SciFi posted on Tue, 22 Nov 2011 02:17:21 +0000 as excerpted:

> Hi,
>
> In order to see how the various NNTP certs were coming down:
> I redid my Pan configs to go thru stunnel
> [and] print its log to the terminal.
>
> For AW:
> : Certificate accepted: depth=0,
>   /O=*.astraweb.com
>   /OU=Domain Control Validated
>   /CN=*.astraweb.com
> See those asterisks in the depth=0 names?
> No wonder my "discovery" of the way your Pan2-SSL code
> will work using a single ssl.foo pem-filename
> for any of AW's ssl-<country>.foo servers.
> (still just a hypothesis of mine ;) )

AFAIK you're correct -- that's how it's supposed to work.

FWIW, such "global domain" certificates generally cost more, but they can be quite convenient for those who want a single cert covering all hosts in a domain, especially as they let a domain dynamically manage hosts without having to get new individual certificates.

I meant to comment on this earlier, but didn't get the properly circular-shaped tuit until now. =;^\

> Now, for GN:
> : Certificate accepted: depth=0,
>   /serialNumber=XqAKcg2TSvYlPuiWhSkEBTi2CYEq1LdE
>   /C=US
>   /O=news.giganews.com
>   /OU=GT53604560
>   /OU=See www.geotrust.com/resources/cps (c)10
>   /OU=Domain Control Validated - QuickSSL(R)
>   /CN=news.giganews.com
> I _am_ letting your Pan2_SSL code store the
> pem-filename as shown in the depth=0 CN string,
> but the rest of your Pan2-SSL code is balking here.
> I don't understand this.

Without looking at the pan code or knowing much about GN's server-setup, do both the forward and reverse DNS match up with the given domain name? It's not giving you something like host1.news.giganews.com for a reverse lookup on the IP address, right? That's the first thing off the top of my head...

> For Gmane:
> : Certificate accepted: depth=0,
>   /C=NO
>   /ST=Some-State
>   /L=Oslo
>   /O=Gmane
>   /CN=news.gmane.org/emailAddress=la...@gnus.org
> [three times same depth=0 entry]
> (yes the same line three-times)
> I don't understand this, either,
> I think this is some sort of "self-signed cert".

Yes, it's a self-signed cert.

> Anyway, your Pan2-SSL code is balking at this, too, here.
> (Actually, I set stunnel to use the IP-number of
> dough.gmane.org
> which has been their secure NNTP server in the past
> but might be taken-out at any time)

Question: How many connections do you have gmane set for?

With an earlier round of pan's SSL code, I noticed a double-popup, asking me to accept the same gmane cert twice. That was before I had worked out the directory no-execute problem I had and my first reaction was to reduce to a single connection, while troubleshooting. As I expected, that resulted in only a single popup. Of course when it still didn't work I remembered the no-execute umask and fixed that (with HM since patching pan to check for at least user execute/enter permission on dirs, and fix it if necessary), but I've had no reason to up the connections since, and I'm still using just one, which works just fine for me, here.

So check the number of connections and see if there's a connection (accidental play on words, but I like it! =:^). It may also be that it only happens on self-signed, possibly because pan expects more levels and doesn't get them, so somehow takes the certificates for multiple connections as if they were multiple levels.

As I said, since I fixed my directory permissions, I've had no problems with gmane ssl on any of the updates I've run. Perhaps the single-connection has helped with that.

As for gmane IP address, I use news.gmane.org regardless of whether I'm using SSL or not. The one thing I *HAVE* noticed, however, is that if I try to use port 119 with NNTPS/ssl or port 563 with normal NNTP/plain-text, IT WILL NOT WORK! Some of the commercial NSPs take SSL on the standard NNTP/119, but gmane's setup is apparently strict in that regard, and it ONLY takes plain text on 119 and SSL on 563. Might you have forgotten to change the port in tandem with switching the drop-down box between plain-text and TLS/SSL?

@ HM: Would it be possible to have a checkbox-controlled option, presumably with it checked by default, to automatically choose the standard port based on connection mode? Having pan by default automatically select port 563 or 119 based on selected security mode is likely to be vastly less troublesome for users, who will otherwise invariably forget to switch the port number along with the security mode. But having the checkbox allows for users who use the same port either way.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
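The two certificate situations discussed in the thread (a wildcard CN such as *.astraweb.com that is meant to cover every host in the domain, and a plain CN such as news.giganews.com that must equal the host actually dialled) come down to the hostname-matching rule a TLS client applies to the subject name. The following is an added example, not code from Pan, stunnel or the author of the message: it parses the "/key=value/..." subject line that stunnel prints, applies the RFC 6125 wildcard rules (a "*" counts only as the whole leftmost label and matches exactly one label), and reports whether the CN fits the hostname. The subject lines are the ones quoted above; the hostnames checked against them (ssl-us.astraweb.com, host1.news.giganews.com) are constructed for illustration.

```python
"""Check a dialled hostname against the certificate CN seen in an stunnel log.

Added example, not code from Pan, stunnel or the message author. Subject
lines are taken from the stunnel output quoted in the thread; the hostnames
tested against them are constructed.
"""
import re
from typing import List, Optional, Tuple

# Split only on a '/' that begins a new "key=" component, so a value such as
# "See www.geotrust.com/resources/cps (c)10" keeps its internal slashes.
_DN_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_slash_dn(dn: str) -> List[Tuple[str, str]]:
    """'/C=US/O=x/CN=y' -> [('C', 'US'), ('O', 'x'), ('CN', 'y')]"""
    out = []
    for part in _DN_SPLIT.split(dn.strip()):
        if not part:
            continue
        key, _, value = part.partition("=")
        out.append((key.strip(), value.strip()))
    return out


def common_name(dn: str) -> Optional[str]:
    for key, value in parse_slash_dn(dn):
        if key == "CN":
            return value
    return None


def hostname_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125 section 6.4.3 style comparison of a DNS name with a cert name."""
    host = hostname.rstrip(".").lower()
    pat = pattern.rstrip(".").lower()
    if "*" not in pat:
        return host == pat
    # An IP address literal never matches a wildcard name.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return False
    pat_labels = pat.split(".")
    host_labels = host.split(".")
    # '*' must be the entire leftmost label, appear nowhere else, and leave at
    # least two fixed labels behind it (so a pattern like '*.com' is rejected).
    if pat_labels[0] != "*" or any("*" in l for l in pat_labels[1:]) or len(pat_labels) < 3:
        return False
    # The wildcard consumes exactly one label; every other label must be equal.
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def check_log_subject(log_line: str, hostname: str) -> dict:
    """Take one 'Certificate accepted: depth=N, /DN' line and report whether
    the CN it carries is valid for the hostname that was dialled."""
    m = re.search(r"depth=(\d+),\s*(/.*)$", log_line)
    if not m:
        raise ValueError("not an stunnel certificate line: " + log_line)
    depth, dn = int(m.group(1)), m.group(2)
    cn = common_name(dn)
    return {
        "depth": depth,
        "cn": cn,
        "wildcard": cn is not None and "*" in cn,
        "matches": cn is not None and hostname_matches(hostname, cn),
    }


# Subject lines as they appear in the stunnel output quoted in the message,
# rejoined onto one line each.
ASTRAWEB_LINE = ("Certificate accepted: depth=0, /O=*.astraweb.com"
                 "/OU=Domain Control Validated/CN=*.astraweb.com")
GIGANEWS_LINE = ("Certificate accepted: depth=0, /serialNumber=XqAKcg2TSvYlPuiWhSkEBTi2CYEq1LdE"
                 "/C=US/O=news.giganews.com/OU=GT53604560"
                 "/OU=See www.geotrust.com/resources/cps (c)10"
                 "/OU=Domain Control Validated - QuickSSL(R)/CN=news.giganews.com")
GMANE_LINE = ("Certificate accepted: depth=0, /C=NO/ST=Some-State/L=Oslo/O=Gmane"
              "/CN=news.gmane.org/emailAddress=la...@gnus.org")

if __name__ == "__main__":
    # Constructed hostnames: ssl-us.astraweb.com stands for one of AW's
    # ssl-<country> servers, host1.news.giganews.com for a reverse-DNS style name.
    for line, host in [(ASTRAWEB_LINE, "ssl-us.astraweb.com"),
                       (ASTRAWEB_LINE, "astraweb.com"),
                       (GIGANEWS_LINE, "news.giganews.com"),
                       (GIGANEWS_LINE, "host1.news.giganews.com"),
                       (GMANE_LINE, "news.gmane.org"),
                       (GMANE_LINE, "dough.gmane.org")]:
        print(host, check_log_subject(line, host))
```

The giganews subject is the interesting one for the parser: one of its OU values contains slashes, so a naive split on "/" would scramble it. The gmane check shows why dialling the server by a different name (dough.gmane.org) than the one in the CN (news.gmane.org) fails even when the same certificate is presented; whether the cert is self-signed is a separate question, since that is about the issuer, which this log line does not show.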