• binkps

    From Al@21:4/106 to Oli on Sun Mar 1 10:07:40 2020
    Hello Oli,

    I am unable to connect with Mystic and SBBS binkps nodes. I see a couple errors
    like this..

    verify error:num=66:EE certificate key too weak
    verify error:num=20:unable to get local issuer certificate
    verify error:num=21:unable to verify the first certificate

    Is there a way I can lower the requirements of the certificate key or?

    Ttyl :-),
    Al

    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From g00r00@21:1/108 to Al on Mon Mar 2 02:09:10 2020
    I am unable to connect with Mystic and SBBS binkps nodes. I see a couple errors like this..

    verify error:num=66:EE certificate key too weak
    verify error:num=20:unable to get local issuer certificate
    verify error:num=21:unable to verify the first certificate

    Is there a way I can lower the requirements of the certificate key or?

    Not sure this is the best place to discuss BINKD SSL tunneling, but the issue is likely that it requires a 2048 or higher bit key instead of 1024.

    Try adding -cipher "ADH:@SECLEVEL=1" or -cipher "ADH:@SECLEVEL=0" onto your openssl command.

    --- Mystic BBS v1.12 A46 2020/03/01 (Windows/64)
    * Origin: Sector 7 (21:1/108)
  • From g00r00@21:1/108 to Al on Mon Mar 2 02:14:36 2020
    Try adding -cipher "ADH:@SECLEVEL=1" or -cipher "ADH:@SECLEVEL=0" onto your openssl command.

    It might be -cipher "ALL:@SECLEVEL=0" or maybe 1. Basically you need to step down the security level setting to 1 I think because it now defaults to 2
    which is a higher key bit.

    I don't really know how the command line openssl stuff works

    --- Mystic BBS v1.12 A46 2020/03/01 (Windows/64)
    * Origin: Sector 7 (21:1/108)
  • From Al@21:4/106 to g00r00 on Sun Mar 1 11:22:40 2020
    Hello g00r00,

    Not sure this is the best place to discuss BINKD SSL tunneling,

    This is the only place that this is being talked about.

    I do connect with one of my links running binkd <-> binkd so I know it can work
    but more testing is needed between different mailers.

    There is no direct support for this in binkd ATM. I have a web server listening
    on port 24553 and passing the connection to my running binkd on port 24554 if the handshake passes.

    There is a ways to go for binkd if it will support binkps. If I can get a working model happening perhaps that will interest binkd developers.

    but the issue is likely that it requires a 2048 or higher bit key
    instead of 1024.

    I don't mind 1024 or 2048. For now I'd be happy if it'll work. If we can make it work then we can standardize the details as we go.

    Try adding -cipher "ADH:@SECLEVEL=1" or -cipher "ADH:@SECLEVEL=0"
    onto your openssl command.

    Thanks, I'll give this a go here in a few minutes.

    Ttyl :-),
    Al

    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From Al@21:4/106 to g00r00 on Sun Mar 1 12:18:12 2020
    Hello g00r00,

    It might be -cipher "ALL:@SECLEVEL=0" or maybe 1. Basically you need
    to step down the security level setting to 1 I think because it now defaults to 2 which is a higher key bit.

    -cipher "ALL:@SECLEVEL=0" did the trick, thanks. I'm going to try =1 and 2 also
    just to see what I get.

    I don't really know how the command line openssl stuff works

    Neither do I actually, I'm just bangin' away on my keyboard!

    Ttyl :-),
    Al

    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
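    The `-cipher "...@SECLEVEL=n"` workaround above only addresses the first of Al's three verify errors. As an added illustration (not code from anyone in this thread), the script below reproduces the key-size thresholds behind OpenSSL's security levels, as documented for SSL_CTX_set_security_level, and sorts `openssl s_client` verify lines into those a SECLEVEL change governs and those (trust-chain errors 20 and 21) it does not; the sample output is the three lines quoted in this thread.

```python
import re

# Minimum bits of security each OpenSSL @SECLEVEL demands (from the
# SSL_CTX_set_security_level documentation). Level 0 accepts anything.
LEVEL_MIN_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}

# Modulus size -> bits of security, as OpenSSL rates RSA/DSA/DH moduli.
MODULUS_SECURITY = ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80))


def rsa_security_bits(modulus_bits: int) -> int:
    """Bits of security OpenSSL assigns to an RSA modulus of this size."""
    for size, bits in MODULUS_SECURITY:
        if modulus_bits >= size:
            return bits
    return 0


def max_seclevel_for_rsa(modulus_bits: int) -> int:
    """Highest @SECLEVEL at which an end-entity cert with this key is accepted.

    A 1024-bit key is acceptable at level 1 but 'too weak' at the level-2
    default that newer OpenSSL builds ship with; 2048-bit keys pass level 2.
    """
    bits = rsa_security_bits(modulus_bits)
    return max(level for level, need in LEVEL_MIN_BITS.items() if bits >= need)


# X509 verify codes tied to key/digest strength (OpenSSL 1.1.0+):
# 66 = EE key too small, 67 = CA key too small, 68 = CA signature digest too weak.
STRENGTH_ERRORS = {66, 67, 68}
VERIFY_RE = re.compile(r"verify error:num=(\d+):(.*)")


def classify_verify_errors(output: str):
    """Split s_client verify errors into (fixed by lowering SECLEVEL, not fixed)."""
    seclevel_errors, trust_errors = [], []
    for m in VERIFY_RE.finditer(output):
        num, msg = int(m.group(1)), m.group(2).strip()
        (seclevel_errors if num in STRENGTH_ERRORS else trust_errors).append((num, msg))
    return seclevel_errors, trust_errors


# Constructed sample: the three lines Al quoted from his s_client run.
SAMPLE_OUTPUT = """\
verify error:num=66:EE certificate key too weak
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
"""

if __name__ == "__main__":
    print("1024-bit key passes up to SECLEVEL", max_seclevel_for_rsa(1024))
    print("2048-bit key passes up to SECLEVEL", max_seclevel_for_rsa(2048))
    print(classify_verify_errors(SAMPLE_OUTPUT))
```

Errors 20 and 21 come from the peer presenting a self-signed or otherwise untrusted certificate; `s_client` reports them but still completes the handshake by default, so a SECLEVEL change neither causes nor cures them.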
  • From Oli@21:1/151 to g00r00 on Mon Mar 2 10:45:56 2020
    On Mon, 2 Mar 2020 02:09:11 +0700
    "g00r00 -> Al" <0@108.1.21> wrote:

    I am unable to connect with Mystic and SBBS binkps nodes. I see
    a couple errors like this..

    verify error:num=66:EE certificate key too weak
    verify error:num=20:unable to get local issuer certificate
    verify error:num=21:unable to verify the first certificate

    Is there a way I can lower the requirements of the certificate
    key or?

    Not sure this is the best place to discuss BINKD SSL tunneling, but
    the issue is likely that it requires a 2048 or higher bit key instead
    of 1024.

    Try adding -cipher "ADH:@SECLEVEL=1" or -cipher "ADH:@SECLEVEL=0"
    onto your openssl command.

    This has nothing to do with binkd ssl "tunneling". Is Mystic (and binkit) using
    a weak certificate by default? Nobody uses 1024 bit keys anymore.

    ---
    * Origin: REPLY (21:1/151)
  • From g00r00@21:1/108 to Oli on Mon Mar 2 17:48:06 2020
    This has nothing to do with binkd ssl "tunneling". Is Mystic (and
    binkit) using a weak certificate by default? Nobody uses 1024 bit keys anymore.

    Gee, I instantly knew the issue, explained it to Al and gave him a command
    line to get it working. It's almost like I'm not wrong and I understand what
    is going on.

    And it's almost like you read through the messages and then came back with
    this garbage. Seriously, you need to stop with your nonsense here. The
    number of people who've told you about it now is literally in the double digits.

    --- Mystic BBS v1.12 A46 2020/03/02 (Windows/64)
    * Origin: Sector 7 (21:1/108)
  • From Oli@21:1/151 to Oli on Mon Mar 2 11:48:02 2020
    On Mon, 2 Mar 2020 10:45:57 +0100
    "Oli -> g00r00" <0@151.1.21> wrote:

    On Mon, 2 Mar 2020 02:09:11 +0700
    "g00r00 -> Al" <0@108.1.21> wrote:

    I am unable to connect with Mystic and SBBS binkps nodes. I see
    a couple errors like this..

    verify error:num=66:EE certificate key too weak
    verify error:num=20:unable to get local issuer certificate
    verify error:num=21:unable to verify the first certificate

    Is there a way I can lower the requirements of the certificate
    key or?

    Not sure this is the best place to discuss BINKD SSL tunneling,
    but the issue is likely that it requires a 2048 or higher bit
    key instead of 1024.

    Try adding -cipher "ADH:@SECLEVEL=1" or -cipher
    "ADH:@SECLEVEL=0" onto your openssl command.

    This has nothing to do with binkd ssl "tunneling". Is Mystic (and
    binkit) using a weak certificate by default? Nobody uses 1024 bit
    keys anymore.

    I just read you already updated the default to 2048. Nice :)

    ---
    * Origin: REPLY (21:1/151)
  • From Oli@21:1/151 to g00r00 on Mon Mar 2 17:56:50 2020
    On Mon, 2 Mar 2020 17:48:07 +0700
    "g00r00 -> Oli" <0@108.1.21> wrote:

    This has nothing to do with binkd ssl "tunneling". Is Mystic
    (and binkit) using a weak certificate by default? Nobody uses
    1024 bit keys anymore.

    Gee, I instantly knew the issue, explained it to Al and gave him a
    command line to get it working. It's almost like I'm not wrong and I understand what is going on.

    We have been running binkd with TLS for months now without any problems, and now Mystic's caught up and everyone should implement workarounds?

    Yeah, never any fault in your marvelous Mystic software, every other software is wrong, because the Guru is always right. Let's insult the messenger if they
    report a problem...

    ---
    * Origin: REPLY (21:1/151)
  • From Oli@21:1/151 to eggy on Thu Mar 19 11:13:42 2020
    On Sun, 15 Mar 2020 18:02:39 -0500
    "eggy -> alterego" <0@143.4.21> wrote:

    openssl s_client -connect bbs.castlerockbbs.com:24553
    ...deon

    After poking around, even doing this test gives me the same result:
    openssl s_client -connect bbs.eggy.cc:24553
    CONNECTED(00000003)
    3069566992:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1929:

    Then I tried on my linux desktop and my desktop is able to connect..
    After some further research.. I looked into /etc/ssl/openssl.cnf on my
    pi, it has this at the bottom:

    [system_default_sect]
    MinProtocol = TLSv1.2
    CipherString = DEFAULT@SECLEVEL=2
    if I comment this out, it works.

    I would think using -cipher ALL:@SECLEVEL=1 would override this, but I guess it's not working..

    Looks to be a security setting in ssl on my raspberry pi.

    It seems Mystic tries to negotiate a TLS 1.1 connection, but MinProtocol = TLSv1.2 prevents it. This needs to be fixed on Mystic's side; TLS 1.1 is practically deprecated.

    ---
    * Origin: (21:1/151)