Hi,
OK, I think I might've figured out one little thing. Please bear with me here, this takes some 'splainin'. ;)

I got your GIT b2069b3 level running here. With my aw-only setup, I found all certs/pems from ssl-eu and ssl-us were the very same text, matching byte-for-byte.

Now here's the odd thing. Something to do with the file-names stored in $PAN_HOME/ssl_certs and associated matters, I think. If I use the pem-file-names based on the server, e.g. ssl-eu.astraweb.com.pem, Pan gets confused somehow and gives the event-log msgs about having errors storing them etc. For example, from an empty subdir there, we only get the cert for ssl-eu (my fallback) with a file _named_ ssl-eu.astraweb.com.pem stored there, but we never get the cert for ssl-us (my primary), and Pan apparently blacklists both primary & fallback, with things seemingly clogged-up 'til ya reset etc.

The other day I was using their "main" ssl server named ssl.astraweb.com and the cert's pem-filename based on it. (Again this file matched byte-for-byte with ssl-eu and ssl-us.) This began the trick I just-now discovered. If I use their "main" name on the pem file, e.g. ssl.astraweb.com.pem, and put only that file in $PAN_HOME/ssl_certs, Pan seems to use _that_ _same_ cert for _both_ ssl-eu and ssl-us. (In fact we never would see the "Apply/Accept" panel in this case.) And apparently we are then in a true-secure mode for _both_ of their nodes. (But again I never know if we "really" are secure; we really do need to have a sure-fire test for that, somehow, to let the Pan-user know beyond any doubt.)

It might be that the pem file needs to match the "officially registered" names for the certs. And for Pan to keep track of that gook, somehow. ;)

I have yet to figure this out for gn and gmane, and my "mixed" gn+aw setup, but I think this is the crux of the matter, at least as present with your b2069b3 code. Does this make any sort of sense at all?
(honestly asking)