Subj : Re: Secure Telnet
To   : fusion
From : Zip
Date : Sun Mar 28 2021 09:48 pm

Hello fusion!

On 26 Mar 2021, fusion said the following...

fu> I got telnet over SSL working and thought I'd share the details since the
fu> next official release of SyncTERM looks like it's going to support it.
fu> For now we can use "stunnel" since the only BBS I've heard of that
fu> supports it natively is BBBS.

Thanks for the tip! A nice addition to the connection options! :)

I thought I'd share some additional stunnel options that I'm giving a try here:

; CUSTOM: Allow binding to an IP address that is nonlocal or does not (yet) exist; see ip(7)
; NOTE: This might help if stunnel starts up before network interfaces are fully configured; in any case, it won't hurt
socket = a:IP_FREEBIND=yes

; CUSTOM: Only allow TLSv1.2 and higher
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1

; CUSTOM: Only allow ciphers that are still considered secure (for TLSv1.2 and below)
; NOTE: Using OpenSSL 1.1.1d here, which has CAMELLIA
ciphers = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SSLv3:!TLSv1:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA256:!DHE-RSA-CAMELLIA256-SHA256:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-CAMELLIA128-SHA256:!ECDHE-RSA-CAMELLIA256-SHA384

; CUSTOM: When choosing a cipher, use the server's preferences instead of the client preferences (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html)
options = CIPHER_SERVER_PREFERENCE

; CUSTOM: Disable TLS renegotiation to mitigate DoS attacks
renegotiation = no

; These options provide additional security at some performance degradation
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE

; CUSTOM: Delay DNS lookup for the connect option
delay = yes

And, for the actual service:

; NOTE: Set to > Mystic BBS configuration (mystic -cfg) --> Configuration --> General Settings --> Inactivity
TIMEOUTidle = 7210

Hopefully some of these can be useful.

Best regards
Zip

--- Mystic BBS v1.12 A47 2021/02/12 (Linux/64)
 * Origin: Star Collision BBS, Uppsala, Sweden (21:1/202)
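
Added example (not part of the post above and not stunnel's own code): a small Python check for the global hardening settings listed in the post. It collects the repeated "options =" keys, which a standard INI parser would reject or overwrite, and flags a ciphers string that picked up whitespace from message line-wrapping; the sample config, the section name and the function names are constructed for illustration.

```python
import re

# Constructed sample in the style of the post: one protocol left enabled and
# a ciphers string damaged by line-wrapping.
SAMPLE = """\
; global options
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
ciphers = EECDH+ECDSA+AESGCM:EECD H+aRSA+SHA384:!aNULL:!E XP
renegotiation = no

[bbs-tls]
TIMEOUTidle = 7210
"""

# The "options = NO_*" lines the post uses to leave only TLSv1.2 and higher.
REQUIRED_OPTIONS = {"NO_SSLv2", "NO_SSLv3", "NO_TLSv1", "NO_TLSv1.1"}

def parse(text):
    """Return {section: {key_lowercased: [values, ...]}}, keeping repeated keys."""
    conf, section = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # start of a service section
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[section].setdefault(key.strip().lower(), []).append(value.strip())
    return conf

def audit(text):
    """Check the global section only (simplification) and return findings."""
    g = parse(text)["global"]
    findings = []
    missing = REQUIRED_OPTIONS - set(g.get("options", []))
    if missing:
        findings.append("protocols not disabled: " + ", ".join(sorted(missing)))
    if any(re.search(r"\s", c) for c in g.get("ciphers", [])):
        findings.append("whitespace inside ciphers string (line-wrap damage)")
    # An absent renegotiation key is reported as not disabled.
    if g.get("renegotiation", ["yes"])[-1].lower() != "no":
        findings.append("renegotiation not disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```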