Incorrect or missing information? SABnzbd and SSL/TLS security
Usenet (aka Newsservers) offers SSL/TLS security. It’s called NNTPS, or NNTP with SSL. Just like HTTPS, it has two functions:
- Are you really talking to the server you want to talk to.
- Others can’t see what is being sent between client and server. So others can’t see 1) your login credentials and 2) what you’re downloading.
Currently there are still a lot of non-secure newsservers. The default setting of SABnzbd for existing servers is therefore not very strict. You can set it to
Strict yourself in the Advanced settings on the Servers page. When you add a new server in SABnzbd 2.0.0+ it will be set to
Strict by default.
You can completely turn off SABnzbd’s security checking, but then your connection does not offer you the security of the two functions above.
Online newsserver SSL/TLS check
Q: I get this error message “untrusted certificate”. What is going on? What can I do?
Failed to connect: Server news.someserver.com uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)]
A: Your newsserver does not have valid certificates to verify it’s identity. The certificates are self-signed and cannot be verified by a trusted authority or they are malicious.
You can do different things:
- Easy but not secure: Make the problem go away by not using SSL (untick SSL).
- Easy but not secure: Ignore the problem, and instruct SABnzbd to ignore the problem: in SABnzbd’s Server-settings, under Advanced, set
Disabled. You have now an insecure SSL connection.
WARNING Disabeling this check allows anyone to redirect and intercept your traffic using any certificate! It is comparable to not using SSL at all.
Hard, but secure: Check on our Newsservers with SSL/TLS overview (and/or online newsserver SSL/TLS check above) the SSL/TLS-status of your newsserver.
If the test or the overview shows an error message such as
OK NOK NOKor
NOK NOK NOK, the problem is on the side of the newsserver. You can ask the newsserver provider to solve that problem. That could be a hard path; the provider could deny they have a problem.
If that site says
OK OK OKor
OK OK NOK, the problem is on your own site (read: your computer/NAS): incorrect certificates, a virusscanner doing strange things, or something else. That is not something SABnzbd cannot solve for you. And it is OS-dependent how to solve that.
Q: I get this error message “hostname … doesn’t match”
Failed to connect: Server news.someserver.com uses an untrusted certificate [hostname 'news.someserver.com' doesn't match either of '*.othersite.com', 'othersite.com']
A: your newsserver provider has some level of SSL, but the setup is not fully correct: they are using the certificates that do not belong to the hostname you’re using. That is not correct.
You can do different things:
- Easy and half/half-secure: in SABnzbd’s Server-settings, under Advanced, set
Minimal. Then try again.
WARNING Disabeling this check allows anyone to redirect and intercept your traffic using any valid certificate! It is comparable to not using SSL at all.
- You can ask the newsserver provider to solve the problem. That could be a hard path; the provider could deny they have a problem.
Q: Which Newsserver provider should I choose & use?
A: Choose one with triple OK on our Newsservers with SSL/TLS overview
Q: I am a newsserver provider, what can I do?
That depends on how your newsserver is set up:
- If you are a (Highwinds, Xennanews, etc) reseller, contact your wholesale provider (Highwinds, Xennanews, etc) to solve this. You will most likely need to provide a certificate to your provider
- If you are hosting your own newsserver, contact your newsserver administrator
NZB / RSS Index site problems
NZB / RSS Index sites are HTTPS sites. HTTPS/SSL/TLS problems on the server side are now (2017) uncommon because web browsers have been rejecting incorrect SSL/TLS setup for some time now.
Q: I get a certificate error trying to read a RSS or NZB
Failed to retrieve RSS from https://nzbindex.nl/rss/?q=bla&sort=agedesc&max=25: hostname u'nzbindex.nl' doesn't match either of 'www.nzbindex.com', 'nzbindex.com'
A: Open the same URL in your Chrome web browser on the same machine, and on another machine. If Chrome complains too, you know the problem is on the server side.
Thinks you can do:
- Check if there is another URL that is secure. For example: nzbindex.COM is secure.
- Contact the site owner and tell him about the problem.
- Turn off
HTTPS certificate verificationin SABnzbd.
If Chrome does not complain, the problem might be on your side. That is not something SABnzbd cannot solve for you. And it is OS-dependent how to solve that.
Tools to test SSL/TLS news servers and websites
SSLlabs (only HTTPS checking): https://www.ssllabs.com/ssltest/analyze.html?d=api.oznzb.com&latest
gnutls-cli -p 563 newsreader.eweka.nl
- Python (2.7.9 or higher)
python -c "import urllib2; response = urllib2.urlopen('https://api.oznzb.com/') "