'Unable to start SSL' errors suddenly (6.91 RC3 Build 5585)?

This is the place to help test and discuss Version 6 Beta releases.

'Unable to start SSL' errors suddenly (6.91 RC3 Build 5585)?

Postby euroweb » Wed Oct 09, 2024 5:55 pm

Background:
I have been using Newsbin for a long time without any server connection issues.
I have also been using this new 6.91 RC3 Build 5855 version without issues for a little while.

Issue:
Yesterday suddenly I started getting SSL errors constantly.
Error message in Newsbin Pro:

ERROR (News Server name masked)SSL Lib returned error: 0xffffffffffffdaa0
ERROR Downloader: Socket Exception NEWS SERVER ERROR Unable to start SSL to news server Error: SSL Negotiation Failed, Host: (News Server name masked)


Some of the steps tried to resolve the issue so far without success:
1) Rebooted PC
2) I have tried disabling my internet security software firewall and real-time protection.
3) I reinstalled Newsbin Pro (however did NOT let it delete settings files NOR delete the registry settings though).
4) Checked that the usenet provider's certificate is valid (on their end at least).


Any suggestions would be much appreciated!
Any certs to check on my end?
Going to try to replicate the issue on a different computer when I get a chance.
euroweb
Occasional Contributor
Occasional Contributor
 
Posts: 17
Joined: Mon Jun 26, 2023 8:04 am

Re: 'Unable to start SSL' errors suddenly (6.91 RC3 Build 55

Postby euroweb » Wed Oct 09, 2024 6:25 pm

Edit seems it was my Internet Security software after all!

Been using Newsbin Pro for ages as well as the same internet security software.
Seems the security software implemented some new security features a few days ago / recently.

Let me see if I can set some custom rules in the internet security software to get it to work with Newsbin Pro, without compromising my overall security.

I allowed traffic through Newsbin Pro, but the SSL errors persist.
So it looks like the SSL issue may be due to some other newly changed / added protection in the app.
euroweb
Occasional Contributor
Occasional Contributor
 
Posts: 17
Joined: Mon Jun 26, 2023 8:04 am

Re: 'Unable to start SSL' errors suddenly (6.91 RC3 Build 55

Postby Quade » Wed Oct 09, 2024 8:10 pm

Some security packages try to "man in the middle" SSL connections to monitor the contents. I don't know if yours is doing that but it's possible.

Newsbin is basically downloading text from the news server. They get converted to files inside Newsbin.

I'd look for "SSL Security" options. See if you can tell it to ignore Newbin's connections to the server.
User avatar
Quade
Eternal n00b
Eternal n00b
 
Posts: 45003
Joined: Sat May 19, 2001 12:41 am
Location: Virginia, US

Registered Newsbin User since: 10/24/97

Re: 'Unable to start SSL' errors suddenly (6.91 RC3 Build 55

Postby euroweb » Wed Oct 09, 2024 11:39 pm

Quade wrote:Some security packages try to "man in the middle" SSL connections to monitor the contents. I don't know if yours is doing that but it's possible.

Newsbin is basically downloading text from the news server. They get converted to files inside Newsbin.

I'd look for "SSL Security" options. See if you can tell it to ignore Newbin's connections to the server.


Thanks Quade!

I found two SSL settings (interestingly they are listed under 'Wifi Security' category within the internet security suite). The PC on which I am using Newsbin Pro 99% of the time is a LAN connection.
Anyway, I disabled the detection / blocking of both ('SSL man-in-the-middle attacks' and SSL strip attacks').
The issue persists.

Also tried some other changes, but the security suite has too many different settings to experiment with.
    There is 'Antivirus' section with 7 additional independent settings
    Then 4 more settings without a category.
    Then there is 'Exploit Prevention' with 7 additional independent settings
    Firewall settings has a bunch of settings.
    Intrusion Prevention has 7 more settings.
    Traffic Rules alone contains say 35 - 40 independent settings (too large to bother counting one by one)
.

Also several of the above categories have separate instances with their own settings under the 'Computer', 'Network' and 'Web' sections, so multiply some of the above settings counts by 3!
I also did not even include other categories within the security, such as 'browser protection' and 'ransomware protection' which presumably/ hopefully do not apply to stand-alone applications (that do not run within a web site [in a container]).

Ironically even after I disabled the security suite app's auto protect and firewall temporarily, some features remained active and the SSL errors still occurred.
So I had to uninstall it (quicker than manually undoing a few hundred settings to disable every protection) to get SSL to work.

I am in a dilemma since:
I want to stick with Newsbin Pro since it is MUCH faster at downloading (caps out my close to 1.4 Gbps connection) than the more recent competitors (one highly popular competitor topped out at say 40% of Newsbin Pro's speed!)...
However, I also like my current security suite (literally just renewed it at a great price) given the numerous included advanced features that Windows Defender and even paid competitors lack.
Other security suites are more expensive ironically * and , even when on sale (for more than mine still), do not support more than 5 devices, whereas I need at least 10 devices protected (hence I get the 10 device version).

* The security suite I use has a similar MSRP to some competitors but I always wait for sales and get it for up to a 75% discount. Also, as noted, it supports 10 devices on a single license key whereas competitors may support only 5 or 10.

Anyway, looks like there is no easy solution without compromising on the level of protection which defeats the purpose of the security suite.
I was hoping allow connections at the app level would work, but it no longer does.

As noted, never had this issue till the security suite added some very recent protection features or changed the way some work. The other reason could be an undetected defect as it is quite new and I have not had any other issues yet with other internet apps, so it may only be impacting a limited set of users.


I have been using different AV products over the years and this one tests well, is an all-in-one solution, light on resources and is a good deal deal when on sale, even more so since it supports up to 10 devices.

If anyone has any suggestions. As I said, if I could somehow set custom rules in the security suite for Newsbin Pro to get it to work that would be great, but that seems unlikely: When NB pro started up, the suite asked if I wanted to allow certain traffics, I set it to allow all temporarily and even then I got the SSL errors, so another part of the suite is causing an issue with SSL connections.
Even after disabling R/T protection and firewall, something blocked the SSL connections, until I uninstalled the security suite.
euroweb
Occasional Contributor
Occasional Contributor
 
Posts: 17
Joined: Mon Jun 26, 2023 8:04 am

Re: 'Unable to start SSL' errors suddenly (6.91 RC3 Build 55

Postby Quade » Thu Oct 10, 2024 12:21 pm

Can you make it just ignore Newsbin altogether?

It's more important to monitor the download and unrar folders than Newsbin itself. Unlike Torrents, Newsbin just talks to your news server so, it's not like some outsider can poison the connection.

How about disabling SSL and see if it works? The security software might be a wild goose chase. One user reported the other day he couldn't connection to Astraweb anymore. He was looking for a different server.

I haven't verified his report. I just suggested he try Usenetserver.
User avatar
Quade
Eternal n00b
Eternal n00b
 
Posts: 45003
Joined: Sat May 19, 2001 12:41 am
Location: Virginia, US

Registered Newsbin User since: 10/24/97

Re: 'Unable to start SSL' errors suddenly (6.91 RC3 Build 55

Postby euroweb » Thu Oct 10, 2024 5:06 pm

Quade wrote:Can you make it just ignore Newsbin altogether?

It's more important to monitor the download and unrar folders than Newsbin itself. Unlike Torrents, Newsbin just talks to your news server so, it's not like some outsider can poison the connection.

How about disabling SSL and see if it works? The security software might be a wild goose chase. One user reported the other day he couldn't connection to Astraweb anymore. He was looking for a different server.

I haven't verified his report. I just suggested he try Usenetserver.



Thanks! Understood about monitoring the (content in the) download and unrar folders beign more critical.
Let me check if I can make the security software ignore Newsbin (there may be a way - I had considered that angle but it is not clearly documented).

I suspect disabling SSL would work, but I prefer to use SSL.
The reason I am calling out the security software as the culprit, is that right after I uninstalled it (and, until I reinstalled it, let Windows Defender temporarily partially protect me since it is more limited), Newsbin worked immediately again (as it used to) with the same news server selected and SSL enabled (no change to any Newsbin settings at all).

Will report back after I get a chance to play around with it.
Thanks again.
euroweb
Occasional Contributor
Occasional Contributor
 
Posts: 17
Joined: Mon Jun 26, 2023 8:04 am

Re: 'Unable to start SSL' errors suddenly (6.91 RC3 Build 55

Postby blenky » Sat Oct 12, 2024 6:37 pm

I'm having same issue with my Norton antivirus. I've turned off SSL and it works fine.

Can't find any settings that I can configure to stop SSL connection errors.
blenky
Occasional Contributor
Occasional Contributor
 
Posts: 38
Joined: Fri Apr 23, 2004 3:40 pm

Registered Newsbin User since: 04/22/04

Re: 'Unable to start SSL' errors suddenly (6.91 RC3 Build 55

Postby Quade » Sat Oct 12, 2024 10:40 pm

https://support.norton.com/sp/en/us/hom ... s/v6958602

Supposedly this is how you tell Norton to allow out programs it wants to block. I don't know if this is useful or not.
User avatar
Quade
Eternal n00b
Eternal n00b
 
Posts: 45003
Joined: Sat May 19, 2001 12:41 am
Location: Virginia, US

Registered Newsbin User since: 10/24/97

Re: 'Unable to start SSL' errors suddenly (6.91 RC3 Build 55

Postby blenky » Sun Oct 13, 2024 8:26 pm

Quade wrote:https://support.norton.com/sp/en/us/home/current/solutions/v6958602

Supposedly this is how you tell Norton to allow out programs it wants to block. I don't know if this is useful or not.


Thanks, but tried all that. The program is not blocked - it's an issue with trying to use SSL. I may try Norton and see if they have a solution

Also tried NZBGet - same issue.
blenky
Occasional Contributor
Occasional Contributor
 
Posts: 38
Joined: Fri Apr 23, 2004 3:40 pm

Registered Newsbin User since: 04/22/04

Re: 'Unable to start SSL' errors suddenly (6.91 RC3 Build 55

Postby Quade » Sun Oct 13, 2024 11:32 pm

Sounds like a bug then.

I only use the built in security stuff Microsoft supplies. That and taking manual control of the built in firewall lets me lock my machine down pretty well.
User avatar
Quade
Eternal n00b
Eternal n00b
 
Posts: 45003
Joined: Sat May 19, 2001 12:41 am
Location: Virginia, US

Registered Newsbin User since: 10/24/97

Re: 'Unable to start SSL' errors suddenly (6.91 RC3 Build 55

Postby Stan » Mon Oct 14, 2024 7:13 am

Other than the possibility of maybe trying different ports, the next best thing is to contact the support of the security programs you are using.
Tell them right out you use a program that uses SSL and on what port(s), you're getting issues unless you either disable their security program or uninstall it.
And ask what you need to change in their security software to get things back to working.
Any PAID for security software has some way to contact support, many can be contacted through email and some have in addition a forum you can try.
You can possibly take a few minutes to check with your news provider what other ports to try, then go from there.
There really is not a huge list of SSL ports this is a list from one provider (563, 80, 81, 9119)

I had one security program I was trying, and it not only stopped some other programs, but I specifically remember it blocking PLEX and after a few days of looking into it, I found the security software was blocking specific ports. I had to completely disable that option, as I did not feel like then figuring out how to allow some of the blocked ports.

Most people use the default antivirus and firewall with Win10 and Win11, but I too found it was not catching everything. I used to use years again MalwareBytes, so I went back to them.
The only thing I tell most people is to turn off the Web Protection option, this feature just seemed to want to block too many websites and in knowing how good MalwareBytes real time active protection stops anything that possibly is an issue, I am safe with Web Protection off.

Sadly, overtime, people are finding out Windows does not stop specific things. When I ran MalwareBytes I was shocked at all the Trojans and backdoors and miners that it found that even after running Window's FULL COMPLETE scan did not find. I had then MalwareBytes clean my system reboot and to be extra secure from then on ran another full scan in MalwareBytes to make sure system is clean.
There is a pay version and fully functioning free version of MalwareBytes so it's worth a look. They both get the full updates of definitions.

If you don't want a program that installs but tends to be more of a problem as each day you want to scan you have to download it again is free version of drweb.

I used to use Norton seemed to get to where 50% of my own personal programs and data were flagged as virus, yet no other program did. And I know I created the stuff, so how was it containing a virus. In my use of other programs, other than the one, I not really noticed them blocking ports or SSL. So not sure now why Norton would start, but always worth trying other programs.
Stan
Occasional Contributor
Occasional Contributor
 
Posts: 43
Joined: Wed Jun 21, 2017 12:18 am

Registered Newsbin User since: 03/10/17

Re: 'Unable to start SSL' errors suddenly (6.91 RC3 Build 55

Postby blenky » Thu Oct 17, 2024 1:52 pm

I managed to find a solution. I started experimenting in Norton and temporarily switched off one feature, test and move on to next. Eventually I found that by turning off Email Protection under 'Security > Advanced > Computer' the problem went away.

I noticed that the error in NZBGet was

ERROR TLS certificate verification failed for news.eweka.nl: self signed certificate in certificate chain. For more info visit http://nzbget.net/certificate-verification
blenky
Occasional Contributor
Occasional Contributor
 
Posts: 38
Joined: Fri Apr 23, 2004 3:40 pm

Registered Newsbin User since: 04/22/04

Re: 'Unable to start SSL' errors suddenly (6.91 RC3 Build 55

Postby Quade » Fri Oct 18, 2024 12:02 am

That sounds like what I first suggested. That they were doing a "man in the middle" interception so they could see what's inside the SSL connection.

It's good that you found a solution.
User avatar
Quade
Eternal n00b
Eternal n00b
 
Posts: 45003
Joined: Sat May 19, 2001 12:41 am
Location: Virginia, US

Registered Newsbin User since: 10/24/97

Re: 'Unable to start SSL' errors suddenly (6.91 RC3 Build 55

Postby euroweb » Sun Oct 20, 2024 11:08 am

blenky wrote:I managed to find a solution. I started experimenting in Norton and temporarily switched off one feature, test and move on to next. Eventually I found that by turning off Email Protection under 'Security > Advanced > Computer' the problem went away.

I noticed that the error in NZBGet was

ERROR TLS certificate verification failed for news.eweka.nl: self signed certificate in certificate chain. For more info visit http://nzbget.net/certificate-verification


I was unable to play around with this last week for several reasons, but I am back now and figured I would check this thread again and saw your workaround.
Thanks a lot for this! This workaround worked for me too (with the NEW Norton which is where the issue started).

Obviously not ideal since I would prefer to keep email protection enabled at all times, but at least for now I am able to use Newsbin again which is great news!
I always scrutinize all my email senders (always on alert for phishing etc. and and I never click on links or open attachments unless they come from known senders) and I have Norton set to scan downloads anyway). I also always check hyperlinks' actual URLs (not the hyperlink's display text) and check domain names before clicking on any link.
Some of the email scams are getting much more sophisticated these days.
Also email spoofing, which has been around since (at least the 1990's at the consumer / general public level), seems to be becoming more prevalent in my experience.

All that said, it is interesting that email security setting would affect a non-email application. Obviously without access to Norton's source code, who knows what the interaction is from Newsbin that Norton is blocking via 'email security' settings.

Thanks again for finding this easy workaround!
euroweb
Occasional Contributor
Occasional Contributor
 
Posts: 17
Joined: Mon Jun 26, 2023 8:04 am

Re: 'Unable to start SSL' errors suddenly (6.91 RC3 Build 55

Postby Quade » Mon Oct 21, 2024 11:27 am

Usenet is essentially a massive shared mail server. Originally usenet and email had more in common than not. It's was designed as the first "forum" like thing where people would post using email and people would respond. It was only later that it was pressed into file sharing service. Files posted to usenet are essentially "attachments". Because the maximum size of each message was under 1 Mbyte, the files had to be broken up into multiple emails.

When I first started playing with it, a good company connection to the internet was 56 Kbps and the web didn't exist yet. I worked for a company. One of the engineers had a side project running the biggest usenet server on the internet at the time. All posting could be serviced at less than 1.5 Mbps. I don't know how much storage he had. Maybe 100 megs.

I found a tool that would let you download posts to a disk drive and convert them to files. I thought I could do it better and make it work in real time. That was back when Windows didn't even have a TCP stack. You had to add one to it to let it access the internet.
User avatar
Quade
Eternal n00b
Eternal n00b
 
Posts: 45003
Joined: Sat May 19, 2001 12:41 am
Location: Virginia, US

Registered Newsbin User since: 10/24/97


Return to Newsbin Version 6 Beta Support

Who is online

Users browsing this forum: No registered users and 6 guests