• NET 1 + NET 2 SSL Polling

    From Avon@21:1/101 to All on Sat Mar 14 21:23:55 2020
    Using v1.12 A46 Windows/32 Compiled 2020/03/12 04:19:30

    NET 1 and 4 have been polling each other using BinkP SSL without issues (at least as far as we can tell :) for a number of days now.

    Tonight I have set NET 1 and NET 2 to start using BinkP SSL both ways between those two HUBs also.

    Hopefully all will be well there too. NET 2 is using the Windows/64 build.

    --- Mystic BBS v1.12 A46 2020/03/12 (Windows/32)
    * Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)
  • From Oli@21:1/151 to Avon on Sat Mar 14 09:37:20 2020
    On Sat, 14 Mar 2020 21:23:55 +1300
    "Avon -> All" <0@101.1.21> wrote:

    Using v1.12 A46 Windows/32 Compiled 2020/03/12 04:19:30

    NET 1 and 4 have been polling each other using BinkP SSL without
    issues (at least as far as we can tell :) for a number of days now.

    Tonight I have set NET 1 and NET 2 to start using BinkP SSL both ways between those two HUBs also.

    The problems are still there:

    + 09:33 [16339] outgoing session with agency.bbs.nz:24553
    depth=0 CN = agency.bbs.nz
    verify error:num=66:EE certificate key too weak
    verify return:1
    depth=0 CN = agency.bbs.nz
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 CN = agency.bbs.nz
    verify return:1
    1995841552:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
    ? 09:33 [16339] recv: connection closed by foreign host
    + 09:33 [16339] done (to 21:1/100@fsxnet, failed, S/R: 0/0 (0/0 bytes))

    ---
    * Origin: (21:1/151)
  • From Avon@21:1/101 to Oli on Sat Mar 14 22:02:55 2020

    NET 1 and 4 have been polling each other using BinkP SSL without issues (at least as far as we can tell :) for a number of days now.

    The problems are still there:

    + 09:33 [16339] outgoing session with agency.bbs.nz:24553
    depth=0 CN = agency.bbs.nz
    verify error:num=66:EE certificate key too weak
    verify return:1
    depth=0 CN = agency.bbs.nz
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 CN = agency.bbs.nz
    verify return:1
    1995841552:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
    ? 09:33 [16339] recv: connection closed by foreign host
    + 09:33 [16339] done (to 21:1/100@fsxnet, failed, S/R: 0/0 (0/0 bytes))

    So to understand this, you're saying the software you're using to poll the HUB
    on 24553 thinks the cert key is too weak? What's the tool you are using to
    poll Oli, and why does it say it's weak? Just seeking to understand this thanks...

    --- Mystic BBS v1.12 A46 2020/03/12 (Windows/32)
    * Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)
  • From Avon@21:1/101 to Oli on Sat Mar 14 22:10:12 2020
    On 14 Mar 2020 at 09:37a, Oli pondered and said...

    NET 1 and 4 have been polling each other using BinkP SSL without issues (at least as far as we can tell :) for a number of days no

    The problems are still there:

    + 09:33 [16339] outgoing session with agency.bbs.nz:24553
    depth=0 CN = agency.bbs.nz
    verify error:num=66:EE certificate key too weak

    Just as a follow up, I polled 4/100 from 1/100. At 4/100 the logs show

    + 2020.03.14 03:06:21 BINKP > Connect on slot 1/20 SSL (219.89.83.33)
    + 2020.03.14 03:06:21 BINKP 1-HostName 219-89-83-33.adsl.xtra.co.nz
    + 2020.03.14 03:06:21 BINKP 1-Country New Zealand (NZ)
    + 2020.03.14 03:06:23 BINKP 1-System fsxHUB Risa [NET1]
    + 2020.03.14 03:06:23 BINKP 1-SysOp Avon
    + 2020.03.14 03:06:23 BINKP 1-Info TIME Sat, 14 Mar 2020 22:06:04 +1300
    + 2020.03.14 03:06:23 BINKP 1-Mailer Mystic/1.12A46 binkp/1.0
    + 2020.03.14 03:06:23 BINKP 1-Info BUILD 2020/03/12 04:19:41 Windows/32
    + 2020.03.14 03:06:23 BINKP 1-Authenticating 21:1/100@fsxnet by CRAM-MD5
    + 2020.03.14 03:06:23 BINKP 1-Queued 0 files for 21:1/100@fsxnet
    + 2020.03.14 03:06:23 BINKP 1-Remote Queue: 1 files 1,108 bytes
    + 2020.03.14 03:06:23 BINKP 1-Receiving: fffd0000.sa1 (1,108 bytes)
    + 2020.03.14 03:06:24 BINKP 1-Session ended (0 sent, 1 rcvd, 0 skip)

    and from 1/100 the outbound shows.

    + 2020.03.14 22:06:04 6-Connected by IPV4 SSL to 184.155.113.241
    + 2020.03.14 22:06:04 6-System fsxHUB Niba [NET4]
    + 2020.03.14 22:06:04 6-SysOp Black Panther
    + 2020.03.14 22:06:04 6-Info TIME Sat, 14 Mar 2020 03:06:21 -0600
    + 2020.03.14 22:06:04 6-Mailer Mystic/1.12A46 binkp/1.0
    + 2020.03.14 22:06:04 6-Info BUILD 2020/03/12 04:19:41 Windows/32
    + 2020.03.14 22:06:06 6-Sending: fffd0000.sa1 (1,108 bytes)
    + 2020.03.14 22:06:06 6-Remote Queue: 0 files 0 bytes
    + 2020.03.14 22:06:07 6-Session ended (1 sent, 0 rcvd, 0 skip)

    So something seems to be working fine :)

    --- Mystic BBS v1.12 A46 2020/03/12 (Windows/32)
    * Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)
  • From Black Panther@21:1/186 to Avon on Sat Mar 14 12:11:08 2020
    On 14 Mar 2020, Avon said the following...

    Using v1.12 A46 Windows/32 Compiled 2020/03/12 04:19:30

    You beat me in getting this upgrade set up on Hub 4... ;)

    NET 1 and 4 have been polling each other using BinkP SSL without issues (at least as far as we can tell :) for a number of days now.

    I haven't seen any issues on this end. I don't even see the ssl.log file
    being created, which is a good thing.


    ---

    Black Panther(RCS)
    Castle Rock BBS

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: Castle Rock BBS - bbs.castlerockbbs.com - (21:1/186)
  • From Oli@21:1/151 to Black Panther on Sat Mar 14 20:06:50 2020
    On Sat, 14 Mar 2020 12:11:08 -0600
    "Black Panther -> Avon" <0@186.1.21> wrote:

    On 14 Mar 2020, Avon said the following...

    Using v1.12 A46 Windows/32 Compiled 2020/03/12 04:19:30

    You beat me in getting this upgrade set up on Hub 4... ;)

    NET 1 and 4 have been polling each other using BinkP SSL
    without issues (at least as far as we can tell :) for a number
    of days now.

    I haven't seen any issues on this end. I don't even see the ssl.log
    file being created, which is a good thing.

    same problem:

    + 20:05 [26035] call to 21:4/100@fsxnet
    + 20:05 [26035] External command 'openssl s_client -quiet -connect bbs.castlerockbbs.com:24553' started, pid 26036
    20:05 [26035] connected
    + 20:05 [26035] outgoing session with bbs.castlerockbbs.com:24560
    depth=0 CN = bbs.castlerockbbs.com
    verify error:num=66:EE certificate key too weak
    verify return:1
    depth=0 CN = bbs.castlerockbbs.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 CN = bbs.castlerockbbs.com
    verify return:1
    1995780112:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
    ? 20:05 [26035] recv: connection closed by foreign host
    + 20:05 [26035] done (to 21:4/100@fsxnet, failed, S/R: 0/0 (0/0 bytes))
    20:05 [26035] session closed, quitting...

    ---
    * Origin: (21:1/151)
  • From alterego@21:2/116 to Oli on Sun Mar 15 10:51:06 2020
    Re: NET 1 + NET 2 SSL Polling
    By: Oli to Black Panther on Sat Mar 14 2020 08:06 pm

    same problem:
    + 20:05 [26035] call to 21:4/100@fsxnet
    + 20:05 [26035] External command 'openssl s_client -quiet -connect bbs.castlerockbbs.com:24553' started, pid 26036
    verify error:num=66:EE certificate key too weak

    Out of curiosity, I tried from my Mac and Linux, and didn't get the "too weak" error message:

    [deon@d-1-1 ~]$ openssl s_client -connect bbs.castlerockbbs.com:24553
    CONNECTED(00000003)
    depth=0 CN = bbs.castlerockbbs.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 CN = bbs.castlerockbbs.com
    verify return:1
    ---
    Certificate chain
    0 s:/CN=bbs.castlerockbbs.com
    i:/CN=bbs.castlerockbbs.com
    ---
    ...deon


    ... I either want less corruption, or more chance to participate in it.
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From Oli@21:1/151 to alterego on Sun Mar 15 08:41:23 2020
    On Sun, 15 Mar 2020 10:51:06 +1100
    "alterego -> Oli" <0@116.2.21> wrote:

    Re: NET 1 + NET 2 SSL Polling
    By: Oli to Black Panther on Sat Mar 14 2020 08:06 pm

    same problem:
    + 20:05 [26035] call to 21:4/100@fsxnet
    + 20:05 [26035] External command 'openssl s_client -quiet
    -connect bbs.castlerockbbs.com:24553' started, pid 26036
    verify error:num=66:EE certificate key too weak

    Out of curiosity, I tried from my Mac and Linux, and didn't get the
    "too weak" error message:

    [deon@d-1-1 ~]$ openssl s_client -connect bbs.castlerockbbs.com:24553
    CONNECTED(00000003)
    depth=0 CN = bbs.castlerockbbs.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 CN = bbs.castlerockbbs.com
    verify return:1
    ---
    Certificate chain
    0 s:/CN=bbs.castlerockbbs.com
    i:/CN=bbs.castlerockbbs.com
    ---

    Which openssl version and linux distro are you running?

    Even if it works for some combinations, it is still deprecated crypto with interoperability issues.

    + 08:39 [30388] outgoing session with w7-1-1.ipv6.leenooks.net:24553
    depth=0 C = ZZ, O = W7-1-1, CN = dev.bbs.leenooks.net
    verify error:num=66:EE certificate key too weak
    verify return:1
    depth=0 C = ZZ, O = W7-1-1, CN = dev.bbs.leenooks.net
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = ZZ, O = W7-1-1, CN = dev.bbs.leenooks.net
    verify error:num=21:unable to verify the first certificate
    verify return:1
    1996378128:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:

    I don't have any TLS problems with my fidonet uplink. Why not just fix the weak
    certificate?

    ---
    * Origin: (21:1/151)
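
Added example, not part of any post in this thread: a small Python triage of the mailer log format quoted above. It separates the certificate verify errors that the client logged and continued past (each followed by `verify return:1`) from the error-queue line after which the session is reported failed. The sample log is constructed from lines quoted in the thread, and `triage` and its field names are hypothetical.

```python
import re

# Constructed sample, modelled on the mailer log lines quoted in this thread.
SAMPLE_LOG = """\
+ 09:33 [16339] outgoing session with agency.bbs.nz:24553
depth=0 CN = agency.bbs.nz
verify error:num=66:EE certificate key too weak
verify return:1
depth=0 CN = agency.bbs.nz
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = agency.bbs.nz
verify return:1
1995841552:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
+ 09:33 [16339] done (to 21:1/100@fsxnet, failed, S/R: 0/0 (0/0 bytes))
"""

SESSION = re.compile(r"outgoing session with (\S+):(\d+)$")
VERIFY = re.compile(r"^verify error:num=(\d+):(.+)$")
VERIFY_RET = re.compile(r"^verify return:(\d)$")
# OpenSSL error-queue line: id:error:code:library:function:reason:file:line:
ERRQ = re.compile(r"^\d+:error:[0-9A-F]+:[^:]+:([^:]+):([^:]+):")
DONE = re.compile(r"done \(to (\S+), (\w+),")

# triage() is a hypothetical helper: one dict per outgoing session in the log.
def triage(log_text):
    sessions, cur, pending = [], None, None
    for line in map(str.strip, log_text.splitlines()):
        if m := SESSION.search(line):
            cur = {"peer": m.group(1), "port": int(m.group(2)), "node": None,
                   "warnings": [], "fatal": None, "result": None}
            sessions.append(cur)
        elif cur is None:
            continue
        elif m := VERIFY.match(line):
            pending = (int(m.group(1)), m.group(2))
        elif (m := VERIFY_RET.match(line)) and pending:
            if m.group(1) == "1":  # client carried on past this verify error
                cur["warnings"].append(pending)
            else:  # verification itself stopped the handshake
                cur["fatal"] = "verify: " + pending[1]
            pending = None
        elif m := ERRQ.match(line):  # handshake aborted by the TLS library
            cur["fatal"] = f"{m.group(1)}: {m.group(2)}"
        elif m := DONE.search(line):
            cur["node"], cur["result"] = m.group(1), m.group(2)
            cur = None
    return sessions

print(triage(SAMPLE_LOG))
```

On the sample, errors 66 and 18 end up under `warnings`, while `fatal` holds the `dh key too small` reason raised in `tls_process_ske_dhe`.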