• binkps

    From Al@21:4/106 to Oli on Sun Mar 1 10:07:40 2020
    Hello Oli,

    I am unable to connect with Mystic and SBBS binkps nodes. I see a couple errors
    like this..

    verify error:num=66:EE certificate key too weak
    verify error:num=20:unable to get local issuer certificate
    verify error:num=21:unable to verify the first certificate

    Is there a way I can lower the requirements of the certificate key or?

    Ttyl :-),
    Al

    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From g00r00@21:1/108 to Al on Mon Mar 2 02:09:11 2020
    I am unable to connect with Mystic and SBBS binkps nodes. I see a couple errors like this..

    verify error:num=66:EE certificate key too weak
    verify error:num=20:unable to get local issuer certificate
    verify error:num=21:unable to verify the first certificate

    Is there a way I can lower the requirements of the certificate key or?

    Not sure this is the best place to discuss BINKD SSL tunneling, but the issue is likely that it requires a 2048 or higher bit key instead of 1024.

    Try adding -cipher "ADH:@SECLEVEL=1" or -cipher "ADH:@SECLEVEL=0" onto your openssl command.

    --- Mystic BBS v1.12 A46 2020/03/01 (Windows/64)
    * Origin: Sector 7 (21:1/108)
  • From g00r00@21:1/108 to Al on Mon Mar 2 02:14:37 2020
    Try adding -cipher "ADH:@SECLEVEL=1" or -cipher "ADH:@SECLEVEL=0" onto your openssl command.

    It might be -cipher "ALL:@SECLEVEL=0" or maybe 1. Basically you need to step down the security level setting to 1 I think because it now defaults to 2
    which is a higher key bit.

    I don't really know how the command line openssl stuff works

    --- Mystic BBS v1.12 A46 2020/03/01 (Windows/64)
    * Origin: Sector 7 (21:1/108)
  • From Al@21:4/106 to g00r00 on Sun Mar 1 11:22:40 2020
    Hello g00r00,

    Not sure this is the best place to discuss BINKD SSL tunneling,

    This is the only place that this is being talked about.

    I do connect with one of my links running binkd <-> binkd so I know it can work
    but more testing is needed between different mailers.

    There is no direct support for this in binkd ATM. I have a web server listening
    on port 24553 and passing the connection to my running binkd on port 24554 if the handshake passes.

    There is a ways to go for binkd if it will support binkps. If I can get a working model happening perhaps that will interest binkd developers.

    but the issue is likely that it requires a 2048 or higher bit key
    instead of 1024.

    I don't mind 1024 or 2048. For now I'd be happy if it'll work. If we can make it work then we can standardize the details as we go.

    Try adding -cipher "ADH:@SECLEVEL=1" or -cipher "ADH:@SECLEVEL=0"
    onto your openssl command.

    Thanks, I'll give this a go here in a few minutes.

    Ttyl :-),
    Al

    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From Al@21:4/106 to g00r00 on Sun Mar 1 12:18:12 2020
    Hello g00r00,

    It might be -cipher "ALL:@SECLEVEL=0" or maybe 1. Basically you need
    to step down the security level setting to 1 I think because it now defaults to 2 which is a higher key bit.

    -cipher "ALL:@SECLEVEL=0" did the trick, thanks. I'm going to try =1 and 2 also
    just to see what I get.

    I don't really know how the command line openssl stuff works

    Neither do I actually, I'm just bangin' away on my keyboard!

    Ttyl :-),
    Al

    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From Oli@21:1/151 to g00r00 on Mon Mar 2 10:45:57 2020
    On Mon, 2 Mar 2020 02:09:11 +0700
    "g00r00 -> Al" <0@108.1.21> wrote:

    I am unable to connect with Mystic and SBBS binkps nodes. I see
    a couple errors like this..

    verify error:num=66:EE certificate key too weak
    verify error:num=20:unable to get local issuer certificate
    verify error:num=21:unable to verify the first certificate

    Is there a way I can lower the requirements of the certificate
    key or?

    Not sure this is the best place to discuss BINKD SSL tunneling, but
    the issue is likely that it requires a 2048 or higher bit key instead
    of 1024.

    Try adding -cipher "ADH:@SECLEVEL=1" or -cipher "ADH:@SECLEVEL=0"
    onto your openssl command.

    This has nothing to do with binkd ssl "tunneling". Is Mystic (and binkit) using
    a weak certificate by default? Nobody uses 1024 bit keys anymore.

    ---
    * Origin: REPLY (21:1/151)
  • From g00r00@21:1/108 to Oli on Mon Mar 2 17:48:07 2020
    This has nothing to do with binkd ssl "tunneling". Is Mystic (and
    binkit) using a weak certificate by default? Nobody uses 1024 bit keys anymore.

    Gee, I instantly knew the issue, explained it to Al and gave him a command
    line to get it working. It's almost like I'm not wrong and I understand what
    is going on.

    And it's almost like you read through the messages and then came back with
    this garbage. Seriously, you need to stop with your nonsense here. The
    number of people who've told you about it now is literally in the double digits.

    --- Mystic BBS v1.12 A46 2020/03/02 (Windows/64)
    * Origin: Sector 7 (21:1/108)
  • From Oli@21:1/151 to Oli on Mon Mar 2 11:48:03 2020
    On Mon, 2 Mar 2020 10:45:57 +0100
    "Oli -> g00r00" <0@151.1.21> wrote:

    On Mon, 2 Mar 2020 02:09:11 +0700
    "g00r00 -> Al" <0@108.1.21> wrote:

    I am unable to connect with Mystic and SBBS binkps nodes. I see
    a couple errors like this..

    verify error:num=66:EE certificate key too weak
    verify error:num=20:unable to get local issuer certificate
    verify error:num=21:unable to verify the first certificate

    Is there a way I can lower the requirements of the certificate
    key or?

    Not sure this is the best place to discuss BINKD SSL tunneling,
    but the issue is likely that it requires a 2048 or higher bit
    key instead of 1024.

    Try adding -cipher "ADH:@SECLEVEL=1" or -cipher
    "ADH:@SECLEVEL=0" onto your openssl command.

    This has nothing to do with binkd ssl "tunneling". Is Mystic (and
    binkit) using a weak certificate by default? Nobody uses 1024 bit
    keys anymore.

    I just read you already updated the default to 2048. Nice :)

    ---
    * Origin: REPLY (21:1/151)
  • From Oli@21:1/151 to g00r00 on Mon Mar 2 17:56:51 2020
    On Mon, 2 Mar 2020 17:48:07 +0700
    "g00r00 -> Oli" <0@108.1.21> wrote:

    This has nothing to do with binkd ssl "tunneling". Is Mystic
    (and binkit) using a weak certificate by default? Nobody uses
    1024 bit keys anymore.

    Gee, I instantly knew the issue, explained it to Al and gave him a
    command line to get it working. It's almost like I'm not wrong and I understand what is going on.

    We have been running binkd with TLS for months now without any problems and now Mystic has caught up and everyone should implement workarounds?

    Yeah, never any fault in your marvelous Mystic software, every other software is wrong, because the Guru is always right. Let's insult the messenger, if they
    report a problem...

    ---
    * Origin: REPLY (21:1/151)
  • From eggy@21:4/143 to All on Sun Mar 15 17:32:41 2020
    All,

    Now that I'm running Mystic A46, I'm trying to get a tunneled binkps session between my pi and mystic. I keep running into problems when using the following: "openssl s_client -quiet -cipher ALL:@SECLEVEL=1 -alpn binkp -connect"

    3069181968:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1929:

    My rpi has the following openssl version
    OpenSSL 1.1.1d 10 Sep 2019

    Any ideas what options I need to pass openssl s_client to get it to connect?

    matt // eggy
    Eggy BBS | telnet://bbs.eggy.cc:2300 | ssh://bbs.eggy.cc:2222
    fsxNet (21:4/143) | SciNet (77:1/136) | FidoNet (1:220/50)

    --- Mystic BBS v1.12 A46 2020/03/15 (Linux/64)
    * Origin: Eggy BBS (21:4/143)
  • From alterego@21:2/116 to eggy on Mon Mar 16 09:38:02 2020
    Re: binkps
    By: eggy to All on Sun Mar 15 2020 05:32 pm

    Any ideas what options I need to pass openssl s_client to get it to connect?

    I just use this as an example to test:
    openssl s_client -connect bbs.castlerockbbs.com:24553
    ...deon


    ... Go on, be yourself! There isn't anyone better qualified.
    --- SBBSecho 3.10-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From eggy@21:4/143 to alterego on Sun Mar 15 18:02:39 2020
    openssl s_client -connect bbs.castlerockbbs.com:24553
    ...deon

    After poking around, even doing this test gives me the same result:
    openssl s_client -connect bbs.eggy.cc:24553
    CONNECTED(00000003)
    3069566992:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1929:

    Then I tried on my Linux desktop and my desktop is able to connect.. After some further research.. I looked into /etc/ssl/openssl.cnf on my pi, it has this at the bottom:

    [system_default_sect]
    MinProtocol = TLSv1.2
    CipherString = DEFAULT@SECLEVEL=2

    If I comment this out, it works.

    I would think using -cipher ALL:@SECLEVEL=1 would override this, but I
    guess it's not working..

    Looks to be a security setting in ssl on my raspberry pi.

    matt // eggy
    Eggy BBS | telnet://bbs.eggy.cc:2300 | ssh://bbs.eggy.cc:2222
    fsxNet (21:4/143) | SciNet (77:1/136) | FidoNet (1:220/50)

    --- Mystic BBS v1.12 A46 2020/03/15 (Linux/64)
    * Origin: Eggy BBS (21:4/143)
  • From Al@21:4/106 to eggy on Sun Mar 15 15:57:08 2020
    Hello eggy,

    Now that I'm running Mystic A46, I'm trying to get a tunneled binkps session between my pi and mystic. I keep running into problems when using the following: "openssl s_client -quiet -cipher ALL:@SECLEVEL=1 -alpn binkp -connect"

    After the -connect *H:*I might solve the problem. Here is the node line I was using to poll hub 4.

    node 21:4/100@fsxnet -pipe "openssl s_client -quiet -alpn binkp -cipher ALL@SECLEVEL=1 -connect *H:*I" bbs.castlerockbbs.com:24553 XXXXXXXX c

    That is of course all on one line.

    Ttyl :-),
    Al

    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From eggy@21:4/143 to Al on Sun Mar 15 18:45:08 2020
    After the -connect *H:*I might solve the problem. Here is the node line
    I was using to poll hub 4.

    node 21:4/100@fsxnet -pipe "openssl s_client -quiet -alpn binkp -cipher ALL@SECLEVEL=1 -connect *H:*I" bbs.castlerockbbs.com:24553 XXXXXXXX c

    This didn't seem to make a difference when I reenabled the security settings
    in my /etc/ssl/openssl.cnf.

    matt // eggy
    Eggy BBS | telnet://bbs.eggy.cc:2300 | ssh://bbs.eggy.cc:2222
    fsxNet (21:4/143) | SciNet (77:1/136) | FidoNet (1:220/50)

    --- Mystic BBS v1.12 A46 2020/03/15 (Linux/64)
    * Origin: Eggy BBS (21:4/143)
  • From Alan Ianson@21:4/106.1 to eggy on Sun Mar 15 17:11:54 2020
    node 21:4/100@fsxnet -pipe "openssl s_client -quiet -alpn binkp -cipher
    ALL@SECLEVEL=1 -connect *H:*I" bbs.castlerockbbs.com:24553 XXXXXXXX c

    This didn't seem to make a difference when I reenabled the security settings in my /etc/ssl/openssl.cnf.

    Yep, That'll work if your link will accept SECLEVEL=1. I think your setup requires SECLEVEL=2.

    Our binkps implementations may not be up to SECLEVEL=2 yet.

    --- BBBS/Li6 v4.10 Toy-4
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106.1)
  • From Oli@21:1/151 to eggy on Thu Mar 19 11:13:43 2020
    On Sun, 15 Mar 2020 18:02:39 -0500
    "eggy -> alterego" <0@143.4.21> wrote:

    openssl s_client -connect bbs.castlerockbbs.com:24553
    ...deon

    After poking around, even doing this test gives me the same result:
    openssl s_client -connect bbs.eggy.cc:24553
    CONNECTED(00000003)
    3069566992:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1929:

    Then I tried on my Linux desktop and my desktop is able to connect..
    After some further research.. I looked into /etc/ssl/openssl.cnf on my
    pi, it has this at the bottom:

    [system_default_sect]
    MinProtocol = TLSv1.2
    CipherString = DEFAULT@SECLEVEL=2

    If I comment this out, it works.

    I would think using -cipher ALL:@SECLEVEL=1 would override this, but I guess it's not working..

    Looks to be a security setting in ssl on my raspberry pi.

    It seems that Mystic tries to negotiate a TLS 1.1 connection, but MinProtocol = TLSv1.2 prevents it. This needs to be fixed on Mystic's side; TLS 1.1 is practically deprecated.

    ---
    * Origin: (21:1/151)
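
Added example, not written by any poster in this thread: `-cipher ...@SECLEVEL=n` only changes the security level, while `MinProtocol` is a separate setting, so instead of commenting out the system-wide `[system_default_sect]` a private config passed through `OPENSSL_CONF` can relax both for the one `s_client` process only. The function names and the TLS 1.1 / SECLEVEL=1 values are assumptions for illustration, following the diagnosis in the last message.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the values written
# below are illustrative assumptions.

# Write a private OpenSSL config that lowers the TLS floor for one process.
# $1 = path of the config file to create
write_scoped_conf() {
    cat > "$1" <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Assumption: the peer only negotiates TLS 1.1 and presents a 1024-bit key.
MinProtocol = TLSv1.1
CipherString = DEFAULT@SECLEVEL=1
EOF
}

# Print "MinProtocol SECLEVEL" as set in a config file ("-" when unset).
# Assumes the section is named [system_default_sect] and uses "key = value".
effective_floor() {
    awk '
        /^\[/ { in_sect = ($0 == "[system_default_sect]") }
        in_sect && $1 == "MinProtocol" { proto = $3 }
        in_sect && $1 == "CipherString" && $3 ~ /@SECLEVEL=/ {
            level = $3; sub(/.*@SECLEVEL=/, "", level)
        }
        END {
            if (proto == "") proto = "-"
            if (level == "") level = "-"
            print proto, level
        }
    ' "$1"
}

# Run s_client with only the scoped config; the system file stays untouched.
# $1 = config path, $2 = host:port
poll_with_scoped_conf() {
    OPENSSL_CONF="$1" openssl s_client -quiet -alpn binkp -connect "$2"
}
```

Running `effective_floor /etc/ssl/openssl.cnf` first shows which floor the system applies before any override is considered.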