newsgroups stunnel instructions


In August 2009, the newsgroup server was upgraded to support encrypted connections (using SSL/TLS), and it now denies unencrypted newsreader connections. The most popular newsreaders on news.cs.illinois.edu support SSL natively, so adding this security model only meant a small configuration change for most users (footnote 1).

Newsreader applications that do not natively support SSL can still be used with news.cs.illinois.edu through an additional application called stunnel. stunnel acts as a proxy that negotiates the SSL part of the connection and provides the unencrypted content back to the newsreader (footnote 2).

stunnel is available for Unix/Linux, Windows, and macOS. See the Links section below.

The process

Here's what Dave did to configure stunnel on RedHat Linux to connect to news.cs.illinois.edu.

Configure stunnel to work with news.cs.illinois.edu

For stunnel 4.x, the following stunnel configuration file worked for me. I put it in my home directory and named it nntps.conf.
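A client-mode configuration of the kind described here, as an added example that is not the author's original file. It assumes the server accepts NNTP over TLS on port 563 (the registered NNTPS port) and that the system CA bundle is at RedHat's usual path; the pid path is a placeholder.

```ini
; nntps.conf: added example for stunnel 4.x in client mode
; (not the author's original file)

; Act as a TLS client: accept plaintext locally, speak SSL/TLS to the server.
client = yes

; Validate the server certificate against a CA bundle. Without a verify
; setting, stunnel 4.x accepts any certificate the server presents.
verify = 2
; Assumption: RedHat's default CA bundle path; adjust for your distribution.
CAfile = /etc/pki/tls/certs/ca-bundle.crt

; Non-root users need a pid file they can write to; give the full path.
; Placeholder path, uncomment and edit:
; pid = /home/YOUR_USER/stunnel-nntps.pid

[nntps]
; Listen on loopback only so other hosts cannot reach the tunnel.
; Use 127.0.0.1:10119 instead when running without root.
accept = 127.0.0.1:119
; Assumption: the server listens on 563, the registered NNTP-over-TLS port.
connect = news.cs.illinois.edu:563
```

If the server's certificate is issued by a private or campus CA, point CAfile at that CA's certificate instead of the system bundle.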

Start the stunnel process

Run this:

sudo stunnel ~/nntps.conf

There's no output; it should just return you to a shell prompt.

ps -ef | grep stunnel

should show that the stunnel process is running in the background.

If you don't have root access on the system (for example, on a lab system), you can still use stunnel: change the config file to accept (listen) on a higher port, like 10119. Non-root users cannot bind to the traditional NNTP port, 119.

Test the tunnel

telnet localhost 119

should bring up the "InterNetNews NNRP server INN" banner. Type 'quit' to close the connection.

Configure your newsreader

Now that stunnel is configured and running, you'll need to update/configure your newsreader to connect to the stunnel link instead of news.cs.illinois.edu. However you configure your favorite newsreader, set the NNTP server to localhost and the port to either 119, or whatever you set the port to above.

Keep the configuration option in your newsreader for user authentication. SSL/stunnel doesn't replace the user auth - it just makes sure it's passed over a secure channel.

At this point, your newsreader should be connected and you should be able to log in and use newsgroups. When you're done, you can kill the stunnel process, or leave it there until the next time you want to connect.

Links


Footnotes
Ref Notes
1 This was not the case in 2003, when the CS Newsgroup Service started. Neither the server nor the clients then supported SSL, which is why we originally went with unencrypted communication and a throw-away, news-only password. It's nice to see the newsreaders (and server) get more security conscious over the last few years.
2 stunnel is commonly thought of and documented as a server-side tool to turn a non-encrypted service, like IMAP, into an encrypted IMAPS service without changing your IMAP software. stunnel can also be used from the client end, and that's how we're using it here.