SABnzbd and SSL/TLS security
Usenet (aka News servers) offers SSL/TLS security. It’s called NNTPS, or NNTP with SSL. Just like HTTPS, it has two functions:
- Confirm you really are talking to the server you want to talk to.
- Encrypt communications between client and server so others can’t see information like your login credentials and what you are downloading.
When you add a new server and enable SSL, its Certificate verification setting will be set to Strict by default, which enforces both functions described above.
There are still a lot of non-secure news servers around. Therefore, the default setting for existing servers is only Minimal. You can set it to Strict yourself in the Advanced settings on the Servers page.
You can completely turn off SABnzbd’s security checks and encryption, but you won’t have the security described above.
Online news server SSL/TLS check
News server problems
Q: I get this error message “untrusted certificate”. What can I do?
Failed to connect: Server news.someserver.com uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)]
A: Your news server does not have valid certificates to verify its identity. The certificates are self-signed and cannot be verified by a trusted authority or they are malicious.
- Easy but not secure: Don’t use SSL (untick SSL).
- Easy but less secure: Tell SABnzbd to ignore the problem: in SABnzbd’s Server-settings, under Advanced, set
WARNING Disabling this check allows anyone to redirect and intercept your traffic using any certificate! It is comparable to not using SSL at all.
- Hard but secure: Test the status of your news server online (above) or check out the News servers with SSL/TLS overview.
If the test (or overview) shows an error message such as ‘OK NOK NOK’ or ‘NOK NOK NOK’, the problem is on the side of the news server. You can ask the news server provider to fix this. But, they could deny there is a problem.
If the test says ‘OK OK OK’ or ‘OK OK NOK’, then the problem is local (i.e. your computer/NAS): incorrect certificates, a virus scanner doing strange things, or something else. This is not something SABnzbd can solve for you. And the solutions are OS-dependent.
Q: I get this error message “hostname … doesn’t match”
Failed to connect: Server news.someserver.com uses an untrusted certificate [hostname 'news.someserver.com' doesn't match either of '*.othersite.com', 'othersite.com']
A: Your news server provider has some level of SSL, but their setup is not correct: they are using certificates that do not belong to the hostname you’re using.
- Easy and half/half-secure: in SABnzbd’s Server-settings, under Advanced, set Certificate verification to Minimal. Then try again.
WARNING Disabling this check allows anyone to redirect and intercept your traffic using any valid certificate! It is comparable to not using SSL at all.
- You can ask the news server provider to fix this. But, they could deny there is a problem.
Q: Which News server provider should I choose?
A: Choose one with ‘OK OK OK’ on our News servers with SSL/TLS overview.
Q: I am a news server provider, what can I do?
A: That depends on your circumstances:
- If you are a (Highwinds, Xennanews, etc) reseller, contact your wholesale provider (Highwinds, Xennanews, etc) to solve this. You will most likely need to provide a certificate to your provider.
- If you are hosting your own news server, contact your administrator.
NZB / RSS Index site problems
NZB / RSS Index sites are HTTPS sites. HTTPS/SSL/TLS problems on the server side are (in 2017) uncommon because web browsers have been rejecting incorrect SSL/TLS setups for some time.
Q: I get a certificate error trying to read an RSS or NZB
Failed to retrieve RSS from https://nzbindex.nl/rss/?q=bla&sort=agedesc&max=25: hostname u'nzbindex.nl' doesn't match either of 'www.nzbindex.com', 'nzbindex.com'
A: Open the same URL in your Chrome web browser on the same machine, and on another machine. If Chrome complains too, you know the problem is on the server side.
- Check if there is another URL that is secure. For example: nzbindex.COM is secure.
- Contact the site owner and inform them of the problem.
- Turn off HTTPS certificate verification in SABnzbd.
If Chrome does not complain, the problem might be on your side. This is not something SABnzbd can solve for you. And the solutions are OS-dependent.
Tools to test SSL/TLS news servers and websites
- SSLlabs (only HTTPS checking): https://www.ssllabs.com/ssltest/analyze.html?d=api.oznzb.com&latest
- gnutls-cli -p 563 newsreader.eweka.nl
- Python (2.7.9 or higher)
python -c "import urllib2; response = urllib2.urlopen('https://api.oznzb.com/') "
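To tell the two news server errors above apart ("untrusted certificate" versus "hostname … doesn’t match"), the following Python 3 script tries one server at three verification levels and reports which check fails. It is an added example, not SABnzbd's own code: the level names 'strict', 'minimal' and 'none', and their mapping onto Python's ssl settings, are assumptions based on how this page describes the Certificate verification setting.

```python
import socket
import ssl

HOSTNAME_MISMATCH = 62  # OpenSSL's X509_V_ERR_HOSTNAME_MISMATCH


def make_context(level):
    """Build a client context for 'strict', 'minimal' or 'none'.

    The level names and their mapping are assumptions of this example.
    """
    if level not in ("strict", "minimal", "none"):
        raise ValueError("unknown level: %r" % (level,))
    ctx = ssl.create_default_context()   # chain check and hostname check both on
    if level != "strict":
        ctx.check_hostname = False       # minimal: any certificate from a trusted CA
    if level == "none":
        ctx.verify_mode = ssl.CERT_NONE  # encryption only, identity unchecked
    return ctx


def classify(exc):
    """Name which of the two checks from the FAQ made the handshake fail."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        if getattr(exc, "verify_code", None) == HOSTNAME_MISMATCH:
            return "hostname-mismatch"
        return "untrusted-certificate"
    return "other"  # refused connection, timeout, protocol error, ...


def probe(host, port=563, timeout=10):
    """Try each level against host:port; return {level: 'ok' or failure kind}."""
    results = {}
    for level in ("strict", "minimal", "none"):
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with make_context(level).wrap_socket(raw, server_hostname=host):
                    results[level] = "ok"
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            results[level] = classify(exc)
    return results


if __name__ == "__main__":
    import sys
    for level, outcome in probe(sys.argv[1]).items():
        print("%-8s %s" % (level, outcome))
```

If 'strict' reports hostname-mismatch while 'minimal' is ok, the certificate is valid but issued for another name. If both report untrusted-certificate and only 'none' connects, the chain itself cannot be verified.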