Re: [Pan-devel] still at GIT 7e49a9b, still the same here, plus some MOR
From: SciFi
Subject: Re: [Pan-devel] still at GIT 7e49a9b, still the same here, plus some MORE research I've done (seems AW works, but not GN nor Gmane (Re: ANN: SSL Support))
Date: Wed, 23 Nov 2011 05:15:24 +0000 (UTC)
User-agent: Pan/0.135 (Tomorrow I'll Wake Up and Scald Myself with Tea; GIT 7e49a9b (github.com/judgefudge/pan2/master); x86_64-apple-darwin10.8.0; gcc-4.2.1 (Apple build 5666 (dot 3)); 32-bit mode)

Hi,
On Tue, 22 Nov 2011 05:15:52 +0000, Duncan partly wrote:
>
> SciFi posted on Tue, 22 Nov 2011 02:17:21 +0000 as excerpted:
> […]
>
>> Now, for GN:
>
>> : Certificate accepted: depth=0,
>> /serialNumber=XqAKcg2TSvYlPuiWhSkEBTi2CYEq1LdE
>> /C=US
>> /O=news.giganews.com
>> /OU=GT53604560
>> /OU=See www.geotrust.com/resources/cps (c)10
>> /OU=Domain Control Validated - QuickSSL(R)
>> /CN=news.giganews.com
>
>> I _am_ letting your Pan2_SSL code store the
>> pem-filename as shown in the depth=0 CN string,
>> but the rest of your Pan2-SSL code is balking here.
>> I don't understand this.
>
> Without looking at the pan code or knowing much about GN's
> server-setup, do both the forward and reverse DNS match up
> with the given domain name? It's not giving you something
> like host1.news.giganews.com for a reverse lookup on the
> IP address, right?
>
> That's the first thing off the top of my head...
Well, at least here,
'dig' gives one (and only one) address for news.giganews.com
and 'dig -x' finds that same address back to the same name
with no others.
OTOH,
'dig' gives a whole bank of addresses
for the single domain-name of ssl.astraweb.com --
I'd say this is for "round robin" load balancing.
Then 'dig -x' for each of those addresses
does not necessarily resolve back properly,
as you have said.
But remember if I use the pem-filename 'ssl.astraweb.com',
then HM's code seems to work for all of AW's NNTPS sites.
So this particular point seems to be moot. ;)
I do need more discussion on this,
I just don't know why HM's code is not working with GN & Gmane.
As to other writings, esp'ly on using TLS,
I'm trying to cite relevant discussions from other groups/lists, too,
mainly what I read on the Tor groups here at Gmane,
for many reasons to include more SSL protocols inside Pan. ;)
I understand your explanations on why TLS might seem "insecure".
>> For Gmane:
>>
>> : Certificate accepted: depth=0,
>> /C=NO
>> /ST=Some-State
>> /L=Oslo
>> /O=Gmane
>> /CN=news.gmane.org/address@hidden
>
> [three times same depth=0 entry]
>
>> (yes the same line three-times)
>> I don't understand this, either,
>> I think this is some sort of "self-signed cert".
>
> Yes, it's a self-signed cert.
>
>> Anyway, your Pan2-SSL code is balking at this, too, here.
>> (Actually, I set stunnel to use the IP-number of
>> dough.gmane.org
>> which has been their secure NNTP server in the past
>> but might be taken-out at any time)
>
> Question: How many connections do you have gmane set for?
I only use One connection for Gmane.
There's no reason for more connections,
at least for Gmane. ;)
> […]
> As for gmane IP address, I use news.gmane.org regardless of
> whether I'm using SSL or not.
Earlier in this entire thread, I said
I have used HM's code with news.gmane.org
whether or not I have SSL-mode enabled or not
and the proper port-number 563 vs 119
[there are other port#s that will work,
mainly to skirt-around ISP traffic-shapers & such].
I went back to using the dough.gmane.org name-&-address
because I thought HM's pem-filename logic would cause it to work.
(As I said, nope, didn't help.)
This has been my #1 concern inside this thread
i.e. how HM's pan-ssl code is treating the stored pem-filenames
after I "discovered" how AW was able to work.
> […]
Anyway,
I'm back to making Pan use stunnel (v4.47 as of this writing)
with the openssl-cvs repo as of a few days ago.
(I don't know if using openssl-cvs repo is another "clue",
but I keep listing it as if it's one.
This way we would at least get their latest code.
BTW I don't trust the code provided by this fruity company
which currently says
> $ /usr/bin/openssl version
> OpenSSL 0.9.8r 8 Feb 2011
whereas my build says
> $ openssl version
> OpenSSL 1.1.0-dev xx XXX xxxx
built into /usr/local/ssl
which is used by stunnel, wget, etc., as well as HM's pan,
as evidenced by their logs here. ;)
Why won't this lousy fruit "officially" upgrade us to
using OpenSSL-1.x.x, I will never know.
But this is the main drive of my "non-fruit" projects
if there weren't other factors to blame
[read my footer below for clues].)
--
[
BTW if anyone is wondering why having secure sessions is a "must",
please go to:
<http://americancensorship.org/>
]
[
There's been more news-server shutdowns lately
such as the big one in Europe:
<http://news-service.com/>
The fight is becoming filthy now.
]
[
Also BTW,
the ISP here is starting to charge more for extra usage,
$10 per 50-GB
over their 150-GB/month limit.
Yes indeed I am seeking knowledge on whether a
class-action lawsuit is available for joining.
If anyone knows, please let me know.
(This _is_ taking a bite out of my non-fruit projects.)
]
[
And also the USGovmt is trying to take-over
all forms of communications.
Witness the "EAS Test" on Nov.9.
(a failure ATM IMO)
]
[
bottom line:
YOU *ALL* NEED TO WAKE UP
as to
WHAT's REALLY GOING ON
in this world
!!!!
]
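
Added example (not part of the message above and not Pan's code): the conventional TLS name check compares the name the client was configured with against the names in the certificate and never consults reverse DNS, so the connect name matters more than what `dig -x` returns. The sketch parses the depth=0 subject strings quoted in the thread and applies that check to the CN only, since the log shows no subjectAltName. The function names and the 192.0.2.10 address are assumptions made for illustration.

```python
import re

# Subject strings as printed in the thread, joined onto one line. The Gmane
# e-mail attribute that the archive hid is left out.
GN_SUBJECT = ("/serialNumber=XqAKcg2TSvYlPuiWhSkEBTi2CYEq1LdE/C=US"
              "/O=news.giganews.com/OU=GT53604560"
              "/OU=See www.geotrust.com/resources/cps (c)10"
              "/OU=Domain Control Validated - QuickSSL(R)"
              "/CN=news.giganews.com")
GMANE_SUBJECT = "/C=NO/ST=Some-State/L=Oslo/O=Gmane/CN=news.gmane.org"

_ATTR = re.compile(r"^([A-Za-z][A-Za-z0-9.]*)=(.*)$", re.S)

def parse_oneline(subject):
    """Parse OpenSSL's legacy one-line DN into (type, value) pairs."""
    pairs = []
    for seg in subject.lstrip("/").split("/"):
        m = _ATTR.match(seg)
        if m:
            pairs.append([m.group(1), m.group(2)])
        elif pairs:
            # The format does not escape '/', so a segment without a
            # 'TYPE=' prefix continues the previous value (GeoTrust OU).
            pairs[-1][1] += "/" + seg
    return [tuple(p) for p in pairs]

def common_names(subject):
    return [value for attr, value in parse_oneline(subject) if attr == "CN"]

def name_matches(connect_name, cert_name):
    """Case-insensitive match; '*' may only be the whole left-most label."""
    want = connect_name.lower().rstrip(".").split(".")
    have = cert_name.lower().rstrip(".").split(".")
    if len(want) != len(have):
        return False
    if have[0] == "*" and len(have) > 2:
        return want[1:] == have[1:]
    return want == have

def check(connect_name, subject):
    """True if the name the client connects to appears as a CN."""
    return any(name_matches(connect_name, cn) for cn in common_names(subject))

if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address, not a real server.
    for name in ("news.gmane.org", "dough.gmane.org", "192.0.2.10"):
        print(name, "->", check(name, GMANE_SUBJECT))
```

A name check like this fails for an alias or a bare IP address even when forward and reverse DNS agree, because only the configured name is compared with the certificate.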