Hello Avon,

I have 153/757 and 21:4/106 listening over TLS for binkps. :)

I have successfully polled 153/757 from 153/757.2, I haven't yet managed a successfull outbound poll but I have more nodes to test against so I think I'll
just move on to some of that and get back to 153/757.2

All the node and nodelist details are the same, just the port is 24553. See Oli's post to me earlier today in the BINKD area to see how he's done it.

Anyone interested feel free to poll against my node if you'd like to test.

The Rusty MailBox
1:153/757 and 21:4/106
trmb.ca binkp on port 24554 and binkps on port 24553

Ttyl :-),
Al

--- GoldED+/LNX 1.1.5-b20180707
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)

On 24 Dec 2019 at 07:49p, Al pondered and said...

Hello Avon,

I have 153/757 and 21:4/106 listening over TLS for binkps. :)

well done you :)

I have successfully polled 153/757 from 153/757.2, I haven't yet managed
a successfull outbound poll but I have more nodes to test against so I think I'll just move on to some of that and get back to 153/757.2

All the node and nodelist details are the same, just the port is 24553. See Oli's post to me earlier today in the BINKD area to see how he's
done it.

Can you forward that here so we have a record.

I'm debating on what to put my focus on next playing with all of this, of
which I am very interested in getting working... or doing some work on NET 2
to move it along from it's current setup..

You're running a Linux system right? Might I need to move to that OS first before I can really play with all of this?

--- Mystic BBS v1.12 A43 2019/03/03 (Windows/32)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)

All the node and nodelist details are the same, just the port
is 24553. See Oli's post to me earlier today in the BINKD area
to see how he's done it.

Can you forward that here so we have a record.

Yep, I'll extract it and post it here in a few minutes.

I'm debating on what to put my focus on next playing with all of
this, of which I am very interested in getting working... or doing
some work on NET 2 to move it along from it's current setup..

That will need focus if you do that, I'd just do that if that's what you want/need to do. I am only getting started and we can get to this when
time is available.

You're running a Linux system right? Might I need to move to that
OS first before I can really play with all of this?

Yes, I already had all the stuff I needed installed so it was simple for
me to do. I'd imagine it's just as easy to do on Windows but the commands
and what not might be different. It would be a good thing if we could
figure out how to do that on Windows or Linux.

Ttyl :-),
Al

--- MagickaBBS v0.13alpha (Linux/x86_64)
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)

Hello Avon,

All the node and nodelist details are the same, just the port is
24553. See Oli's post to me earlier today in the BINKD area to
see how he's done it.

Can you forward that here so we have a record.

This is Oli's post..


=== Cut ===
= BINKD (1:153/757) ===========================================================
Msg : 211 of 215 Rcv
From : Oli 2:280/464.47 Tue 24 Dec 19 16:21
To : Alan Ianson
Subj : BINKP over TLS ===============================================================================

I posted several messages with different options how to do it (in
fidonet and fsxnet). If you have some specific questions, I'm
happy to help.

I saw some posts by you and others but I got lost in the ports,
stunnels and proxy's.

Can you give me an example to..

A. Have binkd listen on port 24553 for binkps/TLS?

e.g. with nginx (change the path to a valid cert / key pair)

nginx.conf:

stream {
server {
listen 24553 ssl;
ssl_certificate /etc/haproxy/ssl/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/haproxy/ssl/ssl-cert-key-snakeoil.pem;
proxy_pass 127.0.0.1:24554;
}
}

B. Poll a binkps node listening for binkps/TLS polls?

binkd.cfg:

node 1:153/757.2 -pipe "openssl s_client -quiet -alpn binkp -connect *H:*I" equinoxbbs.ddns.net:24555


+ Origin: kakistocracy (2:280/464.47)

=== Cut ===


Ttyl :-),
Al

--- GoldED+/LNX 1.1.5-b20180707
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)

Re: binkps
By: Al to Avon on Tue Dec 24 2019 07:49 pm

I have 153/757 and 21:4/106 listening over TLS for binkps. :)

Me too - 24553 for 21:2/116 and the other nets I'm in...
...deon


... After two days in hospital, I took a turn for the nurse.
--- SBBSecho 3.10-Linux
* Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)

Hello Al,

nginx.conf:

From that setup where You use nginx for the stream proxy of ssl binkps I
would have a small comment. That's the trouble when You connect with more
than one node concurrently. The ip address is not forwarded through the proxy and You basically connect from localhost. That means when You connect with
more than one node You got the Duplicate I.P. message. I'm uncertain if this cannot be configured otherwise. But there a solution on how to connect with more than one node at once.

The Mystic BBS can be configured to listen on multiple ports with the BINKP server. That means what could be done is to setup several BINKP server listening on localhost. E.g. 24554, 24555, 24556, 24557, 24558. Then You can have 5 concurrent connections from the proxy server. The nginx can
load-balance and this is how it could be done:

stream {
upstream binkps {
server 127.0.0.1:24554 max_conns=1;
server 127.0.0.1:24555 max_conns=1;
server 127.0.0.1:24556 max_conns=1;
server 127.0.0.1:24557 max_conns=1;
server 127.0.0.1:24558 max_conns=1;
}
server {
listen 29543 ssl;
proxy_pass binkps;
ssl_certificate /etc/nginx/ssl/snake-oil.crt;
ssl_certificate_key /etc/nginx/ssl/snake-oil.key;
ssl_password_file /etc/nginx/ssl/password-file.txt;
ssl_preread on;
}
}

That will actually provide possibility of 5 concurrent connections from the nodes. The ssl_password_file parameter gives the file where the password for the certificate is stored.

In the upstream list of server the max_conns prevents load balancing of more than one client at once to the given binkp server.

Probably there is an easier solution. But this is what worked for me.

BTW: The solution can be to use stunnel as You wrote in that case the
following configuration can be used:

/etc/stunnel/stunnel.conf
[binkps]
accept = 29543
connect = 24554
cert = /etc/stunnel/stunnel.pem
protocol = proxy

However it still retains the shortcoming of just only one concurrent session from the node. The other is rejected with the BUSY message.

What I would really like to explore is the HAPROXY. However most of the solutions are made for http and https protocols. Therefore if You would like
to forward the real ip address it can be achieved only in that protocols.

I tried the configuration of nginx with the proxy option as follows:

listen 29543 ssl proxy_protocol;

and then

proxy_protocol on;

This works just for a moment when the client connects via the proxy to the BINKP. Just when the real ip address is forwarded then ... what I guess the BINKP server responds to the real ip ... but that's not accessible because
the connection is established from within the nginx... and then the response goes elsewhere. If one would use http then the directive

proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;

could be used. But that's not this case because the headers cannot be
modified when in the stream tcp nginx proxy mode.

That's about it. Correct me if I'm wrong.

Best regards

|08Shinobi <.Phenom.>
|08
|08BBS Toolbox https://bbst.neocities.org

--- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
* Origin: Infoline BBS (21:1/153)

Hello shinobi,

Long time no hear, I hope all is well with you.

The Mystic BBS can be configured to listen on multiple ports with the BINKP server. That means what could be done is to setup several BINKP server listening on localhost. E.g. 24554, 24555, 24556, 24557, 24558. Then You can have 5 concurrent connections from the proxy server. The nginx can load-balance and this is how it could be done:

In my case I am using binkd. nginx is listening on port 24553 and if the tls handshake is successful it passes the connection to my running binkd on the standard port.

That's not what I would call the right way to do it.

That's about it. Correct me if I'm wrong.

I think that's all right. All this network stuff is way above my pay grade quite frankly. ;)

If it wasn't for Oli's help I wouldn't have been able to connect the dots.

It is my hope that the binkd developers will sit around a table at some point and discuss what is needed to make this happen in binkd itself in a similar way
to how Mystic and Synchronet (BinkIT) handle these tls connections themselves.

Ttyl :-),
Al

--- GoldED+/LNX
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)

Re: Re: binkps
By: shinobi to Al on Fri Apr 10 2020 11:15 am

than one node concurrently. The ip address is not forwarded through the proxy and You basically connect from localhost. That means when You

Can you put localhost in a whitelist of some sort?
...deon


... Professionals build the Titanic, amateurs built the Ark.
--- SBBSecho 3.10-Linux
* Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)

Al wrote (2020-04-10):

The Mystic BBS can be configured to listen on multiple ports with
the BINKP server. That means what could be done is to setup several
BINKP server listening on localhost. E.g. 24554, 24555, 24556,
24557, 24558. Then You can have 5 concurrent connections from the
proxy server. The nginx can load-balance and this is how it could
be done:

In my case I am using binkd. nginx is listening on port 24553 and if the tls handshake is successful it passes the connection to my running binkd
on the standard port.

That's not what I would call the right way to do it.

It's also not the wrong way to do it and it has some advantages (and a few disadvantages). I'm doing this with https and xmpps as well, even if the servers support TLS by themselves.

TLS support in binkd would be nice, but for incoming connections I would still use nginx or haproxy for TLS termination.

---
* Origin: (21:3/102)

Re: binkps
By: Oli to Al on Sat Apr 11 2020 10:50 am

That's not what I would call the right way to do it.

It's also not the wrong way to do it and it has some advantages (and a few

disadvantages). I'm doing this with https and xmpps as

well, even if the servers support TLS by themselves.

I think Al was refering to getting around a mystic loophole, where multi connections from the same IP address are problematic (since all connections via
nginx are via the nginx host's IP address).

I wonder if setting 127.0.0.1 (or the nginx host's ip address) in a whitelist of some sort would get around this issue?
...deon


... There are always alternatives. Spock, The Galileo Seven, stardate 2822.3. --- SBBSecho 3.10-Linux
* Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)

shinobi wrote (2020-04-10):

Hello Al,

nginx.conf:

From that setup where You use nginx for the stream proxy of ssl binkps I would have a small comment. That's the trouble when You connect with more than one node concurrently. The ip address is not forwarded through the proxy and You basically connect from localhost. That means when You
connect with more than one node You got the Duplicate I.P. message. I'm uncertain if this cannot be configured otherwise. But there a solution on how to connect with more than one node at once.

The Mystic BBS can be configured to listen on multiple ports with the
BINKP server. That means what could be done is to setup several BINKP server listening on localhost. E.g. 24554, 24555, 24556, 24557, 24558.
Then You can have 5 concurrent connections from the proxy server. The
nginx can load-balance and this is how it could be done:

you could also tell nginx to use different IPs for the connection. I haven't tried it and I cannot provide a configuration example, but I think it's doable

proxy_bind 127.0.0.2;
....
proxy_bind 127.0.0.3;
....
proxy_bind 127.0.0.4;


You can also try to running it as a transparent proxy.

https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/#ip-transparency

---
* Origin: (21:3/102)

On Saturday, April 11th Oli muttered...

TLS support in binkd would be nice, but for incoming connections I would still use nginx or haproxy for TLS termination.

+1 for TLS termination. nginx/HAProxy/Caddy/etc. are all heavily peer reviewed in terms of security. Various BBS packages are not. I had to enable some older cipher suites and lessen security just to allow some paritcular BBS terminals to connect to my b
...just kind of jumping in here. What did the "binkps" proto end up looking like? Just bink proxied over TLS? I'd like to get this set up (I'll be TLS terminating with Caddy personally)





--

NuSkooler
Xibalba BBS @ xibalba.l33t.codes / 44510(telnet) 44511(ssh)
ENiGMA 1/2 BBS WHQ | Phenom | 67 | iMPURE | ACiDic

--- ENiGMA 1/2 v0.0.11-beta (linux; x64; 12.13.1)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

NuSkooler wrote (2020-04-11):

On Saturday, April 11th Oli muttered...

TLS support in binkd would be nice, but for incoming connections I
would still use nginx or haproxy for TLS termination.

+1 for TLS termination. nginx/HAProxy/Caddy/etc. are all heavily peer reviewed in terms of security. Various BBS packages are not. I had to enable some older cipher suites and lessen security just to allow some paritcular BBS terminals to connect to my b

A Mystic hub truncated the line again ...

..just kind of jumping in
here. What did the "binkps" proto end up looking like? Just bink proxied over TLS?

Yes, but besides that we haven't agreed on anything. If I had to define it, it would most likely like this:

- must support TLS 1.3
- client must not send an unencrypted hostname (SNI) without prior agreement
- it shouldn't rely on CAs. Pinned certs with TOFU, DANE or nodelist flag

I'd like to get this set up (I'll be TLS terminating with Caddy
personally)

I haven't used Caddy as a TCP proxy, only nginx, haproxy and stunnel. Would be nice, if you could try it with binkp.

---
* Origin: (21:3/102)

Hello NuSkooler,

What did the "binkps" proto end up looking like? Just bink
proxied over TLS? I'd like to get this set up (I'll be TLS terminating with Caddy personally)

There is no binkps proto, at least such a thing hasn't happened yet.

In my own pondering I think CRAM-MD5 and crypt could be removed if a binkps proto ever did come to be but that is for binkps developers to look at and decide on.

I have not heard anything from the binkd developers about any of this. Maybe they are not interested or maybe there is no one on the binkd team to bring this forward.

It would be a good thing if they were part of all this but I am not seeing them.

Ttyl :-),
Al

--- GoldED+/LNX
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)

Re: Re: binkps
By: alterego to shinobi on Sat Apr 11 2020 08:10 am

Can you put localhost in a whitelist of some sort?

I gues why not
127.0.0.1
192.168.0.65 (so to speak)

How about anyone else?

Just a thought...





Havok

... Not one hundred percent efficient, of course.but nothing ever is.

---
■ Synchronet ■ Gray Matter BBS | graymatterbbs.com:2332
* Origin: fsxNet FTN<>QWK Gateway (21:4/10)

Re: RE: binkps
By: NuSkooler to Oli on Sat Apr 11 2020 12:56 pm

here. What did the "binkps" proto end up looking like? Just bink proxied over TLS? I'd like to get this set up (I'll be TLS terminating with Caddy personally)

Yup, my implementation on Hub 3 is via nginx - so caddy should be OK to do the same thing.

On my node 2/116, its with binkit, and I think DM just put in a TLS call before
running the main binkit code.

If you need help, yell out. You can poll Hub 3 or me if need to test :)
...deon


... There are always alternatives. Spock, The Galileo Seven, stardate 2822.3. --- SBBSecho 3.10-Linux
* Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)