[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Gmane with Gnus first timer
|
From: |
Maxim Cournoyer |
|
Subject: |
Gmane with Gnus first timer |
|
Date: |
Wed, 27 Sep 2017 11:12:38 -0400 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux) |
Hello Gnusers!
I've started experimenting with Gmane[1], and it seems very useful at
easily navigating archived mailing lists!
I thought I'd share some of the details for NNTP neophytes like me; I
had the good fortune to be helped on the IRC #gnus channel by
sixbitslacker, who shared important bits of their config as well as
the Gmane's X.509 certificate necessary for proper TLS authentication.
* Gnus configuration
The first thing I did was adding a select method to my Gnus
configuration. I already had a `gnus-select-method' defined with my
email server, so I used `gnus-secondary-select-methods' for Gmane:
--8<---------------cut here---------------start------------->8---
;; To be put in your ~/.gnus.el or similar.
(setq gnus-secondary-select-methods
'((nntp "gmane"
(nntp-address "news.gmane.org"))))
--8<---------------cut here---------------end--------------->8---
* Gmane TLS certificate
I then started Gnus. I was greeted with a warning that said:
--8<---------------cut here---------------start------------->8---
Certificate information
Issued by: news.gmane.org
Issued to: Gmane
Hostname: news.gmane.org
Public key: RSA, signature: RSA-SHA1
Protocol: TLS1.2, key: RSA, cipher: AES-256-GCM, mac: AEAD
Security level: Low
Valid: From 2015-01-13 to 2018-01-12
The TLS connection to news.gmane.org:nntp is insecure for the
following reasons:
certificate signer was not found (self-signed)
certificate was signed with an insecure algorithm
the certificate was signed by an unknown and therefore unstrusted authority
certificate could not be verified
--8<---------------cut here---------------end--------------->8---
While we can't do anything about the weak SHA1 signature, we can at
least fix the other warnings by trusting the self-signed certificate
that Gmane is using.
To do so, we must first retrieve the X.509 certificate that Gmane
uses. The OpenSSL package provides a mean to do so (credits to
sixbitslacker):
openssl s_client -starttls smtp -connect news.gmane.org:119
Amongst the output you should find the server certificate, which is:
--8<---------------cut here---------------start------------->8---
-----BEGIN CERTIFICATE-----
MIICwjCCAiugAwIBAgIJAJOYYw06tv/WMA0GCSqGSIb3DQEBBQUAMEsxCzAJBgNV
BAYTAk5PMRMwEQYDVQQIEwpTb21lLVN0YXRlMQ4wDAYDVQQKEwVHbWFuZTEXMBUG
A1UEAxMObmV3cy5nbWFuZS5vcmcwHhcNMTUwMTEzMjExMzQ2WhcNMTgwMTEyMjEx
MzQ2WjBLMQswCQYDVQQGEwJOTzETMBEGA1UECBMKU29tZS1TdGF0ZTEOMAwGA1UE
ChMFR21hbmUxFzAVBgNVBAMTDm5ld3MuZ21hbmUub3JnMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDK4MBGhSVg3O/L0U7ME7D4kmiPShwxmu6NZzQ5UsBV3S5H
qzPBEaInGUqX0IJX2pGVMKTGOmy+Sz0aJYcKQJdJ1Zq9LAtUOk7gflxX4z4wrcng
9bRz1z8D3/KJFyTrELZyEC8DkKEwbO4LxO3QrfxNXOkpuVZ0eUlP/AwVGN9D+QID
AQABo4GtMIGqMB0GA1UdDgQWBBRCnZpe5p9+0CKQoFm/RVzp/EmUTzB7BgNVHSME
dDBygBRCnZpe5p9+0CKQoFm/RVzp/EmUT6FPpE0wSzELMAkGA1UEBhMCTk8xEzAR
BgNVBAgTClNvbWUtU3RhdGUxDjAMBgNVBAoTBUdtYW5lMRcwFQYDVQQDEw5uZXdz
LmdtYW5lLm9yZ4IJAJOYYw06tv/WMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
BQADgYEAQgcrfK9IN7DfqIGVwuhHZRBskbcTyD0oh11zUrr1s44sEq4pWT/ht42C
Cpn4g+mCCOLewLT+MAHxs7Acxbkxd+lQyRVWknVLHNQL48dUrQX9QCEZVcLHcZmL
w2mmmDMfRgLNKdNDO60BMtK/EGGaaYmLY+B4EzQtSVGRZfANXLg=
-----END CERTIFICATE-----
--8<---------------cut here---------------end--------------->8---
Save this file somewhere, say, to "~/.gnutls/gmane.pem". Now we must
configure Emacs to trust this certificate. One easy way is to add this
line to your ~/.emacs file:
(add-to-list 'gnutls-trustfile "~/.gnutls/gmane.pem")
Another other options to make it globally trusted would be to place the
file under /etc/
Eval this line (C-M-x or C-x C-e on that s-exp) and restart Gnus. The
only remaining warning should be the one about the weak SHA1 signature:
When I did, Emacs still complained that the server was deemed insecure
because the "certificate signer was not found (self-signed)". I am not
sure why it persists warning me about a self-signed certificate after
I've explicitly given it my trust, nor do I know why the weak SHA1 issue
is not raised anymore... But anyway, I consider our due diligence done,
so at this point you may choose "Always" when presented the security
prompt.
* Browsing lists with Gmane
You should now be in the plain old *Group* buffer, with nothing new in
it. To actually navigate the mailing lists archived by Gmane, you may
press the '^' key to show a list of the known servers. It should contain
an entry for the newly added news.gmane.org news server, such as:
{nntp:gmane} (opened)
Finally, by clicking (on typing RET) on that gmane entry, you should now
have access to a huge collection of archived mailing lists (31682 at the
time of writing), which can be comfortably browsed in a Gnusy way. You
can also subscribe using 'u', to show some of these in your *Group*
buffer.
* Posting to a Gmane
Instead of sending an email with 'm', you can now send an article (the
equivalent in the world of news) with the 'a' key. This long text is my
first attempt at doing so; if you received it, it's because it worked!
Happy hacking,
Maxim
[1] http://gmane.org
- Gmane with Gnus first timer,
Maxim Cournoyer <=