Re: [Pan-users] Need help debugging pan + gnutls-3.x.x


From: Duncan
Subject: Re: [Pan-users] Need help debugging pan + gnutls-3.x.x
Date: Tue, 11 Dec 2012 10:45:33 +0000 (UTC)
User-agent: Pan/0.140 (Chocolate Salty Balls; GIT e9e5ddf /usr/src/portage/src/egit-src/pan2)

Duncan posted on Mon, 10 Dec 2012 19:52:14 +0000 as excerpted:

> walt posted on Mon, 10 Dec 2012 05:49:12 -0800 as excerpted:
> 
>> On 12/08/2012 05:49 PM, walt wrote:
>>>
>>> Third bizarre behavior of pan+gnutls-3 is that the "broken" server is
>>> not *always* broken, but works intermittently, sometimes for days at a
>>> time, and then breaks again for reasons I can't understand.  I just
>>> started pan again at 17:30 PST and it connected perfectly to the
>>> 'broken' server and stored its 6-byte cert file right beside the
>>> 'working' server's 6-byte cert file, like this:
>> 
>> Yesterday the 'broken' server started and stopped working at least five
>> times, and did it again this morning.  I still don't understand why
>> this happens but at least I do have another possible clue:
>> 
>> When I set pan to *not* trust the server's cert, two different things
>> may happen.  First, when the server is broken, pan never presents me
>> with the cert for my approval, i.e. it seems to me that gnutls-3 is not
>> actually fetching/reading the cert and therefore can't ask me to
>> approve it.
>> 
>> Second, when the server suddenly starts working again, pan actually
>> does present me with the cert for approval, and in fact it presents it
>> two and sometimes three times, so I have to click away the dialog box
>> more than once.  After that, pan works perfectly again for some
>> unpredictable period of time before the server 'breaks' again.
>> 
>> To add to my confusion, I can use gnutls-cli-debug -p 563 to examine
>> the server's cert perfectly whether the server is 'broken' or not. 
>> That seems to imply that something in pan is changing rather than
>> something in the server, doesn't it?
>> 
>> I remain mystified :(
> 
> I've been going to look into this myself (I've been running gnutls 3.x
> for quite some time but switched back to plain text when pan's secure
> code was still churning, and I need to try it again anyway), but I've
> not had the time as I'm working full time again. =:^)  Also, I forgot
> after your first mail, so this one reminded me.

Seems I had switched back to nntps and had forgotten about it, so I was 
actually using it when I wrote that. =:^)

> From your previous post, the short cert files are probably just hashes,
> giving pan just enough info to know whether it has accepted the cert yet
> or not.  Reading the source may confirm that one way or the other.

FWIW, I checked and my (working) *.pem file is 6-bytes too.  So that 
would appear to be normal.

FWIW if you wish to compare same-server, my only active server is gmane, 
here.  news.gmane.org, standard ports (119/nntp or 563/nntps).  Your 
(walt's) headers say you're posting with thunderbird, so probably direct, 
not via gmane.  The gmane cert is self-issued, nothing fancy, but it 
works.

> The broken/working/broken bit MAY be the NSP's server, serving different
> certs depending on what front-end you connect to.

I still think that may be it...

> Meanwhile, the multiple cert-accept dialogs could well be due to pan's
> multiple connections code.  If you dial back your allowed connections to
> only one, do you consistently only get one accept dialog?  If so, the
> problem should be fixed, but it could well be difficult to do so, and
> since under normal conditions once you accept the cert it shouldn't
> happen again (until the cert changes), it may be that Heinrich either
> thought it was fixed or decided to leave that bug to work on some other
> time.

FWIW, I'm using only a single connection with gmane.  It's mostly text, 
with an occasional screen-shot or whatever posting, so there's really no 
need for more, and I have no wish to abuse gmane just for doing so.  But 
it did take two connections back when I was running it that way before.  
You could try that and see...

(Mostly OT comment: If I stay full time for a few more weeks I'm going to 
be tempted to sign up somewhere for a real nsp.  I figure a half-TB block 
should last me quite some time, over a year even if I go back to 
binaries, as I never did download more than about a gig a day, average.  
THEN I'll actually be able to test some of this stuff.)

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
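An added example, not pan's code and not anything walt or Duncan posted, that checks the two hypotheses raised in the thread: it pins a server's certificate by SHA-256 fingerprint (trust-on-first-use, which is the assumption here for what pan's small cert file records), and it connects to every address the NNTPS host name resolves to, grouping addresses by the certificate they present, so an NSP whose front ends serve different certs shows up as more than one group. The addresses and DER byte strings in SAMPLE_CERTS are constructed placeholders; the default host is the news.gmane.org server mentioned above.

```python
import hashlib
import socket
import ssl
import sys

# Constructed stand-ins for DER cert bytes (real ones: getpeercert(binary_form=True)).
SAMPLE_CERTS = {
    "198.51.100.10": b"constructed-der-front-end-A",
    "198.51.100.11": b"constructed-der-front-end-A",
    "198.51.100.12": b"constructed-der-front-end-B",
}

def fingerprint(der):
    """SHA-256 of the DER bytes as colon-separated hex, the value a pin stores."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def tofu_check(store, host, der):
    """Trust-on-first-use: pin the first fingerprint seen for host, then report new/match/mismatch."""
    fp = fingerprint(der)
    if host not in store:
        store[host] = fp
        return "new"
    return "match" if store[host] == fp else "mismatch"

def group_by_fingerprint(certs_by_addr):
    """Map fingerprint -> sorted addresses presenting it; several keys mean front ends differ."""
    groups = {}
    for addr, der in certs_by_addr.items():
        groups.setdefault(fingerprint(der), []).append(addr)
    return {fp: sorted(addrs) for fp, addrs in groups.items()}

def fetch_certs(host, port=563, timeout=10):
    """Connect to each address host resolves to and collect the DER cert it presents (no verification, inspection only)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    certs = {}
    for _family, _type, _proto, _name, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        addr = sockaddr[0]
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                certs[addr] = tls.getpeercert(binary_form=True)
    return certs

if __name__ == "__main__":
    # A host argument probes the live server; without one the constructed sample runs offline.
    certs = fetch_certs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERTS
    for fp, addrs in group_by_fingerprint(certs).items():
        print(fp, "served by", ", ".join(addrs))
```

Run it several times against the same name: if the groups change between runs, the NSP is rotating front ends with different certs, which matches the "broken/working/broken" pattern walt describes.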