Hi,
On Tue, 22 Nov 2011 05:15:52 +0000, Duncan partly wrote:

> SciFi posted on Tue, 22 Nov 2011 02:17:21 +0000 as excerpted:
> […]
>
>> Now, for GN:
>>
>> : Certificate accepted: depth=0,
>> /serialNumber=XqAKcg2TSvYlPuiWhSkEBTi2CYEq1LdE
>> /C=US
>> /O=news.giganews.com
>> /OU=GT53604560
>> /OU=See www.geotrust.com/resources/cps (c)10
>> /OU=Domain Control Validated - QuickSSL(R)
>> /CN=news.giganews.com
>
>> I _am_ letting your Pan2_SSL code store the
>> pem-filename as shown in the depth=0 CN string,
>> but the rest of your Pan2-SSL code is balking here.
>> I don't understand this.
>
> Without looking at the pan code or knowing much about GN's
> server-setup, do both the forward and reverse DNS match up
> with the given domain name? It's not giving you something
> like host1.news.giganews.com for a reverse lookup on the
> IP address, right?
>
> That's the first thing off the top of my head...

Well, at least here, 'dig' gives one (and only one) address for news.giganews.com, and 'dig -x' finds that same address back to the same name with no others.

OTOH, 'dig' gives a whole bank of addresses for the single domain-name of ssl.astraweb.com -- I'd say this is for "round robin" load balancing. Then 'dig -x' for each of those addresses does not necessarily resolve back properly, as you have said.

But remember, if I use the pem-filename 'ssl.astraweb.com', then HM's code seems to work for all of AW's NNTPS sites. So this particular point seems to be moot. ;)

I do need more discussion on this; I just don't know why HM's code is not working with GN & Gmane.

As to other writings, esp'ly on using TLS, I'm trying to cite relevant discussions from other groups/lists, too, mainly what I read on the Tor groups here at Gmane, for many reasons to include more SSL protocols inside Pan. ;) I understand your explanations on why TLS might seem "insecure".
>> For Gmane:
>>
>> : Certificate accepted: depth=0,
>> /C=NO
>> /ST=Some-State
>> /L=Oslo
>> /O=Gmane
>> /CN=news.gmane.org/emailAddress=la...@gnus.org
>
> [three times same depth=0 entry]
>
>> (yes the same line three-times)
>> I don't understand this, either,
>> I think this is some sort of "self-signed cert".
>
> Yes, it's a self-signed cert.
>
>> Anyway, your Pan2-SSL code is balking at this, too, here.
>> (Actually, I set stunnel to use the IP-number of
>> dough.gmane.org
>> which has been their secure NNTP server in the past
>> but might be taken-out at any time)
>
> Question: How many connections do you have gmane set for?

I only use One connection for Gmane. There's no reason for more connections, at least for Gmane. ;)

> […]
> As for gmane IP address, I use news.gmane.org regardless of
> whether I'm using SSL or not.

Earlier in this entire thread, I said I have used HM's code with news.gmane.org whether or not I have SSL-mode enabled, with the proper port-number 563 vs 119 [there are other port#s that will work, mainly to skirt-around ISP traffic-shapers & such]. I went back to using the dough.gmane.org name-&-address because I thought HM's pem-filename logic would cause it to work. (As I said, nope, didn't help.) This has been my #1 concern inside this thread, i.e. how HM's pan-ssl code is treating the stored pem-filenames after I "discovered" how AW was able to work.

> […]

Anyway, I'm back to making Pan use stunnel (v4.47 as of this writing) with the openssl-cvs repo as of a few days ago. (I don't know if using the openssl-cvs repo is another "clue", but I keep listing it as if it's one. This way we would at least get their latest code.
BTW I don't trust the code provided by this fruity company, which currently says

> $ /usr/bin/openssl version
> OpenSSL 0.9.8r 8 Feb 2011

whereas my build says

> $ openssl version
> OpenSSL 1.1.0-dev xx XXX xxxx

built into /usr/local/ssl, which is used by stunnel, wget, etc., as well as HM's pan, as evidenced by their logs here. ;) Why this lousy fruit won't "officially" upgrade us to using OpenSSL-1.x.x, I will never know. But this is the main drive of my "non-fruit" projects, if there weren't other factors to blame [read my footer below for clues].)

-- 
[ BTW if anyone is wondering why having secure sessions is a "must", please go to: <http://americancensorship.org/> ]

[ There have been more news-server shutdowns lately, such as the big one in Europe: <http://news-service.com/> The fight is becoming filthy now. ]

[ Also BTW, the ISP here is starting to charge more for extra usage, $10 per 50-GB over their 150-GB/month limit. Yes indeed I am seeking knowledge on whether a class-action lawsuit is available for joining. If anyone knows, please let me know. (This _is_ taking a bite out of my non-fruit projects.) ]

[ And also the USGovmt is trying to take-over all forms of communications. Witness the "EAS Test" on Nov. 9. (a failure ATM IMO) ]

[ bottom line: YOU *ALL* NEED TO WAKE UP as to WHAT's REALLY GOING ON in this world !!!! ]

_______________________________________________
Pan-devel mailing list
Pan-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/pan-devel
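As an added example (my own code, not Pan's, stunnel's or anything from this thread), here is how the depth=0 subject lines quoted above can be parsed and checked: the OpenSSL "oneline" DN is split only at slashes that begin a new key=value pair (so the GeoTrust OU containing a URL stays whole), the CN is compared against the connected host name, a certificate whose issuer DN equals its subject DN is flagged as self-signed (the Gmane case), and the CN is turned into a safe on-disk pem-filename. All function and constant names are my own; the two DN strings are copied from the quoted stunnel output.

```python
import re
from typing import List, Optional, Tuple

# Subject DNs copied from the "Certificate accepted: depth=0" lines quoted in this thread.
GIGANEWS_DN = ("/serialNumber=XqAKcg2TSvYlPuiWhSkEBTi2CYEq1LdE/C=US/O=news.giganews.com"
               "/OU=GT53604560/OU=See www.geotrust.com/resources/cps (c)10"
               "/OU=Domain Control Validated - QuickSSL(R)/CN=news.giganews.com")
GMANE_DN = "/C=NO/ST=Some-State/L=Oslo/O=Gmane/CN=news.gmane.org/emailAddress=la...@gnus.org"

# Split OpenSSL's "oneline" DN only at a '/' that begins a new key= pair, so the
# slash inside "www.geotrust.com/resources/cps" is kept as part of the OU value.
_RDN_BOUNDARY = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_oneline_dn(dn: str) -> List[Tuple[str, str]]:
    """Return the DN as an ordered list of (key, value) pairs."""
    pairs = []
    for part in _RDN_BOUNDARY.split(dn.strip()):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def common_name(dn: str) -> Optional[str]:
    """Last CN in the DN, or None when the subject carries no CN at all."""
    cns = [v for k, v in parse_oneline_dn(dn) if k == "CN"]
    return cns[-1] if cns else None


def cn_matches_host(cn: str, host: str) -> bool:
    """Case-insensitive exact match, or one left-most '*' covering exactly one host label."""
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if cn == host:
        return True
    if cn.startswith("*.") and host.count(".") >= 2:
        return host.split(".", 1)[1] == cn[2:]
    return False


def is_self_signed(subject_dn: str, issuer_dn: str) -> bool:
    """Issuer DN equal to subject DN is the self-signed case seen for Gmane."""
    return parse_oneline_dn(subject_dn) == parse_oneline_dn(issuer_dn)


def pem_filename_for(dn: str) -> str:
    """File name keyed on the CN, with anything unsafe for a path replaced by '_'."""
    return re.sub(r"[^A-Za-z0-9.-]", "_", common_name(dn) or "unknown") + ".pem"
```

Note that a reverse-DNS name such as host1.news.giganews.com does not match a CN of news.giganews.com, which is why a certificate check keyed on the connected host name, not the PTR record, is the right comparison.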