# Newsreader/usenet client + stunnel question.



## neurosis (Sep 26, 2011)

I have read through a few howtos on this subject. I have no experience with stunnel and want to make sure that I am on the right track.


I have been looking at this HowTo because it looks like the easiest method to get what I am looking for. The one thing that I do not see in here is information regarding stunnel.pem or a path to it in the config. 

Using the method shown in the howto above, am I to assume that I do not need to create this file (when I installed stunnel it did not have this file)?


----------



## honk (Sep 28, 2011)

From http://www.stunnel.org/?page=howto#authentication:

"_...If you are only using stunnel in client mode (i.e. it connects to an SSL server, it does not act as an SSL server) then you most likely do not need to present a valid certificate at all, and can skip this chapter entirely..._"

I guess you authenticate yourself against the news server with username/password. In this case the news server will present you _his_ certificate (which is stored on the server in a file similar to stunnel.pem). Therefore you don't need a .pem file on your (the client-) side.

What you definitely want is a verification of the certificate the server offers to you (this should ensure that you are talking to the server and not to someone else in the middle). This is described in chapter "How does stunnel check certificates?". Option verify=2 or 3 is what you want.

Hope that helps.


----------



## neurosis (Sep 28, 2011)

Yes honk. I read through that last night. It did help (kind of).



> If you are only using stunnel in client mode (i.e. it connects to an SSL server, it does not act as an SSL server) then you most likely do not need to present a *valid* certificate at all, and can skip this chapter entirely. Just use the pem that comes with the distribution. It is most likely not asked for by the remote end, nor verified.
> 
> If you use stunnel in client mode and the remote SSL server does require client/peer certificates, then you do need one, and should read the instructions below.



I took that to mean that I more than likely "should" create one, as I am not sure if the remote SSL server requires one?

I managed to remove the install as I installed via package, and re-installed using ports. The port install included a tool to create this pem automatically so I now have that covered. Now my problem is even when following the instructions of that how-to exactly, I can't get stunnel to start. (I'm a newb)

I have it running debug = 7 and running it in foreground and it bombs when trying to create the pid file. I am trying a very basic config as shown on their faq so am not attempting to chroot yet and all of the information that I have found so far on this pid file error has been related to chroot. I'm a little stalled again.



```
setuid = stunnel
setgid = stunnel


debug = 7
client = yes
foreground = yes
;foreground = no
pid = /stunnel.pid


[news]
accept = 8675
connect = ssl.newshost.com:563
```


----------



## honk (Sep 28, 2011)

PID files should be written under /var/run and not directly in /. I would create a separate directory and set proper permissions so that the user which invokes stunnel is able to write that file.

Example:

```
# mkdir /var/run/stunnel
# chown stunnel:stunnel /var/run/stunnel
# chmod 755 /var/run/stunnel
```


----------



## neurosis (Sep 28, 2011)

Yes, that is my next task. I tried to start without giving the /stunnel.pid and it displayed the path that it was trying to write to. It was:


```
2011.09.27 18:07:48 LOG3[91245]: Cannot create pid file /var/tmp/run/stunnel/stunnel.pid
```

So now I figured that I would have to create the directory with the correct permissions. You have saved me a bit of trouble though I think. I really appreciate it! I will test it in a few minutes and let you know how it is going so far.


----------



## neurosis (Sep 29, 2011)

OK! It's up and running! My problem the whole time was the directory permissions. The HowTo says to chmod 0622 but that would not allow the .pid file to be created. I am not sure why. I changed the permission to 700 and it worked just fine. Is there an explanation for this?

Regardless, it is up and running fine!


----------
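Added example, not part of the thread or of stunnel itself: a small Python check that reads a stunnel client config and reports the two points honk raises above, a `verify` level below 2 and a pid file placed directly in `/`. The sample input is the config posted in the thread; treating global options as defaults for each service is an assumption of this example.

```python
# Constructed sample: the config posted in the thread, blank lines trimmed.
THREAD_CONF = """\
setuid = stunnel
setgid = stunnel
debug = 7
client = yes
foreground = yes
;foreground = no
pid = /stunnel.pid
[news]
accept = 8675
connect = ssl.newshost.com:563
"""

def parse_conf(text):
    """Return (global_options, {service: options}); keys lower-cased, ';' lines skipped."""
    glob, services = {}, {}
    cur = glob
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = services.setdefault(line[1:-1], {})
            continue
        key, sep, val = line.partition("=")
        if sep:
            cur[key.strip().lower()] = val.strip()
    return glob, services

def audit(text):
    """List findings for the two points raised in the thread."""
    glob, services = parse_conf(text)
    findings = []
    pid = glob.get("pid", "")
    if pid.startswith("/") and pid.count("/") == 1:
        findings.append(f"global: pid file {pid} sits directly in /")
    for name, opts in services.items():
        eff = {**glob, **opts}  # assumption: global values act as service defaults
        if eff.get("client", "no").lower() != "yes":
            continue  # only client-mode services are checked here
        level = eff.get("verify", "")
        if not level.isdigit() or int(level) < 2:
            findings.append(f"[{name}]: verify is {level or 'unset'}; thread advice is verify = 2 or 3")
        elif not (eff.get("cafile") or eff.get("capath")):
            findings.append(f"[{name}]: verify = {level} but no CAfile/CApath to check against")
    return findings

print("\n".join(audit(THREAD_CONF)))
```

For the posted config it reports both findings; setting `verify = 2` together with a `CAfile`, and moving the pid file under /var/run/stunnel, clears them.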

