• binkps

    From eggy@21:4/143 to All on Sun Mar 15 17:32:41 2020
    All,

    Now that I'm running Mystic A46, I'm trying to get a tunneled binkps session between my pi and mystic. I keep running into problems when using the following: "openssl s_client -quiet -cipher ALL:@SECLEVEL=1 -alpn binkp -connect"

    3069181968:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1929:

    My rpi has the following openssl version
    OpenSSL 1.1.1d 10 Sep 2019

    Any ideas what options I need to pass openssl s_client to get it to connect?

    matt // eggy
    Eggy BBS | telnet://bbs.eggy.cc:2300 | ssh://bbs.eggy.cc:2222
    fsxNet (21:4/143) | SciNet (77:1/136) | FidoNet (1:220/50)

    --- Mystic BBS v1.12 A46 2020/03/15 (Linux/64)
    * Origin: Eggy BBS (21:4/143)
  • From alterego@21:2/116 to eggy on Mon Mar 16 09:38:02 2020
    Re: binkps
    By: eggy to All on Sun Mar 15 2020 05:32 pm

    Any ideas what options I need to pass openssl s_client to get it to connect?

    I just use this as an example to test:
    openssl s_client -connect bbs.castlerockbbs.com:24553
    ...deon


    ... Go on, be yourself! There isn't anyone better qualified.
    --- SBBSecho 3.10-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From eggy@21:4/143 to alterego on Sun Mar 15 18:02:39 2020
    openssl s_client -connect bbs.castlerockbbs.com:24553
    ...deon

    After poking around, even doing this test gives me the same result:
    openssl s_client -connect bbs.eggy.cc:24553
    CONNECTED(00000003)
    3069566992:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1929:

    Then I tried on my Linux desktop and my desktop is able to connect. After some further research, I looked into /etc/ssl/openssl.cnf on my Pi; it has this at the bottom:

    [system_default_sect]
    MinProtocol = TLSv1.2
    CipherString = DEFAULT@SECLEVEL=2

    If I comment this out, it works.

    I would think using -cipher ALL:@SECLEVEL=1 would override this, but I
    guess it's not working.

    Looks to be a security setting in ssl on my raspberry pi.

    matt // eggy
    Eggy BBS | telnet://bbs.eggy.cc:2300 | ssh://bbs.eggy.cc:2222
    fsxNet (21:4/143) | SciNet (77:1/136) | FidoNet (1:220/50)

    --- Mystic BBS v1.12 A46 2020/03/15 (Linux/64)
    * Origin: Eggy BBS (21:4/143)
  • From Al@21:4/106 to eggy on Sun Mar 15 15:57:08 2020
    Hello eggy,

    Now that I'm running Mystic A46, I'm trying to get a tunneled binkps session between my pi and mystic. I keep running into problems when using the following: "openssl s_client -quiet -cipher ALL:@SECLEVEL=1 -alpn binkp -connect"

    After the -connect *H:*I might solve the problem. Here is the node line I was using to poll hub 4.

    node 21:4/100@fsxnet -pipe "openssl s_client -quiet -alpn binkp -cipher ALL@SECLEVEL=1 -connect *H:*I" bbs.castlerockbbs.com:24553 XXXXXXXX c

    That is of course all on one line.

    Ttyl :-),
    Al

    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From eggy@21:4/143 to Al on Sun Mar 15 18:45:08 2020
    After the -connect *H:*I might solve the problem. Here is the node line
    I was using to poll hub 4.

    node 21:4/100@fsxnet -pipe "openssl s_client -quiet -alpn binkp -cipher ALL@SECLEVEL=1 -connect *H:*I" bbs.castlerockbbs.com:24553 XXXXXXXX c

    This didn't seem to make a difference when I reenabled the security settings
    in my /etc/ssl/openssl.cnf.

    matt // eggy
    Eggy BBS | telnet://bbs.eggy.cc:2300 | ssh://bbs.eggy.cc:2222
    fsxNet (21:4/143) | SciNet (77:1/136) | FidoNet (1:220/50)

    --- Mystic BBS v1.12 A46 2020/03/15 (Linux/64)
    * Origin: Eggy BBS (21:4/143)
  • From Alan Ianson@21:4/106.1 to eggy on Sun Mar 15 17:11:54 2020
    node 21:4/100@fsxnet -pipe "openssl s_client -quiet -alpn binkp -cipher
    ALL@SECLEVEL=1 -connect *H:*I" bbs.castlerockbbs.com:24553 XXXXXXXX c

    This didn't seem to make a difference when I reenabled the security settings in my /etc/ssl/openssl.cnf.

    Yep, that'll work if your link will accept SECLEVEL=1. I think your setup requires SECLEVEL=2.

    Our binkps implementations may not be up to SECLEVEL=2 yet.

    --- BBBS/Li6 v4.10 Toy-4
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106.1)
  • From Oli@21:1/151 to eggy on Thu Mar 19 11:13:43 2020
    On Sun, 15 Mar 2020 18:02:39 -0500
    "eggy -> alterego" <0@143.4.21> wrote:

    openssl s_client -connect bbs.castlerockbbs.com:24553
    ...deon

    After poking around, even doing this test gives me the same result:
    openssl s_client -connect bbs.eggy.cc:24553
    CONNECTED(00000003)
    3069566992:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1929:

    Then I tried on my Linux desktop and my desktop is able to connect.
    After some further research, I looked into /etc/ssl/openssl.cnf on my
    Pi; it has this at the bottom:

    [system_default_sect]
    MinProtocol = TLSv1.2
    CipherString = DEFAULT@SECLEVEL=2

    If I comment this out, it works.

    I would think using -cipher ALL:@SECLEVEL=1 would override this, but I guess it's not working.

    Looks to be a security setting in ssl on my raspberry pi.

    It seems that Mystic tries to negotiate a TLS 1.1 connection, but MinProtocol = TLSv1.2 prevents it. This needs to be fixed on Mystic's side; TLS 1.1 is practically deprecated.

    ---
    * Origin: (21:1/151)
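
Added example (not part of the thread, and not code from Mystic or OpenSSL): a small shell check that reads the `[system_default_sect]` settings quoted above and reports whether the version floor alone rejects a peer, which is why changing only the `-cipher` string made no difference. The function names are hypothetical, the config text is a constructed copy of the lines eggy posted, and the peer maximum of TLS 1.1 is taken from Oli's diagnosis; it models only the MinProtocol comparison, not a full handshake.

```shell
#!/bin/sh
# Constructed sample: the openssl.cnf tail quoted in the thread.
sample_cnf() {
cat <<'EOF'
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF
}

# cnf_get SECTION KEY < openssl.cnf : print KEY's value inside [SECTION].
# Lines starting with '#' are skipped, so a commented-out setting reads as unset.
cnf_get() {
  awk -v sect="$1" -v key="$2" '
    /^[ \t]*#/ { next }
    /^[ \t]*\[/ {
      s = $0; gsub(/[ \t]/, "", s); sub(/^\[/, "", s); sub(/\].*$/, "", s)
      insect = (s == sect); next
    }
    insect && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) val = v
    }
    END { print val }'
}

# Order the protocol names so they can be compared numerically.
proto_rank() {
  case "$1" in
    SSLv3) echo 0 ;; TLSv1) echo 1 ;; TLSv1.1) echo 2 ;;
    TLSv1.2) echo 3 ;; TLSv1.3) echo 4 ;; *) echo -1 ;;
  esac
}

# check_peer PEER_MAX < openssl.cnf : would the version floor reject this peer?
# The floor comes from MinProtocol only; a -cipher string (SECLEVEL) does not change it.
check_peer() {
  min=$(cnf_get system_default_sect MinProtocol)
  if [ -z "$min" ]; then echo "no-floor"; return 0; fi
  if [ "$(proto_rank "$1")" -lt "$(proto_rank "$min")" ]; then
    echo "refused: peer max $1 < MinProtocol $min"
  else
    echo "ok"
  fi
}

# Peer maximum of TLSv1.1 is an assumption taken from Oli's post.
sample_cnf | check_peer TLSv1.1
```

To check a real host, feed the function its own file, for example `check_peer TLSv1.1 < /etc/ssl/openssl.cnf`.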