I got telnet over SSL working and thought I'd share the details since the
next official release of SyncTERM looks like it's going to support it. For
now we can use "stunnel" since the only BBS I've heard of that supports it natively is BBBS.

Unfortunately there isn't an official 32-bit release anymore (and a lot of us are on 32-bit for the dos support!) but luckily this nice fellow here
compiled and packaged up a 32-bit version for us:

https://github.com/josealf/stunnel-win32

I used the file "stunnel-testing-win32-installer.exe"

After install, you will be asked to create a certificate for the SSL connections. If you haven't done so before, it asks you a series of questions:

Country (US, NZ, etc)
State
City or Province
Organization (I used the BBS name without "BBS" on the end)
Organization Unit: BBS
Common Name, domain, etc: throw in something like sslbbs.synchro.net or whatever you use for your bbs
Email: yep.

For Windows 7 and up, you won't have permission to directly edit the config file since it's in the "C:\Program Files" folder. You can either start up a command prompt as administrator and edit there, or copy it, edit it, and replace it with Windows Explorer (it should ask for authorization and show
the little shield or whatever.)

The config file has quite a few examples, but to make this easy, you can
simply delete all but one and modify it:

[bbs]
accept = 992
connect = 23
cert = stunnel.pem

Note that since stunnel redirects connections from port 992 to port 23, they will show up as if they're connected locally! If your BBS features anti-connection-spam (like Mystic) you should make sure 127.0.0.1 is included in the whitelisted IP addresses file. You will have to match timestamps with the stunnel log if you need to find a specific user..

Open port 992 on your firewall and you should be all set :)

In SyncTERM, you will have to edit your connection (F2) and change the connection type to "TelnetS". As previously mentioned, it should be included
in the NEXT release of SyncTERM, so for now you will have to use the test versions linked at the very bottom of the SyncTERM web page.

Hopefully someone finds this useful and it gets more widely adopted directly
in BBS software!

-------------------------------------------------------------------------------

For security minded folk: it doesn't look like certificate verification is common even in the clients that have had this feature for a long time.. mostly mainframe stuff. You can however use openssl to view the server's certificate information with:

openssl s_client -connect mysuperbbs.com:992

If you want to get a legitimate certificate, LetsEncrypt is free, and is
fairly easy to automate updates for with Windows' task scheduler. In which
case openssl should show:

verify return:1

at each step as it walks the certificate chain.

--- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
* Origin: cold fusion - cfbbs.net - grand rapids, mi

On 26 Mar 2021, fusion said the following...

I got telnet over SSL working and thought I'd share the details since the

well, i had hoped it would allow me to edit this slightly instead of a direct-forward but .. d'oh. i also have posted this on DOVE-Net previously. thought it might be handy for somebody ;)

--- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
* Origin: cold fusion - cfbbs.net - grand rapids, mi (21:1/616)

Re: Secure Telnet
By: fusion to All on Fri Mar 26 2021 04:19 pm

I got telnet over SSL working and thought I'd share the details since the next official release of SyncTERM looks like it's going to support it. For now we can use "stunnel" since the only BBS I've heard of that supports it natively is BBBS.

I noticed a new telnets option in SyncTERM 1.2a recently so I gave your BBS a call with telnets. It seemed to work well and I was able to connect and see your login screen.

I'm a little short on time ATM or I'd log in proper for a visit but I will likely do that at some point.

But anyway, I just had a quick look but it seemed to work at cfbbs.net.. :)

Ttyl :-),
Al

... A camel is a horse planned by committee.
--- SBBSecho 3.14-Linux
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106.1)

On 28 Mar 2021, Al said the following...

But anyway, I just had a quick look but it seemed to work at cfbbs.net..

right on. yeah i suppose it'd be a bit silly to make a writeup for it and
then not use it myself :)

--- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
* Origin: cold fusion - cfbbs.net - grand rapids, mi (21:1/616)

fusion around Friday, March 26th...

In SyncTERM, you will have to edit your connection (F2) and change the connection type to "TelnetS". As previously mentioned, it should be included in the NEXT release of SyncTERM, so for now you will have to use the test versions linked at the very bottom of the SyncTERM web page.

What's the rationale behind using TelnetS over SSH? As far as I'm aware the RFC never made it out of draft whereas of course SSH is widely adopted.



--
|08 ■ |12NuSkooler |06// |12Xibalba |08- |07"|06The place of fear|07"
|08 ■ |03xibalba|08.|03l33t|08.|03codes |08(|0344510|08/|03telnet|08, |0344511|08/|03ssh|08)
|08 ■ |03ENiGMA 1/2 WHQ |08| |03Phenom |08| |0367 |08| |03iMPURE |08| |03ACiDic
--- ENiGMA 1/2 v0.0.12-beta (linux; x64; 14.15.4)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

Hello Al!

On 28 Mar 2021, Al said the following...

I noticed a new telnets option in SyncTERM 1.2a recently so I gave your BBS a call with telnets. It seemed to work well and I was able to
connect and see your login screen.

If you have time, could you please try scbbs.nsupdate.info:50992 (custom port), too? Just to see if you get to the login screen...

I haven't gotten around to upgrading my SyncTERM on Windows to 1.2 yet, but I'm hoping to do so soon.

Many thanks in advance!

Best regards
Zip

--- Mystic BBS v1.12 A47 2021/02/12 (Linux/64)
* Origin: Star Collision BBS, Uppsala, Sweden (21:1/202)

Hello fusion!

On 26 Mar 2021, fusion said the following...

I got telnet over SSL working and thought I'd share the details since the next official release of SyncTERM looks like it's going to support it.
For now we can use "stunnel" since the only BBS I've heard of that supports it natively is BBBS.

Thanks for the tip! A nice addition to the connection options! :)

I thought I'd share some additional stunnel options that I'm giving a try here:

; CUSTOM: Allow binding to an IP address that is nonlocal or does not (yet) exist; see ip(7)
; NOTE: This might help if stunnel starts up before network interfaces are fully configured; in any case, it won't hurt
socket = a:IP_FREEBIND=yes

; CUSTOM: Only allow TLSv1.2 and higher
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1

; CUSTOM: Only allow ciphers that are still considered secure (for TLSv1.2 and below)
; NOTE: Using OpenSSL 1.1.1d here, which has CAMELLIA
ciphers = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECD
H+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!E XP:!PSK:!SRP:!DSS:!RC4:!SSLv3:!TLSv1:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA 256:!DHE-RSA-CAMELLIA128-SHA256:!DHE-RSA-CAMELLIA256-SHA256:!ECDHE-RSA-AES128-S HA256:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-CAMELLIA128-SHA256:!ECDHE-RSA-CAMELLI A256-SHA384

; CUSTOM: When choosing a cipher, use the server's preferences instead of the client preferences (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html)
options = CIPHER_SERVER_PREFERENCE

; CUSTOM: Disable TLS renegotiation to mitigate DoS attacks
renegotiation = no

; These options provide additional security at some performance degradation options = SINGLE_ECDH_USE
options = SINGLE_DH_USE

; CUSTOM: Delay DNS lookup for the connect option
delay = yes

And, for the actual service:

; NOTE: Set to > Mystic BBS configuration (mystic -cfg) --> Configuration --> General Settings --> Inactivity
TIMEOUTidle = 7210

Hopefully some of these can be useful.

Best regards
Zip

--- Mystic BBS v1.12 A47 2021/02/12 (Linux/64)
* Origin: Star Collision BBS, Uppsala, Sweden (21:1/202)

On 28 Mar 2021, NuSkooler said the following...

What's the rationale behind using TelnetS over SSH? As far as I'm aware the RFC never made it out of draft whereas of course SSH is widely adopted.

i'm not quite as fond of how ssh handles the login for a bbs. apparently the next syncterm also includes a username/passwordless ssh login so bbses that ignore incorrect login info can just go about their business (user won't need to know to put in bbs/bbs, or even that they might need to put in a bs
password to create an account over ssh instead) so i'm sure that'll be a plus too.

not really a huge deal by any stretch. but i'm not hurting for cpu cycles ;)

--- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
* Origin: cold fusion - cfbbs.net - grand rapids, mi (21:1/616)

On 28 Mar 2021, Zip said the following...

; CUSTOM: Only allow ciphers that are still considered secure (for
TLSv1.2 and below)

Hopefully some of these can be useful.

awesome. yeah i'm guessing syncterm uses cryptlib like synchronet does. hopefully it doesn't get back that list of restrictions and bail out lol.
i'll give it a shot here when i'm not bbsing from my phone..

--- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
* Origin: cold fusion - cfbbs.net - grand rapids, mi (21:1/616)

Re: Re: Secure Telnet
By: Zip to Al on Sun Mar 28 2021 09:39 pm

If you have time, could you please try scbbs.nsupdate.info:50992 (custom port), too? Just to see if you get to the login screen...

Yep, your BBS answers and looks good.

I haven't gotten around to upgrading my SyncTERM on Windows to 1.2 yet, but I'm hoping to do so soon.

Looks good here on my linux64 box.. :)

Ttyl :-),
Al

... Cursor: An expert in four-letter words
--- SBBSecho 3.14-Linux
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106.1)

Re: RE: Secure Telnet
By: NuSkooler to fusion on Sun Mar 28 2021 12:09 pm

What's the rationale behind using TelnetS over SSH?

I don't think there is a good reason to use telnets over ssh. There is a reason to use telnets over telnet.

As far as I'm aware the RFC never made it out of draft whereas of course SSH is widely adopted.

I never knew telnets never moved beyond the draft stage and I don't know why that is. Duece's reason for adding telnets was to support BBSs that use it if I read his comment right.

When I ran debian many years ago there was a telnet-ssl package you could install. If that package is still there (I'm not sure) it could make telnets easier to install and use.

Ttyl :-),
Al

... Should I or shouldn't I?... Too late, I did!
--- SBBSecho 3.14-Linux
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106.1)

On 28 Mar 2021, Al said the following...

I never knew telnets never moved beyond the draft stage and I don't know why that is. Duece's reason for adding telnets was to support BBSs that use it if I read his comment right.

well, unless we talk about starttls, which requires actual protocol handling
in the "child" protocol, there isn't really much to it. the rfc would be
quite boring really. "1) establish ssl connection. 2) carry out telnet connection over it". that's the only difference between https/http,
imaps/imap, etc. too.

--- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
* Origin: cold fusion - cfbbs.net - grand rapids, mi (21:1/616)

Hello fusion!

On 28 Mar 2021, fusion said the following...

; CUSTOM: Only allow ciphers that are still considered secure (for TLSv1.2 and below)

Hopefully some of these can be useful.

awesome. yeah i'm guessing syncterm uses cryptlib like synchronet does. hopefully it doesn't get back that list of restrictions and bail out lol.

Just heard from Al that he tested it and it appears to work. :-)

I guess this means that SyncTERM uses a modern version of cryptlib (not requiring CBC ciphers) which would otherwise cause the connection to fail...

Best regards
Zip

--- Mystic BBS v1.12 A47 2021/02/12 (Linux/64)
* Origin: Star Collision BBS, Uppsala, Sweden (21:1/202)

Hello Al!

On 28 Mar 2021, Al said the following...

If you have time, could you please try scbbs.nsupdate.info:50992 (cus port), too? Just to see if you get to the login screen...

Yep, your BBS answers and looks good.

Thanks a lot! It is much appreciated!

Best regards
Zip

--- Mystic BBS v1.12 A47 2021/02/12 (Linux/64)
* Origin: Star Collision BBS, Uppsala, Sweden (21:1/202)

Re: Re: Secure Telnet
By: Zip to fusion on Mon Mar 29 2021 12:25 pm

I guess this means that SyncTERM uses a modern version of cryptlib (not requiring CBC ciphers) which would otherwise cause the connection to fail...

We patch/configure cryptlib to choose the ciphersuite preferences/requirements. --
digital man

Synchronet "Real Fact" #30:
The COM I/O routines for Synchronet for DOS were written in ASM by Steve Deppe. Norco, CA WX: 72.0�F, 38.0% humidity, 6 mph NNE wind, 0.00 inches rain/24hrs --- SBBSecho 3.14-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (21:1/183)

Re: Re: Secure Telnet
By: fusion to Al on Mon Mar 29 2021 02:49 am

well, unless we talk about starttls, which requires actual protocol handling in the "child" protocol, there isn't really much to it.

We probably want to avoid starttls don't we?

the rfc would be quite boring really. "1) establish ssl connection. 2) carry out telnet connection over it". that's the only difference between https/http, imaps/imap, etc. too.

I am not really up on things network generally, especially the security side of things.

The only thing I know id that I prefer to be secure than insecure.

Ttyl :-),
Al

... $$$ not found -- A)bort, R)efinance, D)eclare bankruptcy
--- SBBSecho 3.14-Linux
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106.1)

Re: Re: Secure Telnet
By: Zip to fusion on Mon Mar 29 2021 12:25 pm

I guess this means that SyncTERM uses a modern version of cryptlib (not requiring CBC ciphers) which would otherwise cause the connection to fail...

I don't know Deuce well, in fact I don't see him around much anymore but he is heavily involved with Synchronet to this day. I see his commits in the Synchronet programming area regularly.

I don't think he would feel badly if folks took his work and incorporated it into their own projects. It's open source and folks just need to give credit where credit is due.

I've always thought it would be great if there was a place where people could get the stuff they need to be secure and the synchronet project might be a good place to do that.

Probably want to get Deuce's OK to do that but I think he'd be pleased. He might even be willing to work on a generally available repo for that so other BBS projects have a place to goto for that and don't have to reinvent it all.

Ttyl :-),
Al

... Bug free, cheap, on time, works. Pick two.
--- SBBSecho 3.14-Linux
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106.1)

Hello Digital Man!

On 29 Mar 2021, Digital Man said the following...

We patch/configure cryptlib to choose the ciphersuite preferences/requirements.

Sounds great! :)

Best regards
Zip

--- Mystic BBS v1.12 A47 2021/02/12 (Linux/64)
* Origin: Star Collision BBS, Uppsala, Sweden (21:1/202)