1. Forum
  2. FSXNet
  3. FSX MYS

  • binkps

    From Al@21:4/106 to Oli on Sunday, March 01, 2020 10:07:40
    Hello Oli,

    I am unable to connect with Mystic and SBBS binkps nodes. I see a couple errors
    like this..

    verify error:num=66:EE certificate key too weak
    verify error:num=20:unable to get local issuer certificate
    verify error:num=21:unable to verify the first certificate

    Is there a way I can lower the requirements of the certificate key or?

    Ttyl :-),
    Al

    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From g00r00@21:1/108 to Al on Monday, March 02, 2020 02:09:10
    I am unable to connect with Mystic and SBBS binkps nodes. I see a couple errors like this..

    verify error:num=66:EE certificate key too weak
    verify error:num=20:unable to get local issuer certificate
    verify error:num=21:unable to verify the first certificate

    Is there a way I can lower the requirements of the certificate key or?

    Not sure this is the best place to discuss BINKD SSL tunneling, but the issue is likely that it requires a 2048 or higher bit key instead of 1024.

    Try adding -cipher "ADH:@SECLEVEL=1" or -cipher "ADH:@SECLEVEL=0" onto your openssl command.

    --- Mystic BBS v1.12 A46 2020/03/01 (Windows/64)
    * Origin: Sector 7 (21:1/108)
  • From g00r00@21:1/108 to Al on Monday, March 02, 2020 02:14:36
    Try adding -cipher "ADH:@SECLEVEL=1" or -cipher "ADH:@SECLEVEL=0" onto your openssl command.

    It might be -cipher "ALL:@SECLEVEL=0" or maybe 1. Basically you need to step down the security level setting to 1 I think because it now defaults to 2
    which is a higher key bit.

    I don't really know how the command line openssl stuff works

    --- Mystic BBS v1.12 A46 2020/03/01 (Windows/64)
    * Origin: Sector 7 (21:1/108)
  • From Al@21:4/106 to g00r00 on Sunday, March 01, 2020 11:22:40
    Hello g00r00,

    Not sure this is the best place to discuss BINKD SSL tunneling,

    This is the only place that this is being talked about.

    I do connect with one of my links running binkd <-> binkd so I know it can work
    but more testing is needed between different mailers.

    There is no direct support for this in binkd ATM. I have a web server listening
    on port 24553 and passing the connection to my running binkd on port 24554 if the handshake passes.

    There is a ways to go for binkd if it will support binkps. If I can get a working model happening perhaps that will interest binkd developers.

    but the issue is likely that it requires a 2048 or higher bit key
    instead of 1024.

    I don't mind 1024 or 2048. For now I'd be happy if it'll work. If we can make it work then we can standardize the details as we go.

    Try adding -cipher "ADH:@SECLEVEL=1" or -cipher "ADH:@SECLEVEL=0"
    onto your openssl command.

    Thanks, I'll give this a go here in a few minites.

    Ttyl :-),
    Al

    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From Al@21:4/106 to g00r00 on Sunday, March 01, 2020 12:18:12
    Hello g00r00,

    It might be -cipher "ALL:@SECLEVEL=0" or maybe 1. Basically you need
    to step down the security level setting to 1 I think because it now defaults to 2 which is a higher key bit.

    -cipher "ALL:@SECLEVEL=0" did the trick, thanks. I'm going to try =1 and 2 also
    just to see what I get.

    I don't really know how the command line openssl stuff works

    Neither do I actually, I'm just bangin' away on my keyboard!

    Ttyl :-),
    Al

    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From Oli@21:1/151 to g00r00 on Monday, March 02, 2020 10:45:56
    On Mon, 2 Mar 2020 02:09:11 +0700
    "g00r00 -> Al" <0@108.1.21> wrote:

    I am unable to connect with Mystic and SBBS binkps nodes. I see
    a couple errors like this..

    verify error:num=66:EE certificate key too weak
    verify error:num=20:unable to get local issuer certificate
    verify error:num=21:unable to verify the first certificate

    Is there a way I can lower the requirements of the certificate
    key or?

    Not sure this is the best place to discuss BINKD SSL tunneling, but
    the issue is likely that it requires a 2048 or higher bit key instead
    of 1024.

    Try adding -cipher "ADH:@SECLEVEL=1" or -cipher "ADH:@SECLEVEL=0"
    onto your openssl command.

    This has nothing to do with binkd ssl "tunneling". Is Mystic (and binkit) using
    a weak certificate by default? Nobody uses 1024 bit keys anymore.

    ---
    * Origin: REPLY (21:1/151)
  • From g00r00@21:1/108 to Oli on Monday, March 02, 2020 17:48:06
    This has nothing to do with binkd ssl "tunneling". Is Mystic (and
    binkit) using a weak certificate by default? Nobody uses 1024 bit keys anymore.

    Gee, I instantly knew the issue, explained it to Al and gave him a command
    line to get it working. Its almost like I'm not wrong and I understand what
    is going on.

    And its almost like you read through the messages and then came back with
    this garbage. Seriously, you need to stop with your nonsense here. The
    number of people who've told you about it now is literally in the double digits.

    --- Mystic BBS v1.12 A46 2020/03/02 (Windows/64)
    * Origin: Sector 7 (21:1/108)
  • From Oli@21:1/151 to Oli on Monday, March 02, 2020 11:48:02
    On Mon, 2 Mar 2020 10:45:57 +0100
    "Oli -> g00r00" <0@151.1.21> wrote:

    On Mon, 2 Mar 2020 02:09:11 +0700
    "g00r00 -> Al" <0@108.1.21> wrote:

    I am unable to connect with Mystic and SBBS binkps nodes. I see
    a couple errors like this..

    verify error:num=66:EE certificate key too weak
    verify error:num=20:unable to get local issuer certificate
    verify error:num=21:unable to verify the first certificate

    Is there a way I can lower the requirements of the certificate
    key or?

    Not sure this is the best place to discuss BINKD SSL tunneling,
    but the issue is likely that it requires a 2048 or higher bit
    key instead of 1024.

    Try adding -cipher "ADH:@SECLEVEL=1" or -cipher
    "ADH:@SECLEVEL=0" onto your openssl command.

    This has nothing to do with binkd ssl "tunneling". Is Mystic (and
    binkit) using a weak certificate by default? Nobody uses 1024 bit
    keys anymore.

    I just read you already updated the default to 2048. Nice :)

    ---
    * Origin: REPLY (21:1/151)
  • From Oli@21:1/151 to g00r00 on Monday, March 02, 2020 17:56:50
    On Mon, 2 Mar 2020 17:48:07 +0700
    "g00r00 -> Oli" <0@108.1.21> wrote:

    This has nothing to do with binkd ssl "tunneling". Is Mystic
    (and binkit) using a weak certificate by default? Nobody uses
    1024 bit keys anymore.

    Gee, I instantly knew the issue, explained it to Al and gave him a
    command line to get it working. Its almost like I'm not wrong and I understand what is going on.

    We are running binkd with TLS for months now without any problems and now Mystics catched up and everyone should implement workarounds?

    Yeah, never any fault in your marvelous Mystic software, every other software is wrong, because the Guru is always right. Let's insult the messenger, if they
    report a problem...

    ---
    * Origin: REPLY (21:1/151)