[Pan-users] Need help debugging pan + gnutls-3.x.x

[walt]

(First, for you git freaks, Petr Kovar just made some welcome changes
to "configure.in", but don't forget to re-run "autogen.sh" followed by
running the newly generated "configure" script before recompiling pan,
or you won't see his latest changes.  Thanks Petr :)

I'm still having some very confusing problems from upgrading gnutls-2
to gnutls-3 and I'm wondering if anyone else can reproduce them.

Heinrich never intended pan to use gnutls-2, but I've been using it
ever since he added the gnutls support many moons ago and it's been
working perfectly -- until I upgraded to gnutls-3. (The version he
used from the beginning.)

I have two for-pay nntp accounts (both dirt cheap, of course ;) but
pan will accept only one of those servers when using nntps on port
563 *and* gnutls-3.x.x. (Both accounts work correctly when I use
gnutls-2.x.x.)

The one that works "correctly" with gnutls-3 is news.us.usenet-news.net
(seems to be a readnews.com reseller).

The server that works correctly (no quote marks) with gnutls-2 but
fails with gnutls-3 is news.budgetnews.net (the server cert is issued
to hitnews.eu, and gnutls-2 issues a warning about the mismatched names,
but pan accepts the cert anyway, as it should).

Pan's gnutls-3 behavior with the broken server is really quite bizarre
IMO, and I'm having trouble debugging the problem.

Just for starters, pan makes multiple nntps connections to the broken
server but won't actually use any of them, and keeps making new nntps
connections every 10-15 seconds or so as a result (netstat shows them
as open sockets connected to port 563 of the news server).

Second bizarre behavior is the way pan saves the cert for the "working"
server:  pan stores a cert file containing exactly 6 bytes, like this:

# hexdump -C news.us.usenet-news.net.pem
00000000  e8 ea b9 28 a1 7f                                 |...(..|
00000006

In spite of this bizarre cert, pan makes a working nntps connection to
that server every time and doesn't complain about anything.

Third bizarre behavior of pan+gnutls-3 is that the "broken" server is
not *always* broken, but works intermittently, sometimes for days at a
time, and then breaks again for reasons I can't understand.  I just
started pan again at 17:30 PST and it connected perfectly to the 'broken'
server and stored its 6-byte cert file right beside the 'working' server's
6-byte cert file, like this:

#hexdump -C news.budgetnews.net.pem
00000000  78 aa 0b f9 f7 7f                                 |x.....|
00000006

Did the start of a new day in UTC time make the critical difference?

I need new eyeballs to look at this problem and give me new ideas,
because I'm completely stumped :(