in that case. SBBS expects the origin to be a single line I
think.

BTW, I have polled your node successfully, for the most part. There is some kind of issue perhaps because I poll alterant.leenooks.net:24456 but get dev.bbs.leenooks.net. I get a couple of errors about the certificate.

I'll get connected to the areas and get better info for you.

Ttyl :-),
Al

--- GoldED+/LNX 1.1.5-b20180707
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)

On 02 Mar 2020 at 10:57p, pokeswithastick pondered and said...

There's some discussions on the Mystic area about binkp over SSL. Does anyone know if binkd support this or would I need to use something like stunnel?

Binkd does not support SSL out of the box. You have to
use something like stunnel.

--- Mystic BBS v1.12 A46 2020/02/29 (Windows/32)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)

On 03 Mar 2020 at 11:29a, alter ego pondered and said...

BTW: something looks odd with your message:

³ To : All
³ From: pokeswithastick (1:1/0)

I wonder if it was because your origin line was sooooo long.

Indeed! In fact, that origin line is actually two lines.
I ran into that in my packet parser and added a heuristic
to look for the origin line within three lines of the end
of the message.

--- Mystic BBS v1.12 A46 2020/02/29 (Windows/32)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)

On 02 Mar 2020, eggy said the following...

For incomming support I have a web server listening on port 24553 and doing the TLS handshake and if successfull it passed the connection t my running binkd.

I'm interested in this too.. though I'm connected via Hub 4, I'm not
sure if it supports ssl yet.

It does. :)

I've got it set up and working between a few nodes already, and 2 of the hubs.


---

Black Panther(RCS)
Castle Rock BBS

--- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
* Origin: Castle Rock BBS - bbs.castlerockbbs.com (21:1/186)

Re: binkd ssl
By: Al to alter ego on Mon Mar 02 2020 04:32 pm

BTW, I have polled your node successfully, for the most part. There is some kind of issue perhaps because I poll alterant.leenooks.net:24456 but get dev.bbs.leenooks.net. I get a couple of errors about the certificate.

Yup, that's the right machine.

I'm sure the primary error you'd be getting is self signed cert. Since we arent
really using certificates for authentication/authorisation (and I doubt anybody would be), it shouldnt really be an issue.
...deon


... A diplomat is a man who thinks twice before saying nothing.
--- SBBSecho 3.10-Linux
* Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)

Hello alter,

BTW, I have polled your node successfully, for the most part.
There is some kind of issue perhaps because I poll
alterant.leenooks.net:24456 but get dev.bbs.leenooks.net. I get a
couple of errors about the certificate.

Yup, that's the right machine.

I'm sure the primary error you'd be getting is self signed cert.

Self signed certs are not a problem. My openssl does tell me the certs are self
signed but has no problem with that.

Since we arent really using certificates for
authentication/authorisation (and I doubt anybody would be), it
shouldnt really be an issue.

Those certs are needed for TLS, even if self signed.

For some reason when I poll your node openssl complains about "unable to verify
the first certificate, verify return:1".

In spite of that I do get a successfull poll but it takes 2 minutes to get my prompt back after the session has completed. I don't know what it's waiting/hoping for but after 2 minutes it gives up and I am back at my prompt.

Is it possible you can get a self signed cert for alterant.leenooks.net somehow?

It's not a critical error but I would like my prompt back.. :)

Ttyl :-),
Al

--- GoldED+/LNX 1.1.5-b20180707
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)

Re: binkd ssl
By: Al to alter ego on Mon Mar 02 2020 06:19 pm

Is it possible you can get a self signed cert for alterant.leenooks.net somehow?

I'm not sure that will fix the problem - but lets try it.

If you connect to bbs.leenooks.net:24553, that certificate has a CN=bbs.leenooks.net
...deon


... The four stages of man are: infancy, childhood, adolescence and obsolescen --- SBBSecho 3.10-Linux
* Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)

Hello alter,

Is it possible you can get a self signed cert for
alterant.leenooks.net somehow?

I'm not sure that will fix the problem - but lets try it.

If you connect to bbs.leenooks.net:24553, that certificate has a CN=bbs.leenooks.net

ATM I'm getting a no address associated with hostname error.

Is that a new entry in DNS? In that case it might take a few hours to propagate.

Ttyl :-),
Al

--- GoldED+/LNX 1.1.5-b20180707
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)

Re: binkd ssl
By: Al to alter ego on Mon Mar 02 2020 09:54 pm

ATM I'm getting a no address associated with hostname error.

Ahh, sorry, my bad - its only used for MX.

(I cant associate a CNAME or A record, it causes other mail issues - which is why I removed it.)

If you are up for it, you can set your hosts file to use the same address as l.dlcm.co and test... (l.dlcm.co is my link address, which does change sometimes).

Otherwise, I'll work on getting a DNS resolvable address that matches the CN of
the cert that SBBS uses.
...deon


... A triangle which has an angle of 135 degrees is called an obscene triangle --- SBBSecho 3.10-Linux
* Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)

On Mar 2nd 11:20 pm Al said...

node 21:4/100@fsxnet -pipe "openssl s_client -quiet -alpn binkp -cipher ALL:@SECLEVEL=1 -connect *H:*I" bbs.castlerockbbs.com:24553 c

That's very helpful. Thanks Al.

For inbound how are you getting a certificate? Let's Encrypt or using self signed? I was wondering if something like Caddy could work. I'll have to test over the weekend.



--- ENiGMA 1/2 v0.0.11-beta (linux; arm; 12.16.1)
* Origin: sbb systems ~ (web https://bbs.sbbsystems.com | telnet bbs.sbbsystems.com:8888 | ssh bbs.sbbsystems.com:8889) (21:2/159)

Ha! Ok I'll shorten it :)

--- ENiGMA 1/2 v0.0.11-beta (linux; arm; 12.16.1)
* Origin: sbb systems ~ (web https://bbs.sbbsystems.com | telnet bbs.sbbsystems.com:8888 | ssh bbs.sbbsystems.com:8889) (21:2/159)

Hello pokeswithastick,

For inbound how are you getting a certificate? Let's Encrypt or using self signed?

I have a letsencypt cert for my website so I have been using that. A self signed cert will work just as well.

I was wondering if something like Caddy could work. I'll have to test
over the weekend.

I'm not sure what caddy is but it's quite easy to get a cert from letsencypt but you need to update it every three months.

Ttyl :-),
Al

--- GoldED+/LNX 1.1.5-b20180707
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)

Hello alter,

If you are up for it, you can set your hosts file to use the same
address as l.dlcm.co and test... (l.dlcm.co is my link address, which
does change sometimes).

I have done this and I'm still getting the same error. It now says dev.bbs.leenooks.net when I poll bbs.leenooks.net.

Otherwise, I'll work on getting a DNS resolvable address that matches
the CN of the cert that SBBS uses.

I'm not sure that is the cause of the problem although I do see verification errors. In spite of that the poll is passed to binkd and binkd completes the session. It says session closed, quiting... and then two minutes later I get my
prompt back.

I'm not sure what's really happening here.

Ttyl :-),
Al

--- GoldED+/LNX 1.1.5-b20180707
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)

On Mon, 2 Mar 2020 22:57:47 +0000
"pokeswithastick -> All" wrote:

There's some discussions on the Mystic area about binkp over SSL.
Does anyone know if binkd support this or would I need to use
something like stunnel?

For outgoing connections you can use stunnel, but the -pipe option is easier and more flexible. You can use ncat or openssl. That is what I would use:

node 21:2/100@fsxnet -pipe "openssl s_client -quiet -connect *H:24553"
or
node 21:2/100@fsxnet -pipe "ncat --ssl *H 24553"

This can be put below the node line you already have for the node (and uses the
same password and options from the previous node line). There are several variations of this.

At the moment it seems hub2 has no binkps service listening on port 24553. Hub 1, 3 and 4 are using weak certificates that openssl refuses to use for good reasons. Al posted the workaround, but it really should be fixed on the Hubs' side. If you want to use weak encryption, there is already the binkp CRYPT option.


For incoming connections, there is stunnel, haproxy or nginx. I can post examples if needed. For testing you can also use something like

ncat -lk -p 24553 --ssl-cert=cert.pem --ssl-key=cert.pem --sh-exec "ncat --ssl localhost 24554"

---
* Origin: 🊠(21:1/151)

On 03 Mar 2020 at 12:06a, Al pondered and said...

I have done this and I'm still getting the same error. It now says dev.bbs.leenooks.net when I poll bbs.leenooks.net.

@PATH: 4/106 1/133 100

Heh, the mail still flows even if I take out HUB 4 for an update :)

--- Mystic BBS v1.12 A46 2020/02/29 (Windows/32)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)

On 03 Mar 2020 at 09:07a, Oli pondered and said...

At the moment it seems hub2 has no binkps service listening on port
24553.

NET 3 should now be reachable on 24553 for BinkP SSL

Hub 1, 3 and 4 are using weak certificates that openssl refuses
to use for good reasons. Al posted the workaround, but it really should
be fixed on the Hubs' side.

What needs to be fixed and how?

--- Mystic BBS v1.12 A46 2020/02/29 (Windows/32)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)

Re: binkd ssl
By: Al to alter ego on Tue Mar 03 2020 12:06 am

I have done this and I'm still getting the same error. It now says dev.bbs.leenooks.net when I poll bbs.leenooks.net.

I'm guessing you are still polling 24556 - which is a different host (IPv4 nat going on). If you poll 24553, it should get you bbs.leenooks.net:

###

openssl s_client -connect l.dlcm.co:24553

CONNECTED(00000003)
depth=0 C = ZZ, O = ALTERANT, CN = bbs.leenooks.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = ZZ, O = ALTERANT, CN = bbs.leenooks.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=ZZ/O=ALTERANT/CN=bbs.leenooks.net
i:/C=ZZ/O=ALTERANT/CN=bbs.leenooks.net
---
Server certificate
###
...deon


... But soft, what light through yonder tagline breaks?
* Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)

Hello Avon,

@PATH: 4/106 1/133 100

Heh, the mail still flows even if I take out HUB 4 for an update :)

Aside from 1/133 and 4/100 you might see stuff from 3/100 as well.. :)

Ttyl :-),
Al

--- GoldED+/LNX 1.1.5-b20180707
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)

Hello alter,

I have done this and I'm still getting the same error. It now
says dev.bbs.leenooks.net when I poll bbs.leenooks.net.

I'm guessing you are still polling 24556 - which is a different host
(IPv4 nat going on). If you poll 24553, it should get you bbs.leenooks.net:

depth=0 C = ZZ, O = ALTERANT, CN = bbs.leenooks.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = ZZ, O = ALTERANT, CN = bbs.leenooks.net
verify error:num=21:unable to verify the first certificate
verify return:1

This is what I was hoping for but when I connect it seems to think i've connected to dev.bbs.leenooks.net.

When I poll your node I tend to get a bunch of pkt's and this info scolls off my screen. Lemme go check..

Yep, CN = dev.bbs.leenooks.net
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate

Exactly what that means I don't know.

Ttyl :-),
Al

--- GoldED+/LNX 1.1.5-b20180707
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)

Hello alter,

I'm guessing you are still polling 24556 - which is a different host
(IPv4 nat going on). If you poll 24553, it should get you bbs.leenooks.net:

If I poll on port 24553 I get your main BBS I think and an error that there is no such aka, 21:3/100. If I poll 24556 I do get your fsxNet hub, 21:3/100.

Ttyl :-),
Al

--- GoldED+/LNX 1.1.5-b20180707
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)

Re: binkd ssl
By: Al to alter ego on Tue Mar 03 2020 01:35 am

This is what I was hoping for but when I connect it seems to think i've connected to dev.bbs.leenooks.net.

Hmm, something is amiss...

IPv4:24553 is alterant (my bbs 2/116) - if you polled it, it would be unsecure (since your not defined on it), and so you shouldnt get any packets.

IPv4:24556 is Hub 3 - I see you poll it and get a bunch of stuff just fine - but yes the cert wont match the DNS name (alterant.leenooks.net - which resolves to the IPv4 address).

verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
Exactly what that means I don't know.

That is normal, since the cert is self signed - this is just telling you that you cannot validate the certificate via a 3rd party (self signed).

###
[leenooks@ov-1-1 ~]$ openssl s_client -connect l.dlcm.co:24556 CONNECTED(00000003)
depth=0 C = ZZ, O = W7-1-1, CN = dev.bbs.leenooks.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = ZZ, O = W7-1-1, CN = dev.bbs.leenooks.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=ZZ/O=W7-1-1/CN=dev.bbs.leenooks.net
i:/C=ZZ/O=W7-1-1/CN=dev.bbs.leenooks.net
---
Server certificate
###

###
[leenooks@ov-1-1 ~]$ openssl s_client -connect l.dlcm.co:24553 CONNECTED(00000003)
depth=0 C = ZZ, O = ALTERANT, CN = bbs.leenooks.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = ZZ, O = ALTERANT, CN = bbs.leenooks.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=ZZ/O=ALTERANT/CN=bbs.leenooks.net
i:/C=ZZ/O=ALTERANT/CN=bbs.leenooks.net
---
Server certificate
###
...deon


... Superior ability breeds superior ambition. Spock, stardate 3141.9.
* Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)

On Tue, 3 Mar 2020 21:31:49 +1300
"Avon -> Oli" <0@101.1.21> wrote:

On 03 Mar 2020 at 09:07a, Oli pondered and said...

At the moment it seems hub2 has no binkps service listening on
port 24553.

NET 3 should now be reachable on 24553 for BinkP SSL

Hub 1, 3 and 4 are using weak certificates that openssl refuses
to use for good reasons. Al posted the workaround, but it
really should be fixed on the Hubs' side.

What needs to be fixed and how?

Try to delete the certificate. g00r00 wrote that new auto-generated certs should work, but I'm not sure the change is already in the version that is used
by the Hubs. You can also create a cert with the openssl command or get a letsencrypt cert.

---
* Origin: 🊠(21:1/151)

On Tue, 3 Mar 2020 07:36:48 +0000
"pokeswithastick -> Al" <0@0.0.0> wrote:

On Mar 2nd 11:20 pm Al said...

node 21:4/100@fsxnet -pipe "openssl s_client -quiet -alpn binkp
-cipher ALL:@SECLEVEL=1 -connect *H:*I"
bbs.castlerockbbs.com:24553 c

That's very helpful. Thanks Al.

For inbound how are you getting a certificate? Let's Encrypt or
using self signed?

self signed should work just fine.

I was wondering if something like Caddy could
work. I'll have to test over the weekend.

I haven't tested it, but there is a plugin available for Caddy:

https://caddyserver.com/v1/docs/net
https://github.com/pieterlouw/caddy-net

---
* Origin: 🊠(21:1/151)