In August 2009, the newsgroup server was upgraded to support encrypted connections (using SSL/TLS), and it now denies unencrypted newsreader connections. The most popular newsreaders used with news.cs.illinois.edu support SSL natively, so adding this security model only meant a small configuration change for most users. [1]
Newsreader applications that do not natively support SSL can still be used with news.cs.illinois.edu through an additional application called stunnel. stunnel acts as a proxy that negotiates the SSL part of the connection and passes the unencrypted content back to the newsreader. [2]
stunnel is available for Unix/Linux, Windows, and MacOS. See the Links section below.
Here's what Dave did to configure stunnel on RedHat Linux to connect to news.cs.illinois.edu:
For stunnel 4.x, the following stunnel configuration file worked for me. I put it in my home directory and named it nntps.conf.
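As an added example (a constructed file, not Dave's original nntps.conf), a minimal stunnel 4.x client-mode configuration for this setup could look like the following. The server port 563 (the standard NNTPS port) and the Red Hat CA bundle path are assumptions.

```ini
; nntps.conf - constructed example for stunnel 4.x, not the original file
[nntps]
; Client mode: accept plaintext NNTP locally, speak SSL/TLS to the news server.
client = yes

; Listen on loopback only, so the unencrypted side is not reachable from
; other hosts. Use a port above 1024 (for example 10119) when not running
; as root.
accept = 127.0.0.1:119

; Assumption: the server offers NNTP over SSL/TLS on the standard port 563.
connect = news.cs.illinois.edu:563

; Assumption: validate the server certificate chain against the system CA
; bundle (Red Hat path shown). Without a verify setting, stunnel does not
; check the server certificate, so the link is encrypted but the server is
; not authenticated.
verify = 2
CAfile = /etc/pki/tls/certs/ca-bundle.crt
```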
sudo stunnel ~/nntps.conf
There's no output; it should just return you to a shell prompt.
ps -ef | grep stunnel
should show that the stunnel process is running in the background.
If you don't have root access on the system, say from a lab system, you can still use stunnel but change the config file to accept (listen) on a higher port, like 10119. Non-root users cannot bind to the traditional nntp port, 119.
telnet localhost 119
should bring up the "InterNetNews NNRP server INN" banner. Type 'quit' to close the connection.
Now that stunnel is configured and running, you'll need to update/configure your newsreader to connect to the stunnel link instead of news.cs.illinois.edu. However you configure your favorite newsreader, set the NNTP server to localhost and the port to either 119, or whatever you set the port to above.
Keep the configuration option in your newsreader for user authentication. SSL/stunnel doesn't replace the user auth - it just makes sure it's passed over a secure channel.
At this point, your newsreader should be connected and you should be able to log in and use newsgroups. When you're done, you can kill the stunnel process, or leave it there until the next time you want to connect.
- http://stunnel.mirt.net/ - stunnel official site (4.x branch)
- http://stunnel.org/ - stunnel UNofficial site (3.x branch)
- http://en.wikipedia.org/wiki/Stunnel - stunnel's Wikipedia page
[1] This was not the case in 2003, when the CS Newsgroup Service started. Neither the server nor the clients then supported SSL, which is why we originally went with unencrypted communication and a throw-away, news-only password. It's nice to see the newsreaders (and server) get more security conscious over the last few years.
[2] stunnel is commonly thought of and documented as a server-side tool to turn a non-encrypted service, like imap, into an encrypted imaps without changing your IMAP software. stunnel can also be used from the client end, and that's how we're using it here.