From: SciFi
Subject: [Pan-devel] still at GIT 7e49a9b, still the same here, plus some MORE research I've done (seems AW works, but not GN nor Gmane (Re: ANN: SSL Support))
Date: Tue, 22 Nov 2011 02:17:21 +0000 (UTC)
User-agent: Pan/0.135 (Tomorrow I'll Wake Up and Scald Myself with Tea; GIT 7e49a9b (; x86_64-apple-darwin10.8.0; gcc-4.2.1 (Apple build 5666 (dot 3)); 32-bit mode)


In order to see how the various NNTP certs were coming down:
I redid my Pan configs to go thru stunnel
(version 4.47 just came out, I'm using it now).
I checked openssl-cvs repo, not much changed since I up'd it last.
And I turned on the stunnel.conf option:
> verify = 0
and ran with:
> foreground = yes
to print its log to the terminal.

For AW:
: Certificate accepted: depth=3, /L=ValiCert Validation Network/O=ValiCert, 
Inc./OU=ValiCert Class 2 Policy Validation 
: Certificate accepted: depth=2, /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy 
Class 2 Certification Authority
: Certificate accepted: depth=1, /C=US/ST=Arizona/L=Scottsdale/, 
Inc./OU= Daddy Secure 
Certification Authority/serialNumber=07969287
: Certificate accepted: depth=0, /O=* Control 
See those asterisks in the depth=0 names?
No wonder my "discovery" of the way your Pan2-SSL code
will work using a single pem-filename
for any of AW's ssl-<country>.foo servers.
(still just a hypothesis of mine ;) )

Now, for GN:
: Certificate accepted: depth=1, /C=US/O=GeoTrust Inc./OU=Domain Validated 
: Certificate accepted: depth=0, 
/serialNumber=XqAKcg2TSvYlPuiWhSkEBTi2CYEq1LdE/C=US/ (c)10/OU=Domain Control Validated - 
I _am_ letting your Pan2_SSL code store the
pem-filename as shown in the depth=0 CN string,
but the rest of your Pan2-SSL code is balking here.
I don't understand this.

For Gmane:
: Certificate accepted: depth=0, 
: Certificate accepted: depth=0, 
: Certificate accepted: depth=0, 
(yes the same line three-times)
I don't understand this, either,
I think this is some sort of
"self-signed cert".
Anyway, your Pan2-SSL code is balking at this, too, here.
(Actually, I set stunnel to use the IP-number of
which has been their secure NNTP server in the past
but might be taken-out at any time)

BTW I am now trying to get stunnel to
run at higher 'verify' levels
but I am obviously missing some steps
to get their 'official' NNTP files (PEMs?) stored locally
and/or whatever-else is needed.
Please, if anyone wants to help, it would be appreciated muchly.

At any rate,
I'm going to let my Pans run thru stunnel any more
until/unless your Pan2-SSL code has more testing,
please holler if so.

Thanks for everything
so far
for the future.


=* Earlier text: *=


I've whacked-off most of this reply
for brevity's sake.  ;)

We have your GIT 7e49a9b now.
Still no-worky on the failing parts (GN and Gmane in my case)
while the working parts do still work (AW in my case).

Once again I am wondering why AW seems to work with your SSL code
(again with their "main" pem-filename for their regional ssl-* servers)
but no-other servers will work (not GN, not Gmane, still).

I still have no-idea what to name the pem files
on behalf of GN and Gmane
and adjust the servers.xml settings accordingly.

So, this is becoming very tiring for me.  ;)
Yet it is nagging me enough to try doing some research.  >:-|

Is there something to do with your support, perhaps?
I ask this because I read a post on the stunnel-user list/group
where "The Guru" dude could not get into SSL mode with a server,
and a reply from the stunnel main author was this:
Your server reply protocol version is 3.0.
You may wish to enable TLS on your server, or to specify:
     sslVersion = SSLv3
in your stunnel.conf.

I know your original announcement at the top of this thread said:
"so far SSL v.3.0 and no TLS!"
but your earlier Pan-SSL code _definitely_ mentioned TLS
for the "Secure" option on the news-server settings dialog.
Right now, tho, it does not mention TLS nor any-other protocol at all.
So I am confused, and I think you might still have
only TLS support built into your Pan-SSL code.
This might well explain why AW works and no-others.

Here's a bit of recent history about TLS, if anyone wonders:
A cursory examination of security discussions seems to show
that TLS turns out to be an UN-secure protocol.
It's apparently been "cracked" successfully, too many times,
so we users have been warned about using TLS anymore.
In fact, I believe Firefox et al have set TLS inactive as default
for HTTPS protocols etc.
However, the TLS options are still there for Firefox,
basically for servers that have not been changed/updated
for the latest SSL protocols.

Based on this (knowledge of TLS cracking),
I bet we won't be able to ask GN and Gmane to "enable TLS"
as the above stunnel reply indicates.

So, then, why is _my_ stunnel able to work with _all_
NNTPS servers I access?

My stunnel.conf just happens to have:
sslVersion = all
client = yes
(I believe "all" means SSLv2, SSLv3, _and_ TLSv1,
 and related options compiled into openssl itself)
and I'm using a personal client stunnel.pem file
which was generated based on the instructions at:

Also, I cannot find any exacting details
on just what SSL protocols are being used
by AW, GN, and Gmane.
On GN's FAQ, for example, I only see mention of "256-bit SSL encryption".
(I coulda sworn I saw "AES" on some news sites' FAQs.)

I am suspecting AW accepts using TLS, tho,
since it _is_ working with your Pan-SSL code
(yes despite your claim lol),
which could make me worried about someone cracking it.

Based on all this,
I'll have to go back to using stunnel
if/when I really-Really-REALLY get paranoid.  ;)

However, if the Pan-SSL TLS-only idea is crazy somehow,
if you/anyone have any tests in mind,
please give detailed instructions.


 BTW if anyone is wondering why having secure sessions is a "must",
 please go to:

 There's been more news-server shutdowns lately
 such as the big one in Europe:
 The fight is becoming filthy now.

 Also BTW,
 the ISP here is starting to charge more for extra usage,
 $10 per 50-GB
 over their 150-GB/month limit.
 Yes indeed I am seeking knowledge on whether a
 class-action lawsuit is available for joining.
 If anyone knows, please let me know.
 (This _is_ taking a bite out of my non-fruit projects.)

 And also the USGovmt is trying to take-over
 all forms of communications.
 Witness the "EAS Test" on Nov.9.
 (a failure ATM IMO)

 bottom line:
 as to
 in this world
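Added example, not code from this post, from Pan or from stunnel: a small Python script that reads stunnel "Certificate accepted" log lines of the shape quoted above, groups them into chains, and shows why one wildcard name (the asterisk in the depth=0 subject) can cover several ssl-<country> hosts, while a chain that logs only depth=0 and was "accepted" under verify = 0 has not been checked against any trust anchor. The sample log and every hostname in it are constructed placeholders.

```python
import re

# Constructed sample in the shape of the stunnel "verify = 0" log lines quoted
# in the post; the subjects are placeholders, not the real servers' certificates.
SAMPLE_LOG = """\
Certificate accepted: depth=2, /C=US/O=Example Root CA/CN=Example Root CA
Certificate accepted: depth=1, /C=US/O=Example Root CA/CN=Example Issuing CA
Certificate accepted: depth=0, /C=US/O=Example News/CN=*.news.example.net
Certificate accepted: depth=0, /C=US/O=Other News/CN=nntp.other.example
"""
LINE_RE = re.compile(r"Certificate accepted: depth=(\d+), (/.*)$")

def parse_dn(dn):
    """Split an OpenSSL one-line DN ('/C=US/O=Org/CN=name') into a dict."""
    return dict(p.split("=", 1) for p in dn.split("/") if "=" in p)

def parse_chains(log):
    """stunnel logs the root (highest depth) first and the server's own cert
    (depth 0) last, so a depth that does not decrease starts a new chain."""
    chains, last_depth = [], -1
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        depth = int(m.group(1))
        if depth >= last_depth:
            chains.append([])
        chains[-1].append({"depth": depth, **parse_dn(m.group(2))})
        last_depth = depth
    return chains

def hostname_matches(pattern, host):
    """RFC 6125 style: '*' is only the whole leftmost label and never spans a
    dot: '*.news.example.net' covers ssl-us.news.example.net, not a.b.news.example.net."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                       # ".news.example.net"
    left = host[:-len(suffix)] if host.endswith(suffix) else ""
    return bool(left) and "." not in left

def assess(chains):
    """Per chain: leaf CN, wildcard or not, and whether an issuer was logged.
    With verify = 0 stunnel accepts every peer cert, so "accepted" is not trust."""
    out = []
    for chain in chains:
        cn = min(chain, key=lambda c: c["depth"]).get("CN", "")
        out.append({"leaf_cn": cn, "wildcard": cn.startswith("*."),
                    "issuer_logged": len(chain) > 1})
    return out
```

The DN splitter is deliberately naive: a real subject containing a slash inside a value (like the long GN depth=0 line above) would need a proper parser rather than a split on "/".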
