Re: [Pan-users] Need help debugging pan + gnutls-3.x.x
From: Duncan
Subject: Re: [Pan-users] Need help debugging pan + gnutls-3.x.x
Date: Tue, 11 Dec 2012 10:45:33 +0000 (UTC)
User-agent: Pan/0.140 (Chocolate Salty Balls; GIT e9e5ddf /usr/src/portage/src/egit-src/pan2)
Duncan posted on Mon, 10 Dec 2012 19:52:14 +0000 as excerpted:
> walt posted on Mon, 10 Dec 2012 05:49:12 -0800 as excerpted:
>
>> On 12/08/2012 05:49 PM, walt wrote:
>>>
>>> Third bizarre behavior of pan+gnutls-3 is that the "broken" server is
>>> not *always* broken, but works intermittently, sometimes for days at a
>>> time, and then breaks again for reasons I can't understand. I just
>>> started pan again at 17:30 PST and it connected perfectly to the
>>> 'broken' server and stored its 6-byte cert file right beside the
>>> 'working' server's 6-byte cert file, like this:
>>
>> Yesterday the 'broken' server started and stopped working at least five
>> times, and did it again this morning. I still don't understand why
>> this happens but at least I do have another possible clue:
>>
>> When I set pan to *not* trust the server's cert, two different things
>> may happen. First, when the server is broken, pan never presents me
>> with the cert for my approval, i.e. it seems to me that gnutls-3 is not
>> actually fetching/reading the cert and therefore can't ask me to
>> approve it.
>>
>> Second, when the server suddenly starts working again, pan actually
>> does present me with the cert for approval, and in fact it presents it
>> two and sometimes three times, so I have to click away the dialog box
>> more than once. After that, pan works perfectly again for some
>> unpredictable period of time before the server 'breaks' again.
>>
>> To add to my confusion, I can use gnutls-cli-debug -p 563 to examine
>> the server's cert perfectly whether the server is 'broken' or not.
>> That seems to imply that something in pan is changing rather than
>> something in the server, doesn't it?
>>
>> I remain mystified :(
>
> I've been going to look into this myself (I've been running gnutls 3.x
> for quite some time but switched back to plain text when pan's secure
> code was still churning, and I need to try it again anyway), but I've
> not had the time as I'm working full time again. =:^) Also, I forgot
> after your first mail, so this one reminded me.
Seems I had switched back to nntps and had forgotten about it, so I was
actually using it when I wrote that. =:^)
> From your previous post, the short cert files are probably just hashes,
> giving pan just enough info to know whether it has accepted the cert yet
> or not. Reading the source may confirm that one way or the other.
FWIW, I checked and my (working) *.pem file is 6 bytes too. So that
would appear to be normal.
FWIW if you wish to compare same-server, my only active server is gmane,
here. news.gmane.org, standard ports (119/nntp or 563/nntps). Your
(walt's) headers say you're posting with thunderbird, so probably direct,
not via gmane. The gmane cert is self-issued, nothing fancy, but it
works.
> The broken/working/broken bit MAY be the NSP's server, serving different
> certs depending on what front-end you connect to.
I still think that may be it...
> Meanwhile, the multiple cert-accept dialogs could well be due to pan's
> multiple connections code. If you dial back your allowed connections to
> only one, do you consistently only get one accept dialog? If so, the
> problem should be fixed, but it could well be difficult to do so, and
> since under normal conditions once you accept the cert it shouldn't
> happen again (until the cert changes), it may be that Heinrich either
> thought it was fixed or decided to leave that bug to work on some other
> time.
FWIW, I'm using only a single connection with gmane. It's mostly text,
with an occasional screen-shot or whatever posting, so there's really no
need for more, and I have no wish to abuse gmane just for doing so. But
it did take two connections back when I was running it that way before.
You could try that and see...
(Mostly OT comment: If I stay full time for a few more weeks I'm going to
be tempted to sign up somewhere for a real nsp. I figure a half-TB block
should last me quite some time, over a year even if I go back to
binaries, as I never did download more than about a gig a day, average.
THEN I'll actually be able to test some of this stuff.)
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman