From: Duncan
Subject: Re: [Pan-devel] still at GIT 7e49a9b, still the same here, plus some MORE research I've done (seems AW works, but not GN nor Gmane (Re: ANN: SSL Support))
Date: Tue, 22 Nov 2011 05:15:52 +0000 (UTC)
User-agent: Pan/0.135 (Tomorrow I'll Wake Up and Scald Myself with Tea; GIT 7e49a9b /st/portage/src/egit-src/pan2)

SciFi posted on Tue, 22 Nov 2011 02:17:21 +0000 as excerpted:

> Hi,
> 
> In order to see how the various NNTP certs were coming down:
> I redid my Pan configs to go thru stunnel
> [and] print its log to the terminal.

> For AW:

> : Certificate accepted: depth=0, 
> /O=*.astraweb.com
> /OU=Domain Control Validated
> /CN=*.astraweb.com

> See those asterisks in the depth=0 names?
> No wonder my "discovery" of the way your Pan2-SSL code
> will work using a single ssl.foo pem-filename
> for any of AW's ssl-<country>.foo servers.
> (still just a hypothesis of mine ;) )

AFAIK you're correct -- that's how it's supposed to work.  FWIW,
such "global domain" certificates generally cost more, but they
can be quite convenient for those who want a single cert covering
all hosts in a domain, especially as they let a domain dynamically
manage hosts without having to get new individual certificates.

I meant to comment on this earlier, but didn't get the properly
circular-shaped tuit until now. =;^\

> Now, for GN:

> : Certificate accepted: depth=0, 
> /serialNumber=XqAKcg2TSvYlPuiWhSkEBTi2CYEq1LdE
> /C=US
> /O=news.giganews.com
> /OU=GT53604560
> /OU=See www.geotrust.com/resources/cps (c)10
> /OU=Domain Control Validated - QuickSSL(R)
> /CN=news.giganews.com

> I _am_ letting your Pan2_SSL code store the
> pem-filename as shown in the depth=0 CN string,
> but the rest of your Pan2-SSL code is balking here.
> I don't understand this.

Without looking at the pan code or knowing much about GN's
server-setup, do both the forward and reverse DNS match up
with the given domain name?  It's not giving you something
like host1.news.giganews.com for a reverse lookup on the
IP address, right?

That's the first thing off the top of my head...

> For Gmane:
>>>>>
> : Certificate accepted: depth=0,
> /C=NO
> /ST=Some-State
> /L=Oslo
> /O=Gmane
> /CN=news.gmane.org/address@hidden

[three times same depth=0 entry]

> (yes the same line three-times)
> I don't understand this, either,
> I think this is some sort of "self-signed cert".

Yes, it's a self-signed cert.

> Anyway, your Pan2-SSL code is balking at this, too, here.
> (Actually, I set stunnel to use the IP-number of
> dough.gmane.org
> which has been their secure NNTP server in the past
> but might be taken-out at any time)

Question: How many connections do you have gmane set for?
With an earlier round of pan's SSL code, I noticed a
double-popup, asking me to accept the same gmane cert twice.
That was before I had worked out the directory no-execute
problem I had and my first reaction was to reduce to a single
connection, while troubleshooting.  As I expected, that
resulted in only a single popup.

Of course when it still didn't work I remembered the no-execute
umask and fixed that, (with HM since patching pan to check for
at least user execute/enter permission on dirs, and fix it if
necessary), but I've had no reason to up the connections since,
and I'm still using just one, which works just fine for me, here.

So check the number of connections and see if there's a connection
(accidental play on words, but I like it! =:^).

It may also be that it only happens on self-signed, possibly because
pan expects more levels and doesn't get them, so somehow takes
the certificates for multiple connections as if they were
multiple levels.

As I said, since I fixed my directory permissions, I've had no
problems with gmane ssl on any of the updates I've run.  Perhaps
the single-connection has helped with that.

As for gmane IP address, I use news.gmane.org regardless of
whether I'm using SSL or not.

The one thing I *HAVE* noticed, however, is that if I try to
use port 119 with NNTPS/ssl or port 563 with normal NNTP/plain-text,
IT WILL NOT WORK!  Some of the commercial NSPs take SSL on the
standard NNTP/119, but gmane's setup is apparently strict in
that regard, and it ONLY takes plain text on 119 and SSL on 563.

Might you have forgotten to change the port in tandem with
switching the drop-down box between plain-text and TLS/SSL?

@ HM:  Would it be possible to have a checkbox controlled
option, presumably with it checked by default, to automatically
choose the standard port based on connection mode?

Having pan by default automatically select port 563 or 119 based
on selected security mode is likely to be vastly less troublesome
for users, who will otherwise invariably forget to switch the port
number along with the security mode.  But having the checkbox
allows for users who use the same port either way.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
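Added example, not part of either message above and not pan's own code: the thread turns on whether a server's host name is covered by the CN in the depth=0 subject (a wildcard *.astraweb.com versus the literal news.giganews.com, and the reverse-DNS question about a host1.news.giganews.com style name) and on what a self-signed cert looks like. The script below parses the slash-separated subject lines exactly as stunnel prints them, applies the RFC 6125 wildcard rules (a '*' only as the whole leftmost label, matching one label, with at least two literal labels after it), and flags a self-signed cert as one whose issuer equals its subject. The Astraweb and Giganews DNs are the ones quoted in the thread; the Gmane DN is the quoted one with the redacted e-mail component dropped; the host name ssl-eu.astraweb.com and the issuer DN SAMPLE_CA_DN are constructed for the demonstration.

```python
"""Check an NNTPS server name against a certificate subject, stunnel-log style.
Added example for the pan-devel thread; not pan's code."""
import re
from typing import Dict, List

# Subject DNs as stunnel logs them (Astraweb and Giganews quoted in the thread,
# Gmane quoted with the redacted e-mail component dropped).
ASTRAWEB_DN = "/O=*.astraweb.com/OU=Domain Control Validated/CN=*.astraweb.com"
GIGANEWS_DN = (
    "/serialNumber=XqAKcg2TSvYlPuiWhSkEBTi2CYEq1LdE/C=US"
    "/O=news.giganews.com/OU=GT53604560"
    "/OU=See www.geotrust.com/resources/cps (c)10"
    "/OU=Domain Control Validated - QuickSSL(R)/CN=news.giganews.com"
)
GMANE_DN = "/C=NO/ST=Some-State/L=Oslo/O=Gmane/CN=news.gmane.org"
# Constructed issuer DN standing in for a CA; not the real GeoTrust issuer.
SAMPLE_CA_DN = "/C=US/O=Example CA/CN=Example Issuing CA"

# Split only at a slash that begins a new "key=" component, so slashes inside
# values (the geotrust.com/resources/cps OU above) are left alone.
_RDN_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9]*=)")
# One DNS label: letters, digits, inner hyphens; no '/', '@' or empty labels.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Parse '/C=US/O=.../CN=host' into {key: [values]}; keys such as OU repeat."""
    attrs: Dict[str, List[str]] = {}
    for part in _RDN_SPLIT.split(dn):
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs.setdefault(key, []).append(value)
    return attrs


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison of a presented name against a host name.

    Case-insensitive.  '*' is accepted only as the whole leftmost label, it
    matches exactly one label, and at least two literal labels must follow it
    (so '*.com' is refused).  Anything that is not a DNS label never matches.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans several labels
    if not all(_LABEL.match(lbl) for lbl in h_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3 or not all(_LABEL.match(lbl) for lbl in p_labels[1:]):
            return False
        return p_labels[1:] == h_labels[1:]
    if not all(_LABEL.match(lbl) for lbl in p_labels):
        return False
    return p_labels == h_labels


def cert_matches_host(subject_dn: str, host: str) -> bool:
    """True if any subject CN (the name the thread says pan stores as the
    pem filename) covers the host the client connected to."""
    return any(hostname_matches(cn, host) for cn in parse_dn(subject_dn).get("CN", []))


def is_self_signed(subject_dn: str, issuer_dn: str) -> bool:
    """A depth-0 cert whose issuer equals its subject signed itself: there is
    no chain above it for the client to walk, only the one entry."""
    return parse_dn(subject_dn) == parse_dn(issuer_dn)


if __name__ == "__main__":
    for dn, host in [
        (ASTRAWEB_DN, "ssl-eu.astraweb.com"),     # constructed host name
        (GIGANEWS_DN, "news.giganews.com"),
        (GIGANEWS_DN, "host1.news.giganews.com"),  # reverse-DNS style name
        (GMANE_DN, "news.gmane.org"),
    ]:
        print(f"{host:28s} covered: {cert_matches_host(dn, host)}")
    print("gmane self-signed:", is_self_signed(GMANE_DN, GMANE_DN))
```

Note that the matcher works on the subject CN only, which is what the stunnel lines show; a real client should prefer the subjectAltName DNS entries when the certificate carries them, and a CN that is not a DNS label at all (for instance one with an e-mail address appended after a slash) is simply refused rather than guessed at.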