NNTPS via port 563

Julien ÉLIE julien at trigofacile.com
Sat Aug 15 19:01:49 UTC 2015

Hi Paul,

Could you please try:
     openssl s_client -connect your-server:563
and tell whether it works?
That is to say you get the 200 or 201 reply from the server.  You can 
then type QUIT to close the NNTP session.

You can also test the command with my news server if you want to compare 
the results:
     openssl s_client -connect news.trigofacile.com:563

> I then connected using Thunderbird and can see the message
> Timestamp: 15/08/2015 10:16:37 p.m.
> Error: xxx.xxx.xxx.xxx:563 uses an invalid security certificate. (I
> have removed the local IP)
> The certificate does not come from a trusted source.
> The certificate is only valid for news.bbs.geek.nz
> (Error code: mozilla_pkix_error_ca_cert_used_as_end_entity)

Isn't the local IP the one of news.bbs.geek.nz? :)

The error might be linked to that change that occurred in Mozilla 
software last year:

Also have a look at that thread about Thunderbird:

> I can also see in syslog news nnrpd say ‘startttls TLSv1.2 with
> cipher XXXXX (removed the numbers) (256/256 bits) no authentication
> Then it look like my client is connecting on port 119

There's something wrong in the configuration of the client, then. 
Because the second line of news.notice should mention port 563:

Aug 15 19:32:17 news nnrpd[24110]: starttls: TLSv1 with cipher 
DHE-RSA-AES256-SHA (256/256 bits) no authentication
Aug 15 19:32:17 news nnrpd[24110]: denver.dinauz.org ( 
connect - port 563

> I figured I needed to set up port 563 first before I sorted out some
> kind of authentication via user name / password for user logins
> (does anyone use username/password auth over plain port 119
> thesedays?)

The transmission of username/password should be encrypted, you're right.
Yet, not everybody follows that best practice!

Julien ÉLIE

« Quelle folie, Ô Astérix, que de t'être venu fourrer dans la
   gueule de la louve romaine. » (Astérix)

More information about the inn-workers mailing list