Hi,
I am running your GIT 6ffb80b of Pan now. I have also 'cvs-up'd the openssl repo as of 'today'. Compiled & installed it from a 'clean'd state. Its 'test's seem to run okay.

But -- Nothing has changed here w/r/t Pan: My AW-only setup seems to be the only one working in SSL mode (with the "discovered" pem-file-naming I mentioned previously).

I still can't get Gmane in SSL mode working, not even with Pan creating the ssl_certs subdir from scratch. After "applying" (accepting) the Gmane cert with that pop-up, it also has a (new) pop-up showing an error storing that cert and the event-log records this error, too, as before. Same thing with my GN -- still no-worky.

I did find a way to get the GN+AW mix working half-way, i.e. the AW half does take the (same) SSL cert, while the GN cert has an error (similar to Gmane mentioned above). So I have the GN+AW mix with

    GN - primary w/ plaintext mode
    AW - fallback w/ secured mode

running together in one Pan setup. ;p

And as before, I *never* know if the SSL mode is really-Really-REALLY *secure*. ;p

BTW as an independent test, I follow the wget bzr repo and have it using openssl mode also instead of its (new) default of gnutls. Seems to work fine with e.g. https sites etc.

So Here's my latest idea with this Pan-SSL dilemma:

The thing about AW is that we must use a _different_ hostname together with port 563 in order to get their SSL service. When the Pan PEM file matches the _basic_ hostname for AW SSL (not with ssl-us.foo and ssl-eu.foo etc in the PEM filenames, but the basic ssl.foo name does seem to be accepted by _all_ of those other servers), things seem to be working (but alas again are we *really* in "truly secure" mode).

As for Gmane and GN, both of their FAQs indicate that we use the _same_ hostnames as their "regular" servers but simply change to use port 563 to get their SSL services (e.g. news.foo both for plaintext and for secure modes).
Letting the Pan PEM files match these hostnames seems to _prevent_ Pan going into SSL mode with them. It's funny that it is these two companies that are not working very well with your Pan-SSL code. Coincidence?

Bottom line here is that I don't have _any_ idea what-else the Pan PEM files should be named for these servers, nor if there are any-other ssl-mode server-names they use; the names chosen by your code do seem to be at least part of the problem in these particular circumstances. But I could be far-far-far-off … however it is the only picture I can imagine ATM.

I suppose I could run some tests but please provide exact detailed instructions?