Untrusted Certificate thundernews.com

[atillahun]

Both Secure.EU.thundernews.com and secure.us.thundernews.com are being blocked by Sabnzb v2.01 and are receiving a warning that the certificate being used is untrusted.


appelboor.com shows thundernews as being unsecure. Yet, when I check sslshopper.com, thundernews is secure. Does anyone know what's going on?

[sander]

https://www.sslshopper.com/ssl-checker. ... ws.com:563 gives a warning / exclamation mark saying "None of the common names in the certificate match the name that was entered (secure.eu.thundernews.com). You may receive an error when accessing this site in a web browser. Learn more about name mismatch errors.". So: not good.

That matches the "OK OK NOK" (the third item being Not OK) as reported by Appelboor and SABnzbd.

Solutions / workaround:
- contact thundernews.com to solve it. The only correct way, but probably hard as thundernews.com might deny / not recognize the problem
- do no use SSL / NNTPS with thundernews.com. Not secure, but at least you know it (so: red pill)
- lower the checking level in SABnzbd. You will be fooling yourself with as SSL-setting as it's not secure (so: blue pill)
- choose a news provider that does SSL / NNTPS correctly. Check https://www.appelboor.com/newsservers/n ... h-SSL.html for OK OK OK (triple OK) ... there are more than enough.

EDIT

Another tool to check the security of a NNTPS server, is ... curl (available for Linux, Windows, MacOS):

Code: Select all

$ curl https://secure.us.thundernews.com:563/
curl: (51) SSL: no alternative certificate subject name matches target host name 'secure.us.thundernews.com'

So: not good.

[atillahun]

Is this something new with version 2.0? I never had a problem when I was using the older Sab software.

Would it help if I used a VPN?

Is it better for me to use the unsecured server us.thundernews.com or the secure server with the lower settings (blue pill). Will my internet provider be able to see what I'm doing.

I am running Sab on an old PC, which never leaves my home and is attached to the router via a CAT5 cable.

[sander]

Is this something new with version 2.0? I never had a problem when I was using the older Sab software.

Yes, as of SAB 2.0, SAB by default does not accept invalid SSL/TSL connections. Just like Chrome / Firefox doesn't accept that.

Would it help if I used a VPN?

Yes. But it makes it more difficult for you.

Is it better for me to use the unsecured server us.thundernews.com or the secure server with the lower settings (blue pill). Will my internet provider be able to see what I'm doing.

Ah, difficult dilemma. Red pill versus Blue pill. Probably SSL with lower settings.

I am running Sab on an old PC, which never leaves my home and is attached to the router via a CAT5 cable.

But apparently you want SSL / TLS so you do care about security that works. So why don't you contact Thundernews' helpdesk to let them correct their setup, or choose another News provider?

[atillahun]

I contacted Thundernews. They have 3 European servers and 2 American servers, that they don't show anywhere on their website, which have trusted certificates. I guess that they are lacking bandwidth and that's the reason Thundernews is keeping them hidden. Thanks for your help.

[sander]

I contacted Thundernews. They have 3 European servers and 2 American servers, that they don't show anywhere on their website, which have trusted certificates. I guess that they are lacking bandwidth and that's the reason Thundernews is keeping them hidden. Thanks for your help.

And those secret servers have correct certificates? If so, they are in the .thundernews.com domain, or in sslusenet...?

[atillahun]

The servers are in the sslusenet domain.

[sander]

The servers are in the sslusenet domain.

I assume the ones mentioned by https://www.appelboor.com/cgi-bin/check ... ernews.com , so

Code: Select all

 ams2.sslusenet.com
 de.sslusenet.com
 iad.sslusenet.com
 news.sslusenet.com
 nl.sslusenet.com
 us.sslusenet.com

Correct?

Did you have to change anything in your login name?

[atillahun]

I assume the ones mentioned by https://www.appelboor.com/cgi-bin/check ... ernews.com , so

CODE: SELECT ALL
ams2.sslusenet.com
de.sslusenet.com
iad.sslusenet.com
news.sslusenet.com
nl.sslusenet.com
us.sslusenet.com


Correct?

Did you have to change anything in your login name?

Those are the servers that they said I could use. I didn't have to change my login name. Is this safe?

[sander]

I assume the ones mentioned by https://www.appelboor.com/cgi-bin/check ... ernews.com , so

CODE: SELECT ALL
ams2.sslusenet.com
de.sslusenet.com
iad.sslusenet.com
news.sslusenet.com
nl.sslusenet.com
us.sslusenet.com


Correct?

Did you have to change anything in your login name?

Those are the servers that they said I could use. I didn't have to change my login name. Is this safe?

Yes, that's safe. But I can imagine it's cumbersome and/or strange for you. So it would still be best if thundernews would solve it on their side (instead of letting all users do special things on the user side).

Good to hear your login name did not change. Is there anything in your login name that makes clear it's a thundernews login? For example "tn" in there? Or in "thunder" of something like that?

[atillahun]

Yes, that's safe. But I can imagine it's cumbersome and/or strange for you. So it would still be best if thundernews would solve it on their side (instead of letting all users do special things on the user side).

Good to hear your login name did not change. Is there anything in your login name that makes clear it's a thundernews login? For example "tn" in there? Or in "thunder" of something like that?

The login has "tn" in it.

[airguy]

I am getting this on usenetserver.com. There are 2 server sets I can use:

news-us.usenetserver.com
Untrusted certificate error.

news-eu.usenetserver.com
Working fine, no errors.

I had to switch over to the eu server for the time being as I can't figure out why the us server is giving me this error.

Have checked both with https://www.appelboor.com/newsservers/check.html and also perused your list at https://www.appelboor.com/newsservers/n ... h-SSL.html. But when I test the server on Sabnzbd the us server always fails.

My login for each is the same username and pw.

Would like to use both servers, as usually get a little better speed as I am in the US.

I am running V2.1.0 right now, on WHS 2011.

Anyone else use usenetserver.com experiencing this?
I don't want to us it with SSL disable. Possible DNS Hijack?

[safihre]

What error do you get specifically? Does it list other domains?

[airguy]

What error do you get specifically? Does it list other domains?

Here is what I get:

[Errno 10061] Server news-us.usenetserver.com uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)] - https://sabnzbd.org/certificate-errors

Where would I see other domains? The Site checks out when tested on the SSL test sites I listed above. Just not in Sabnzbd. I don't understand why one of there server sets works fine and the other one gives untrusted certificate errors. Again, my login is the same for either one.

This has just started happening within the last few weeks. At first the error was intermittent. I would see them in the error warning panel from time to time, but downloads still were working. But they got worse, and now I can't connect to news-us.usenetserver.com unless I disable SSL totally, which I do not wish to do. In the meantime I am using news-eu.usenetserver.com which works fine, even in Strict.

[safihre]

So it's an intermittent error, that's very strange. Sander, do you have a clue how that could be?
We need to read out the certificate, can you run this command:

openssl s_client -connect news-us.usenetserver.com:563