• Using Xnews 2006 with SSL tunnel

    From Hey@21:1/5 to All on Sun Jan 30 22:45:53 2022
    Does anyone have instructions how to set up Xnews 2006 with stunnel
    using windows 10? The sites I find on Google are out of date or
    come with a malware warning from my ISP software.

    Thank You,

    Hey

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Nil@21:1/5 to Hey on Sun Jan 30 19:06:10 2022
    On 30 Jan 2022, Hey <[email protected]d> wrote in news.software.readers:

    Does anyone have instructions how to set up Xnews 2006 with stunnel
    using windows 10? The sites I find on Google are out of date or
    come with a malware warning from my ISP software.

    Stunnel's basic usage hasn't changed in many years, and Xnews stopped
    being developed about 15 years ago, so even out-of-date instructions
    are probably still valid.

    I use that combination. I install Stunnel from
    <https://www.stunnel.org/> and set it up as a system service. I then
    replace the default stunnel.conf file (make a backup of it - it may
    have some useful comments in it) with my custom one (for eternal-
    september):

    [eternal-september-news]
    ; connect to individual.net NNTPS for Xnews
    client = yes
    accept = 562
    connect = news.eternal-september.org:563


    Then I set up my server in Xnews like this:

    Server name: 127.0.0.1 (or localhost)
    Port number: 562
    Username and Password, of course.
    I don't bother with the SMTP server - don't use that feature.


    The Port Number is arbitrary, but it has to be otherwise unused on your computer and must agree with the Accept line in stunnel.conf.

    I may have glossed over some details. Is that enough to get you going?

  • From knuttle@21:1/5 to Nil on Sun Jan 30 23:02:29 2022
    On 1/30/2022 9:06 PM, Nil wrote:

    The Port Number is arbitrary, but it has to be otherwise unused on your computer and must agree with the Accept line in stunnel.conf.

    To add to that advice, I've had problems with the port number getting used
    long after I've assigned it (like many days, weeks or even months later).

    What I do to avoid collisions (since I don't know what uses the port),
    I make the port arbitrarily large - and always above 1024 for sure.

    Looking at my own stunnel config, here's mine for Ray Banana's server.
    ; From: Wolfgang M. Weyand [wolfgang at eternal-september.org]
    ; Address: Berliner Strasse 26 D-61348 Bad Homburg v.d.H. ICQ 335794777
    ; Status: http://www.eternal-september.org/serverstatus.php
    ; Register: http://www.eternal-september.org/RegisterNewsAccount.php
    [nntp-esep]
    client = yes
    accept = 127.0.0.1:12345
    connect = news.eternal-september.org:563
    verifyChain = yes
    CAfile = ca-certs.pem
    checkHost = news.eternal-september.org
    OCSPaia = yes

    In your newsreader you can set the server:port to the "accept" line.

    I really do not know what most of those lines do (maybe you can tell me)
    but those are what Ray Banana provided me a long time ago (years ago).

    In the newsreader if you have an SSL box, I don't set SSL there
    but I'm not sure if that works for everyone on every newsreader or not.

  • From Nil@21:1/5 to knuttle on Tue Feb 1 18:13:01 2022
    On 30 Jan 2022, knuttle <[email protected]> wrote in news.software.readers:

    On 1/30/2022 9:06 PM, Nil wrote:

    The Port Number is arbitrary, but it has to be otherwise unused
    on your computer and must agree with the Accept line in
    stunnel.conf.

    To add to that advice, I've had problems with the port number
    getting used long after I've assigned it (like many days, weeks or
    even months later).

    What I do to avoid collisions (since I don't know what uses the
    port), I make the port arbitrarily large - and always above 1024
    for sure.

    Looking at my own stunnel config, here's mine for Ray Banana's
    server.
    ; From: Wolfgang M. Weyand [wolfgang at eternal-september.org]
    ; Address: Berliner Strasse 26 D-61348 Bad Homburg v.d.H. ICQ 335794777
    ; Status: http://www.eternal-september.org/serverstatus.php
    ; Register: http://www.eternal-september.org/RegisterNewsAccount.php
    [nntp-esep]
    client = yes
    accept = 127.0.0.1:12345
    connect = news.eternal-september.org:563
    verifyChain = yes
    CAfile = ca-certs.pem
    checkHost = news.eternal-september.org
    OCSPaia = yes

    In your newsreader you can set the server:port to the "accept"
    line.

    I really do not know what most of those lines do (maybe you can
    tell me) but those are what Ray Banana provided me a long time ago
    (years ago).

    In the newsreader if you have an SSL box, I don't set SSL there
    but I'm not sure if that works for everyone on every newsreader or
    not.

    Here are descriptions of those lines according to the stunnel
    documentation. I don't really understand their implication, but I guess
    it has to do with verifying that the e-s host is trusted. I've been
    operating just fine without them for several years, but I'm using your
    settings now and they work well, too. It maybe even connects faster,
    but that might be my imagination.

    ==============

    verifyChain = yes | no
    verify the peer certificate chain starting from the root CA

    For server certificate verification it is essential to also require
    a specific certificate with checkHost or checkIP.

    The self-signed root CA certificate needs to be stored either in
    the file specified with CAfile, or in the directory specified with
    CApath.

    default: no

    -----------

    CAfile = CA_FILE
    Certificate Authority file

    This file contains multiple CA certificates, to be used with the verifyChain and verifyPeer options.

    -----------

    checkHost = HOST
    host of the peer certificate subject

    Multiple checkHost options are allowed in a single service section. Certificates are accepted if no subject checks were specified, or the
    host name of the peer certificate matches any of the hosts specified
    with checkHost.

    This option requires OpenSSL 1.0.2 or later.

    -----------

    OCSPaia = yes | no
    validate certificates with their AIA OCSP responders

    This option enables stunnel to validate certificates with the list
    of OCSP responder URLs retrieved from their AIA (Authority Information
    Access) extension.

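    The thread shows two stunnel client sections, Nil's minimal one and knuttle's one with verifyChain / CAfile / checkHost / OCSPaia, and the last post quotes what those options do. The script below is an added example, not code from the thread or from stunnel: it parses both sections exactly as posted, flags the settings the later posts fix (an accept line bound to every interface, a port in the well-known range, no certificate verification, or verification switched on without a trust store or a host check), and adds a bind-based pre-flight check for the port collision knuttle describes. The section name nntp-broken, the constructed third config, the finding codes and all function names are my own; the fact that an accept line without a host binds all IPv4 interfaces is taken from the stunnel manual.

```python
import socket

# Constructed samples: the two sections posted in this thread, verbatim.
MINIMAL_CONF = """\
[eternal-september-news]
; connect to individual.net NNTPS for Xnews
client = yes
accept = 562
connect = news.eternal-september.org:563
"""

HARDENED_CONF = """\
[nntp-esep]
client = yes
accept = 127.0.0.1:12345
connect = news.eternal-september.org:563
verifyChain = yes
CAfile = ca-certs.pem
checkHost = news.eternal-september.org
OCSPaia = yes
"""

# Constructed half-done hardening (hypothetical): verification is on, but there is
# no trust store and checkHost names a different host than connect.
BROKEN_CONF = """\
[nntp-broken]
client = yes
accept = 127.0.0.1:12346
connect = news.eternal-september.org:563
verifyChain = yes
checkHost = news.example.invalid
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_stunnel_conf(text):
    """Parse stunnel.conf text into {section: {key: [values]}}.
    Keys keep their case (CAfile, checkHost); repeated keys are kept as a list
    because stunnel allows several checkHost lines. ';' and '#' start comments;
    options before the first [section] are global and ignored here."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def split_host_port(value, default_host=None):
    """Split 'host:port' (or a bare port) into (host, port)."""
    host, sep, port = value.rpartition(":")
    return (default_host, int(value)) if not sep else (host.strip("[]"), int(port))


def lint_service(opts):
    """Return (code, message) findings for one client service section."""
    findings = []
    last = lambda key: opts.get(key, [None])[-1]  # stunnel uses the last value given
    if last("client") != "yes":
        findings.append(("not-client", "not a client tunnel; needs client = yes"))
    accept = last("accept")
    if accept is None:
        findings.append(("no-accept", "no accept line to point the newsreader at"))
    else:
        # stunnel manual: accept without a host binds all IPv4 interfaces
        host, port = split_host_port(accept, default_host="0.0.0.0")
        if host not in LOOPBACK:
            findings.append(("accept-all-interfaces", f"use 127.0.0.1:{port} instead of {accept}"))
        if port <= 1024:
            findings.append(("accept-low-port", f"port {port} is in the well-known range"))
    connect = last("connect")
    connect_host = split_host_port(connect)[0] if connect else None
    if last("verifyChain") != "yes":
        findings.append(("no-verifyChain", "server certificate is not verified; the login is exposed to a man-in-the-middle"))
    else:
        if last("CAfile") is None and last("CApath") is None:
            findings.append(("verify-no-trust-store", "verifyChain = yes needs CAfile or CApath"))
        hosts = opts.get("checkHost", [])
        if not hosts and last("checkIP") is None:
            findings.append(("verify-no-host-check", "chain verified but not tied to a host; add checkHost"))
        elif hosts and connect_host not in hosts:
            findings.append(("checkHost-mismatch", f"checkHost {hosts} does not name {connect_host}"))
    return findings


def lint_conf(text):
    """Lint every section; returns {section: [findings]}."""
    return {name: lint_service(opts) for name, opts in parse_stunnel_conf(text).items()}


def port_is_free(port, host="127.0.0.1"):
    """Pre-flight for the collision problem in the thread: can host:port be bound right now?"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True


def demo_port_collision():
    """Hold a listening socket on an ephemeral port, probe it, release it, probe again."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as holder:
        holder.bind(("127.0.0.1", 0))
        holder.listen(1)
        port = holder.getsockname()[1]
        while_busy = port_is_free(port)
    return while_busy, port_is_free(port)
```

    Running lint_conf over MINIMAL_CONF reports accept-all-interfaces, accept-low-port and no-verifyChain; HARDENED_CONF reports nothing, and the constructed BROKEN_CONF reports verify-no-trust-store and checkHost-mismatch. port_is_free only says whether a port is free at the moment you ask, which is why binding the accept line to 127.0.0.1 and choosing a high port, as the thread recommends, is still the more durable fix.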