I am running Agent 8 on an up-to-date Windows 10.
Intermittently, the following happens:
a damaged message was received from Newshosting
(DecryptMessage:80090030)
At which point, the thread reporting the problem drops out,
It's transient because I can restart the task (via get bodies for
marked messages) and the body will usually download successfully.
I'm mostly downloading from binary groups, so I would prefer to leave
Agent running while I get on with other things. If I tell agent to
use a secure connection, the download tasks will inevitably fail, so
currently I'm running Agent unsecured.
I presume it's to do with SSL / TLS. How can I tell which versions
Agent currently runs on, and how do I change it?
I asked Newshosting. They regard Agent as an unapproved app, know
little about it, and suggest I use their own downloader which I have
found clunky. It doen't remember what I downloaded last week, for
instance.
Can anyone help?
Many thanks, S

On Sat, 30 Apr 2022 09:34:14 +0100, someone@a.computer.somewhere wrote:

> I am running Agent 8 on an up-to-date Windows 10.
> Intermittently, the following happens:
> a damaged message was received from Newshosting
> (DecryptMessage:80090030)
> At which point, the thread reporting the problem drops out,
> It's transient because I can restart the task (via get bodies for
> marked messages) and the body will usually download successfully.
> I'm mostly downloading from binary groups, so I would prefer to leave
> Agent running while I get on with other things. If I tell agent to
> use a secure connection, the download tasks will inevitably fail, so
> currently I'm running Agent unsecured.
> I presume it's to do with SSL / TLS. How can I tell which versions
> Agent currently runs on, and how do I change it?
> I asked Newshosting. They regard Agent as an unapproved app, know
> little about it, and suggest I use their own downloader which I have
> found clunky. It doen't remember what I downloaded last week, for
> instance.
> Can anyone help?
> Many thanks, S

Agent uses the Windows SSL/TLS libraries. Agent cannot use a
version of SSL/TLS which your Windows does not use.

However, use in Windows does not guarantee Agent will use it.

1) To see which versions of SSL/TLS your Windows uses

Go to
Control Panel >> Internet Options >> Advanced
scroll down to the 'Security' section
and look for these settings:
[ ] Use SSL 3.0
[x] Use TLS 1.0
[x] Use TLS 1.1
[x] Use TLS 1.2
[ ] Use TLS 1.3 (experimental)

A version of SSL/TLS must be both listed and check-marked
for Windows to use it.

2) To tell which versions Agent currently runs on

If you have not changed the AGENT.INI setting 'AllowedSSLProtocols=0'
then it is the SSL/TLS protocols only up to TLS 1.0 which are
check-marked in 1) above, but not TLS 1.1, TLS 1.2, nor TLS 1.3.

3) To change which versions Agent currently runs on

You can add TLS 1.1, TLS 1.2, and TLS 1.3, provided
they are both listed and check-marked in 1) above,
by changing the AGENT.INI setting 'AllowedSSLProtocols'.
See this post from January:
<https://groups.google.com/g/alt.usenet.offline-reader.forte-agent/c/mJmtMSUqp6M>
<https://alt.usenet.offline-reader.forte-agent.narkive.com/35h3yv8s/notice-agent-and-ssl>
<news:p8hpuglnb0tot2oot3ob7m8n1k940kfgcl@4ax.com>

The Newshosting servers all support TLS 1.0 according to my tests.
news-us.newshosting.com
news-nl.newshosting.com
news-de.newshosting.com
And Agent will run TLS 1.0 -- unless it is un-checked in 1) above.
So I suspect that this might not be your problem.

Another possibility might be that the problem relates to your AV
intercepting the connection between Agent and the news server.

____
FOOTNOTE

The new value for 'AllowedSSLProtocols' is a sum of these
values from the grbitEnabledProtocols field of Microsoft's
SCHANNEL_CRED structure:
SP_PROT_SSL3_CLIENT
SP_PROT_TLS1_CLIENT
SP_PROT_TLS1_1_CLIENT
SP_PROT_TLS1_2_CLIENT
SP_PROT_TLS1_3_CLIENT
REF: <https://docs.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred>

--
Kind regards
Ralph

Werig sceal se wiþ winde roweþ. 🌬🚣

On Sat, 30 Apr 2022 22:29:58 +1200, Ralph Fox <-rf-nz-@-.invalid>
wrote:

>On Sat, 30 Apr 2022 09:34:14 +0100, someone@a.computer.somewhere wrote:
>
>> I am running Agent 8 on an up-to-date Windows 10.
>> Intermittently, the following happens:
>> a damaged message was received from Newshosting
>> (DecryptMessage:80090030)
>> At which point, the thread reporting the problem drops out,
>> It's transient because I can restart the task (via get bodies for
>> marked messages) and the body will usually download successfully.
>> I'm mostly downloading from binary groups, so I would prefer to leave
>> Agent running while I get on with other things. If I tell agent to
>> use a secure connection, the download tasks will inevitably fail, so
>> currently I'm running Agent unsecured.
>> I presume it's to do with SSL / TLS. How can I tell which versions
>> Agent currently runs on, and how do I change it?
>> I asked Newshosting. They regard Agent as an unapproved app, know
>> little about it, and suggest I use their own downloader which I have
>> found clunky. It doen't remember what I downloaded last week, for
>> instance.
>> Can anyone help?
>> Many thanks, S
>
>
>Agent uses the Windows SSL/TLS libraries. Agent cannot use a
>version of SSL/TLS which your Windows does not use.
>
>However, use in Windows does not guarantee Agent will use it.
>
> 1) To see which versions of SSL/TLS your Windows uses
>
> Go to
> Control Panel >> Internet Options >> Advanced
> scroll down to the 'Security' section
> and look for these settings:
> [ ] Use SSL 3.0
> [x] Use TLS 1.0
> [x] Use TLS 1.1
> [x] Use TLS 1.2
> [ ] Use TLS 1.3 (experimental)
>
> A version of SSL/TLS must be both listed and check-marked
> for Windows to use it.
>
>
> 2) To tell which versions Agent currently runs on
>
> If you have not changed the AGENT.INI setting 'AllowedSSLProtocols=0'
> then it is the SSL/TLS protocols only up to TLS 1.0 which are
> check-marked in 1) above, but not TLS 1.1, TLS 1.2, nor TLS 1.3.
>
>
> 3) To change which versions Agent currently runs on
>
> You can add TLS 1.1, TLS 1.2, and TLS 1.3, provided
> they are both listed and check-marked in 1) above,
> by changing the AGENT.INI setting 'AllowedSSLProtocols'.
> See this post from January:
> <https://groups.google.com/g/alt.usenet.offline-reader.forte-agent/c/mJmtMSUqp6M>
> <https://alt.usenet.offline-reader.forte-agent.narkive.com/35h3yv8s/notice-agent-and-ssl>
> <news:p8hpuglnb0tot2oot3ob7m8n1k940kfgcl@4ax.com>
>
>
>The Newshosting servers all support TLS 1.0 according to my tests.
> news-us.newshosting.com
> news-nl.newshosting.com
> news-de.newshosting.com
>And Agent will run TLS 1.0 -- unless it is un-checked in 1) above.
>So I suspect that this might not be your problem.
>
>Another possibility might be that the problem relates to your AV
>intercepting the connection between Agent and the news server.
>
>
>____
>FOOTNOTE
>
>The new value for 'AllowedSSLProtocols' is a sum of these
>values from the grbitEnabledProtocols field of Microsoft's
>SCHANNEL_CRED structure:
> SP_PROT_SSL3_CLIENT
> SP_PROT_TLS1_CLIENT
> SP_PROT_TLS1_1_CLIENT
> SP_PROT_TLS1_2_CLIENT
> SP_PROT_TLS1_3_CLIENT
>REF: <https://docs.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred>

Note also that TLS 1.0 and 1.1 have been deprecated and are destined
to be disabled at operating system level. Depending on the servers,
TLS 1.0 and 1.1 may already be unavailable.

https://docs.microsoft.com/en-us/lifecycle/announcements/transport-layer-security-1x-disablement

You may wish to keep TLS 1.1 enabled on your computer until the end of
2022. I don't know if Microsoft will push this policy change to home
users or not but I do know many IT departments are already making
these policy changes on their networks.

Apps will typically ask for TLS without specifying the required
version and the OS is presumably going to provide the highest version
it can but when apps ask for a specific version they need to be able
to handle cases where the version they ask for isn't available.

On Sat, 30 Apr 2022 10:37:16 -0700, Geoff wrote:

> Apps will typically ask for TLS without specifying the required
> version and the OS is presumably going to provide the highest version
> it can

The OS will not provide Agent anything higher than TLS 1.0, unless you
edit the AGENT.INI setting 'AllowedSSLProtocols' to make Agent specify
versions.

As discovered in the October 2019 thread linked below...
<https://groups.google.com/g/alt.usenet.offline-reader.forte-agent/c/EciWIqwx54s>
<https://alt.usenet.offline-reader.forte-agent.narkive.com/ziI6fiB1>

--
Regards
Ralph

"Ne sorga, snotor guma! Selre bið æghwæm, þæt he his freond wrece, þonne he fela murne."
-- Beowulf.

On Sun, 01 May 2022 09:23:22 +1200, Ralph Fox <-rf-nz-@-.invalid>
wrote:

>On Sat, 30 Apr 2022 10:37:16 -0700, Geoff wrote:
>
>> Apps will typically ask for TLS without specifying the required
>> version and the OS is presumably going to provide the highest version
>> it can
>
>The OS will not provide Agent anything higher than TLS 1.0, unless you
>edit the AGENT.INI setting 'AllowedSSLProtocols' to make Agent specify
>versions.
>
>As discovered in the October 2019 thread linked below...
> <https://groups.google.com/g/alt.usenet.offline-reader.forte-agent/c/EciWIqwx54s>
> <https://alt.usenet.offline-reader.forte-agent.narkive.com/ziI6fiB1>

I have disabled TLS 1.0 long ago and modified the AGENT.INI and I'm
probably going to disable TLS 1.1 later this year. I just sniffed my
wire and Agent on Windows 10 Pro and gmail.com is using TLS 1.2 and I
suspect that's their minimum standard now. Since TLS 1.0 and 1.1 have
been announced as deficient by Microsoft, Google and Apple since about
2018, it makes sense that TLS 1.2 is now the default for the major
sites like Gmail.

In other words, the client doesn't have a choice anymore. The server
will demand TLS 1.2 and the client must either accept that or declare
it can't accept that protocol and fail the connection. If the OP were
unable to secure the server connection it would fail completely at the
setup of the connection.

But I don't think the OP's problem has anything to do with TLS. He's
stated he's getting "DecryptMessage:80090030" error and that doesn't
appear to be coming from the protocol stack. It sounds more like a
decryption error decrypting a packed/encrypted and corrupted binary
message from his news server.