After graciously getting some help from Steve Gibson over at
news.grc.com, I finally have inn2 running on macOS. All functions,
including user auth, work on port 119. It has been ./configured with
the following options:

--with-perl --with-openssl=/usr/local/opt/openssl --with-sqlite3
--with-canlock --prefix=/Users/news --with-news-user=news
--with-news-group=nntp --with-news-master=newsmaster

I had to force the openssl location as it detects macOS's built-in
libressl which has no headers available in the operating system. I have
both openssl@1.1.1 and openssl@3.x installed.

The trouble began when I followed the instructions and ran nnrpd with:
../bin/nnrpd -D -c ./etc/readers.conf -p 563 -S

Then, openssl s_client -connect news.dialup.cafe:563 to test the
connection. It connects properly with SSL/TLS and allows me to send
authinfo user/authinfo pass commands.

Relevant inn.conf settings:
#tlscafile:
tlscapath: /Users/news/etc/certs
tlscertfile: /Users/news/etc/certs/fullchain.pem
tlskeyfile: /Users/news/etc/certs/privkey.pem
#tlsciphers:
#tlsciphers13:
tlscompression: false
#tlseccurve:
tlspreferserverciphers: true
tlsprotocols: [ TLSv1.2 TLSv1.3 ]

fullchain and privkey.pem were generated by certbot, and then copied
over manually to the /Users/news/etc/certs folder, as the "news"
account does not have permission to access /etc/letsencrypt/live/
The certs files have the proper permissions settings, following the
recommendations from the install guide.

And yet, when I try to connect using a newsreader like Unison or
Thunderbird, it just hangs on connecting. No errors are generated by
the client (that I've seen). The only error report I see on the server
from macOS console is:

default 14:28:07.841314 -0600 nnrpd 192.168.1.74 (192.168.1.74) connect
- port 563
default 14:28:28.004603 -0600 nnrpd 192.168.1.74 failure to negotiate
TLS session

There are no visible errors recorded to /news/logs/.

I've tested the server's SSL/TLS configuration on port 563 using
testssl.sh (https://testssl.sh/) and it comes back with a 97% (A+)
rating.

Can anyone take a guess at what might be going on here?

Thank you for your time - this has been three days of pulling my hair out! :)
vga256

On Thu, 29 Jun 2023 14:31:46 -0600
vga256 <vga@vga256.com> wrote:

<snip>

> Can anyone take a guess at what might be going on here?
>
> Thank you for your time - this has been three days of pulling my hair
> out! :) vga256

My advice: wipe MacOS and install Debian stable. Then run:

$> apt-get install inn2 openssl

After you install inn2 on debian stable you will need to manually
restart inn2 to recover from a installation error then it will run
fine. Then you can do all the normal config as found in the online
directions and it should all work.

I ditched inn2 and I switched to RocksolidLight:

https://github.com/novabbs/rocksolid-light

I have zero regrets after making the switch.

Demo site (code maintainer): https://novabbs.org/rocksolid/index.php

Retro Guy also has a nice dark retro theme included in the distribution.

Demo site (testing project): https://sybershock.com/forum

If you had fiddled around for 3 days with RocksolidLight, you'd likely
be an expert in its internals. It is laid out rather simple and easy to
hack since it is php. I still could kick myself for not having tried it
sooner.

You can get help with RocksolidLight here:

https://novabbs.org/rocksolid/thread.php?group=rocksolid.nodes.help

--
SugarBug | https://sybershock.com

Hi vga256,

> Then, openssl s_client -connect news.dialup.cafe:563 to test the
> connection. It connects properly with SSL/TLS and allows me to send
> authinfo user/authinfo pass commands.

That sounds good then.

> And yet, when I try to connect using a newsreader like Unison or
> Thunderbird, it just hangs on connecting. No errors are generated by the
> client (that I've seen).

Couldn't the problem come from the fact that the server certificate
should be added to your certificate store?
Also, you have to set network.security.ports.banned.override to 563 in
the configuration editor of Thunderbird.

Do you manage to connect to other news servers with your Thunderbird?
(for instance mine at news.trigofacile.com on port 563)

Is your server accessible from the Internet so that we could try to
connect to it?

--
Julien ÉLIE

« Sème du bonheur dans le champ du voisin, tu seras surpris de constater
ce que le vent fera produire au tien. » (Juliette Saint Gelais)

> Couldn't the problem come from the fact that the server certificate
> should be added to your certificate store?
> Also, you have to set network.security.ports.banned.override to 563 in
> the configuration editor of Thunderbird.
>
> Do you manage to connect to other news servers with your Thunderbird?
> (for instance mine at news.trigofacile.com on port 563)

I've had no problems connecting to any other servers running SSL on
563, including eternal-september and GRC.

> Is your server accessible from the Internet so that we could try to
> connect to it?

Sadly, it is not.

Thanks anyway!
vga

Hi vga256,

>> Do you manage to connect to other news servers with your Thunderbird?
>> (for instance mine at news.trigofacile.com on port 563)
>
> I've had no problems connecting to any other servers running SSL on 563,
> including eternal-september and GRC.

OK.
As you say you have 3 different TLS libraries installed (built-in
libressl, OpenSSL 1.1.1 and OpenSSL 3.x), are you sure they isn't any
conflict at run time? That is to say has INN actually been built with
the headers corresponding to the library that will be used?

Maybe both --with-openssl-include and --with-openssl-lib options should
be used?

--
Julien ÉLIE

« Sème du bonheur dans le champ du voisin, tu seras surpris de constater
ce que le vent fera produire au tien. » (Juliette Saint Gelais)

vga256 <vga@vga256.com> writes:
> And yet, when I try to connect using a newsreader like Unison or
> Thunderbird, it just hangs on connecting. No errors are generated by
> the client (that I've seen). The only error report I see on the server
> from macOS console is:
>
> default 14:28:07.841314 -0600 nnrpd 192.168.1.74 (192.168.1.74)
> connect - port 563
> default 14:28:28.004603 -0600 nnrpd 192.168.1.74 failure to
> negotiate TLS session
>
> There are no visible errors recorded to /news/logs/.
>
> I've tested the server's SSL/TLS configuration on port 563 using
> testssl.sh (https://testssl.sh/) and it comes back with a 97% (A+)
> rating.
>
> Can anyone take a guess at what might be going on here?

You need better logs. My current best guess for getting them is that you
could recompile nnrpd with tls_loglevel (see nnrpd/tls.c) set to a
higher value - while I’ve not tried this it looks like it might cause
OpenSSL’s internal logging to be sent to nnrpd’s log output.

Julien, would it be worth adding an inn.conf setting to let this value
be controlled without recompilation?

--
https://www.greenend.org.uk/rjk/

Hi Richard,

> You need better logs. My current best guess for getting them is that you
> could recompile nnrpd with tls_loglevel (see nnrpd/tls.c) set to a
> higher value - while I’ve not tried this it looks like it might cause
> OpenSSL’s internal logging to be sent to nnrpd’s log output.

Yes indeed, and it works fine (I tested it in 2021 when adding support
for OpenSSL 3).

> Julien, would it be worth adding an inn.conf setting to let this value
> be controlled without recompilation?

:-)
I wondered at the time I tested it, and just kept it unconfigurable as I
never heard of someone asking for debugging TLS output.
But yes, it's easily doable if it appears there's a need.
Would a tlsloglevel parameter in inn.conf suit you? (set to 0 by default)

--
Julien ÉLIE

« – J'ai horreur de tirer des chefs sans provisions !
– Et moi, je ne peux pas encaisser les chefs aux porteurs. » (Astérix)

Julien ÉLIE <iulius@nom-de-mon-site.com.invalid> writes:
> Hi Richard,
>> Julien, would it be worth adding an inn.conf setting to let this value
>> be controlled without recompilation?
>
> :-)
> I wondered at the time I tested it, and just kept it unconfigurable as
> I never heard of someone asking for debugging TLS output.
> But yes, it's easily doable if it appears there's a need.
> Would a tlsloglevel parameter in inn.conf suit you? (set to 0 by default)

That seems sensible.

--
https://www.greenend.org.uk/rjk/

Although this is extremely embarrassing, I'd just like to post an update:

I found the problem with my SSL/TLS woes: I was using the wrong cert
from my /letsencrypt/live folders D:
I forgot that months ago I set up a new certificate for
news.mydomain.com, and was using the mydomain.com certificate with
inn2, instead of the news.mydomain.com cert.

Thanks all for the advice.

vga.

On 2023-06-29 21:33:28 +0000, Syber Shock said:
> https://github.com/novabbs/rocksolid-light
>
> I have zero regrets after making the switch.
>
> Demo site (code maintainer): https://novabbs.org/rocksolid/index.php
>
> Retro Guy also has a nice dark retro theme included in the distribution.
>
> Demo site (testing project): https://sybershock.com/forum
>
> If you had fiddled around for 3 days with RocksolidLight, you'd likely
> be an expert in its internals. It is laid out rather simple and easy to
> hack since it is php. I still could kick myself for not having tried it
> sooner.
>
> You can get help with RocksolidLight here:
>
> https://novabbs.org/rocksolid/thread.php?group=rocksolid.nodes.help

Great recommend - checked it out and ported the source & installer to
macOS. Looks like it will suit my needs perfectly.

Thanks,
vga.