LinuxQuestions.org
Old 11-08-2017, 11:12 AM   #1
dedec0
Member
 
Registered: May 2007
Posts: 951

Rep: Reputation: 31
Thunderbird: Why am I unable to use SSL/TLS in Mozilla nntp server?


Program: Thunderbird 45
Server: news.mozilla.org
Connection: SSL/TLS
Port: 5 or 563 (tried both)

I have a few Mozilla NNTP groups in another machine - which I cannot access now to check how it does it.

When I ask Thunderbird to manage newsgroups, it waits for a few minutes, and then stops without showing anything.

Only without SSL/TLS, and in port 119, it worked. Today, is SSL with news.mozilla.org possible?

Last edited by dedec0; 11-08-2017 at 12:23 PM.
 
Old 11-08-2017, 12:02 PM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,814
Blog Entries: 15

Rep: Reputation: 1661
Where are you coming from? Most things these days want TLSv1.1 or 1.2. Some older things (e.g. RHEL5/CentOS5) have no support for those versions of TLS (they end at TLS1.0). Mozilla Firefox is notorious for just not working when it finds something it doesn't like rather than letting you know and giving you the option to go around security issues it finds.

Sometimes you can modify the behavior and the Mozilla site tells you how to do that.

Personally I find it quite aggravating that Mozilla does this even though in general I prefer Firefox to all other browsers. They can't seem to understand that on occasion people are using 3rd party tools that can't be updated.
 
Old 11-08-2017, 12:21 PM   #3
dedec0
Member
 
Registered: May 2007
Posts: 951

Original Poster
Rep: Reputation: 31

I am sorry. I forgot to say that I am using Thunderbird. And this one is not old at all, it is 45. I will edit the first post to add this.

To say it clear, I have Thunderbird configured to access Mozilla newsgroups in another machine, but far from me now. I want to access it here, now, but could not - could not, but just before I decided to make a post here about what I was doing wrong, I tried the "no ssl" detail, that solved it.

But maybe there is something to find, or there is a reason for it being like this. Can you use Mozilla nntp with secure connection in Thunderbird? If you can use that server with other SSL access (possibly with other programs), please say so.
 
Old 11-09-2017, 01:55 AM   #4
MadeInGermany
Senior Member
 
Registered: Dec 2011
Location: Simplicity
Posts: 1,197

Rep: Reputation: 547
How do you connect to the Internet? Maybe port 563 is blocked by a firewall?
NNTP is quite archaic. SSL (on port 563) was defined much later, at a time forums started with (or switched to) https. Like this forum.
 
1 members found this post helpful.
Old 11-09-2017, 06:14 AM   #5
dedec0
Member
 
Registered: May 2007
Posts: 951

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by MadeInGermany
How do you connect to the Internet? Maybe port 563 is blocked by a firewall?
NNTP is quite archaic. SSL (on port 563) was defined much later, at a time forums started with (or switched to) https. Like this forum.
I have a common direct connection to the Internet, given to me by a paid ISP. It has no firewall in it, except those I choose to have or not configured in my modem.

Yes, NNTP is old - but it is good. It is better than fora or mailing lists, in my opinion. I like to use it. And I do not know details on how to do that, but Mozilla integrates its nntp groups with the mailing lists for each group.

The port 563 I mentioned was chosen by Thunderbird at some point of this account's configuration. I simply did not know 563 = SSL.
 
Old 11-10-2017, 07:12 AM   #6
dedec0
Member
 
Registered: May 2007
Posts: 951

Original Poster
Rep: Reputation: 31
To solve this thread

To solve this thread should not be hard.

I am using Thunderbird 45.8.0 in Debian 9, so I imagine there is no problem with deprecated or old things.

The answer may be as simple as:

"Mozilla nntp, which is news.mozilla.org:119, does not connect through SSL/TLS"

But it can be:

"Thunderbird 45.8.0 does not do TLSv1.x , which is needed for the Mozilla server news.mozilla.org:x secure connections"

Although I imagine this is not the situation.

And it can be something wrong with me, although I have no clue of what that would be.

Or it can be something else! You say.

Can you do:

nntp: news.mozilla.org + secure connection

?

Which port? Which connection version? Anything else good to mention?

Last edited by dedec0; 11-10-2017 at 07:22 AM.
 
Old 11-10-2017, 09:11 AM   #7
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,814
Blog Entries: 15

Rep: Reputation: 1661
Quote:
Originally Posted by dedec0
I am using Thunderbird 45.8.0 in Debian 9, so I imagine there is no problem with deprecated or old things.
It isn't so much that the nntp command you are using would have changed but rather that the sites you are trying to access via nntp have changed.

RFC 8143 makes it clear nntp sites should enforce TLS and by extrapolation of current standards that means TLSv1.1 or higher:
https://tools.ietf.org/html/rfc8143

I don't use nntp and am not going to install it just to test but can say I found first with https (which relies on openssl) and later ftps (which relies on gnutls) issues that were clearly due to the fact that the tools didn't support TLSv1.1 or higher. On RHEL5 that meant I could no longer connect to sites requiring TLSv1.1 or higher because openssl and curl (and likely gnutls) could not do TLSv1.1 or higher. On RHEL6 it meant I had to install updates for openssl and curl to reach https sites and update gnutls to reach ftps sites. Given all that and the above RFC it seems highly likely to me you'd have to have nntp (and openssl or gnutls) that support TLSv1.1 and higher to reach news sites.
 
2 members found this post helpful.
Old 11-10-2017, 10:42 AM   #8
dedec0
Member
 
Registered: May 2007
Posts: 951

Original Poster
Rep: Reputation: 31
Thank you, MensaWater. How can I test the secure connections news.mozilla.org support?

I found a thread that mentioned nmap, I installed it to check. But it did not work so much, I think. It should have shown something like:

Code:
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
And what I have is:

Code:
$ nmap --script ssl-enum-ciphers -p 119 news.mozilla.org

Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-10 14:39 -02
Nmap scan report for news.mozilla.org (216.166.97.169)
Host is up (0.14s latency).
rDNS record for 216.166.97.169: news.mozilla.giganews.com
PORT    STATE SERVICE
119/tcp open  nntp

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds

$ nmap --script ssl-enum-ciphers -p 5 news.mozilla.org

Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-10 14:39 -02
Nmap scan report for news.mozilla.org (216.166.97.169)
Host is up (0.14s latency).
rDNS record for 216.166.97.169: news.mozilla.giganews.com
PORT  STATE    SERVICE
5/tcp filtered rje

Nmap done: 1 IP address (1 host up) scanned in 1.76 seconds

$ nmap --script ssl-enum-ciphers -p 563 news.mozilla.org

Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-10 14:39 -02
Nmap scan report for news.mozilla.org (216.166.97.169)
Host is up (0.14s latency).
rDNS record for 216.166.97.169: news.mozilla.giganews.com
PORT    STATE    SERVICE
563/tcp filtered snews

Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds

$ nmap --script ssl-enum-ciphers -p 443 news.mozilla.org

Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-10 14:39 -02
Nmap scan report for news.mozilla.org (216.166.97.169)
Host is up (0.14s latency).
rDNS record for 216.166.97.169: news.mozilla.giganews.com
PORT    STATE    SERVICE
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 2.00 seconds

$
 
Old 11-10-2017, 11:58 AM   #9
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,814
Blog Entries: 15

Rep: Reputation: 1661
On checking I see the defined (presumably non-encrypted) port for nntp is 119. The encrypted port for nntps is 563.

On testing with netcat I was able to attach to news.mozilla.org on port 119 but not on port 563.

nc -vw2 news.mozilla.org 119
Connection to news.mozilla.org 119 port [tcp/nntp] succeeded!

nc -vw2 news.mozilla.org 563
nc: connect to news.mozilla.org port 563 (tcp) timed out: Operation now in progress

On running nmap it shows only 3 (insecure) ports open:
nmap -P0 news.mozilla.org

Starting Nmap 5.51 ( http://nmap.org ) at 2017-11-10 12:56 EST
Nmap scan report for news.mozilla.org (216.166.97.169)
Host is up (0.0023s latency).
rDNS record for 216.166.97.169: news.mozilla.giganews.com
Not shown: 969 filtered ports, 28 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
119/tcp open nntp

This all suggests that instead of them forcing you to do TLSv1.1 or higher they aren't even allowing secure connections at all.

Checking another news server, news.usenetserver.com, one can see they're allowing both secure and insecure ports:
nmap -P0 news.usenetserver.com

Starting Nmap 5.51 ( http://nmap.org ) at 2017-11-10 12:59 EST
Nmap scan report for news.usenetserver.com (69.16.179.27)
Host is up (0.026s latency).
Other addresses for news.usenetserver.com (not scanned): 69.16.179.26
rDNS record for 69.16.179.27: news.iad.usenetserver.com
Not shown: 989 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
119/tcp open nntp
443/tcp open https
563/tcp open snews
993/tcp open imaps
3128/tcp open squid-http
8000/tcp open http-alt
8080/tcp open http-proxy
9000/tcp open cslistener
9090/tcp open zeus-admin

Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds

Going back to your original title it appears if you want to do secure connections to get your news feeds you'll need to pick something other than Mozilla's news server. This is a bit surprising given how often they've been forcing browser users to do things the way THEY think is secure without allowing override as they did in the past.

Last edited by MensaWater; 11-10-2017 at 12:03 PM.
 
2 members found this post helpful.
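
The checks done in this thread with nc and nmap, as an added example that is not part of any post: it classifies a port as open, closed or filtered, attempts a TLS handshake on the NNTPS port, and asks the plaintext port whether it advertises STARTTLS (RFC 4642, which the thread does not mention). The function names are this example's own; it uses only the Python standard library.

```python
import socket
import ssl

def tcp_state(host, port, timeout=3.0):
    """Classify a TCP port in nmap's terms: open, closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # three-way handshake completed
    except ConnectionRefusedError:
        return "closed"          # the host answered with a reset
    except socket.gaierror:
        return "unresolved"      # name lookup failed, nothing was probed
    except OSError:
        return "filtered"        # timeout or unreachable: dropped on the path

def read_response(f, multiline=False):
    """Read one NNTP status line, plus the dot-terminated block after a 101."""
    status = f.readline().decode("utf-8", "replace").rstrip("\r\n")
    block = []
    while multiline and status.startswith("101"):
        line = f.readline().decode("utf-8", "replace").rstrip("\r\n")
        if line in (".", ""):    # end of block, or the server hung up
            break
        block.append(line)
    return status, block

def nntp_capabilities(host, port=119, timeout=5.0):
    """Return (greeting, capability lines) from a plaintext NNTP port."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as f:
            greeting, _ = read_response(f)
            sock.sendall(b"CAPABILITIES\r\n")
            _, caps = read_response(f, multiline=True)  # old servers reply 500
            sock.sendall(b"QUIT\r\n")
            read_response(f)
    return greeting, caps

def offers_starttls(caps):
    """True if the capability list advertises STARTTLS (RFC 4642)."""
    return any(c.split()[0].upper() == "STARTTLS" for c in caps if c.strip())

def tls_version(host, port=563, timeout=5.0):
    """Handshake on the implicit-TLS port; return e.g. 'TLSv1.2', or None."""
    ctx = ssl.create_default_context()   # verifies certificate and host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except OSError:                      # includes ssl.SSLError and timeouts
        return None

def assess(host, plain_port=119, tls_port=563, timeout=3.0):
    """Summarise which secure options a news server exposes."""
    report = {"plain": tcp_state(host, plain_port, timeout), "starttls": False,
              "tls_port": tcp_state(host, tls_port, timeout), "tls_version": None}
    if report["tls_port"] == "open":
        report["tls_version"] = tls_version(host, tls_port, timeout)
    if report["plain"] == "open":
        try:
            _, caps = nntp_capabilities(host, plain_port, timeout)
            report["starttls"] = offers_starttls(caps)
        except OSError:
            pass                         # port open, but no NNTP dialogue
    return report
```

Call `assess()` with the host name of the news server you use. A result with `plain` open and `tls_port` filtered is the pattern the nmap output in this thread shows for ports 119 and 563.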
Old 11-10-2017, 01:33 PM   #10
dedec0
Member
 
Registered: May 2007
Posts: 951

Original Poster
Rep: Reputation: 31
Thank you again for this very detailed post. I find it strange that the 'nc' command gives different output here than what you showed:

Code:
$ nc -vw2 news.mozilla.org 119
news.mozilla.giganews.com [216.166.97.169] 119 (nntp) open
200 news.mozilla.org

$  # it terminated ~3 minutes later, a few seconds after I hit ctrl+d
The output of my nmap is a bit different too. What could be a reason for the port 80 not being shown here? I ran it two times. The first, I hit enter a few times and it printed progress info, ending ~25 minutes later. The second time, I let it finish alone, it took ~30 minutes. Look:

Code:
16:52:59 [ 130] me@debian: ~
$ nmap -P0 news.mozilla.org

Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-10 16:52 -02
Nmap scan report for news.mozilla.org (216.166.97.169)
Host is up (0.14s latency).
rDNS record for 216.166.97.169: news.mozilla.giganews.com
Not shown: 998 filtered ports
PORT    STATE SERVICE
23/tcp  open  telnet
119/tcp open  nntp

Nmap done: 1 IP address (1 host up) scanned in 1762.08 seconds
17:22:21 [  0] me@debian: ~
$
 
Old 11-10-2017, 02:47 PM   #11
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,814
Blog Entries: 15

Rep: Reputation: 1661
The netcat thing deals with different versions apparently. In the earlier version I used the "-w" specifies time out regardless. In newer versions -w is only a timeout for how long it will wait for a connection. In those newer versions using "-i" specifies idle timeout so using "nc -vi2" would be the way to make it automatically drop on idle connections after 2 seconds. On the newer version I see:
nc -vi2 news.mozilla.org 119
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to 216.166.97.169:119.
200 news.mozilla.org
Ncat: Idle timeout expired (2000 ms)

However, on that newer server the newer nmap gives same ports as the older one:
nmap -P0 news.mozilla.org

Starting Nmap 6.40 ( http://nmap.org ) at 2017-11-10 15:43 EST
Nmap scan report for news.mozilla.org (216.166.97.169)
Host is up (0.0033s latency).
rDNS record for 216.166.97.169: news.mozilla.giganews.com
Not shown: 969 filtered ports, 28 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
119/tcp open nntp

Nmap done: 1 IP address (1 host up) scanned in 4.30 seconds

Given that I can see port 80 and you can't it means something is blocking your view of port 80. This is probably your outbound firewall or Proxy server. Some sites do block traffic based on geolocation (e.g. they might block Russian IPs) but usually if they're doing that it is for all ports not just for port 80 though it is possible.
 
Old 11-10-2017, 04:16 PM   #12
dedec0
Member
 
Registered: May 2007
Posts: 951

Original Poster
Rep: Reputation: 31
The nmap version you show is 6.40, mine was installed today and it is 7.40. I like your output better! I will try to remove and replace nmap with that older version.

I *think* I have no active firewall in my computer or in my modem. And probably neither in my ISP. This is getting a bit too offtopic for this thread, but how can I clearly know where the blocking is?

A silly first try, I typed "news.mozilla.org:80" in Firefox. It does not answer immediately, but after some minutes it showed just this:

Code:
200 news.mozilla.org
500 syntax error or unknown command
500 syntax error or unknown command
500 syntax error or unknown command
500 syntax error or unknown command
500 syntax error or unknown command
500 syntax error or unknown command
500 syntax error or unknown command
500 syntax error or unknown command
500 syntax error or unknown command
503 time out
This is not a page, I think, because nothing was shown when I asked to see its source code. It opens the source tab, but empty and with the rotating progress indicator. Does this mean that Firefox knows that :80 exists, but no answer is received?

I am not in Russia. I am in Brazil, South America.

Last edited by dedec0; 11-10-2017 at 06:54 PM.
 
Old 11-10-2017, 06:50 PM   #13
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,513

Rep: Reputation: 1004
I think in the nmap command the problem is -P0 vs -PO.
 
1 members found this post helpful.
Old 11-10-2017, 07:17 PM   #14
dedec0
Member
 
Registered: May 2007
Posts: 951

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by AwesomeMachine
I think in the nmap command the problem is -P0 vs -PO.
Nice comment! Thank you.

I used only zeroes in all commands I did. And I usually see the difference between them, since many years ago when I read something about bad aspects of some fonts. Further, I usually select and paste commands suggested here, an action easy and fast.

And with -PO (letter o), I would have received this error:

Code:
$ nmap -PO news.mozilla.org
Sorry, IPProto Ping (-PO) only works if you are root (because we need to read raw responses off the wire)
QUITTING!
 
Old 11-10-2017, 08:30 PM   #15
dedec0
Member
 
Registered: May 2007
Posts: 951

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by AwesomeMachine
I think in the nmap command the problem is -P0 vs -PO.
After your post, I did a few tests. In one of them, I used a command that was not used yet. But it worked, it showed port 80! See below.

nmap is a strange command, and it has a manpage difficult to read and search things in.

All reading this thread, look at this command output:

Code:
22:57:51 [ 130] me@deb: ~
$ nmap -P0 news.mozilla.org -PO

Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-10 22:58 -02
Stats: 0:00:19 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 3.30% done; ETC: 23:08 (0:09:46 remaining)
Stats: 0:05:49 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 29.85% done; ETC: 23:17 (0:13:40 remaining)
Stats: 0:07:52 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 39.80% done; ETC: 23:17 (0:11:55 remaining)
Stats: 0:09:40 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 48.05% done; ETC: 23:18 (0:10:28 remaining)
Stats: 0:15:44 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 65.50% done; ETC: 23:22 (0:08:18 remaining)
Nmap scan report for news.mozilla.org (216.166.97.169)
Host is up (0.14s latency).
rDNS record for 216.166.97.169: news.mozilla.giganews.com
Not shown: 997 filtered ports
PORT    STATE SERVICE
23/tcp  open  telnet
80/tcp  open  http
119/tcp open  nntp

Nmap done: 1 IP address (1 host up) scanned in 1703.14 seconds
23:26:26 [  0] me@deb: ~
$
Port 80 is there, but I did nothing to see or change my firewall settings, neither in browser, system and ISP. Strange things...
 
  

