
From: SciFi
Subject: Re: [Pan-devel] still at GIT 7e49a9b, still the same here, plus some MORE research I've done (seems AW works, but not GN nor Gmane (Re: ANN: SSL Support))
Date: Wed, 23 Nov 2011 05:15:24 +0000 (UTC)
User-agent: Pan/0.135 (Tomorrow I'll Wake Up and Scald Myself with Tea; GIT 7e49a9b (; x86_64-apple-darwin10.8.0; gcc-4.2.1 (Apple build 5666 (dot 3)); 32-bit mode)


On Tue, 22 Nov 2011 05:15:52 +0000, Duncan partly wrote:
> SciFi posted on Tue, 22 Nov 2011 02:17:21 +0000 as excerpted:
> […]
>> Now, for GN:
>> : Certificate accepted: depth=0, 
>> /serialNumber=XqAKcg2TSvYlPuiWhSkEBTi2CYEq1LdE
>> /C=US
>> /
>> /OU=GT53604560
>> /OU=See (c)10
>> /OU=Domain Control Validated - QuickSSL(R)
>> /
>> I _am_ letting your Pan2_SSL code store the
>> pem-filename as shown in the depth=0 CN string,
>> but the rest of your Pan2-SSL code is balking here.
>> I don't understand this.
> Without looking at the pan code or knowing much about GN's
> server-setup, do both the forward and reverse DNS match up
> with the given domain name?  It's not giving you something
> like for a reverse lookup on the
> IP address, right?
> That's the first thing off the top of my head...

Well, at least here,
'dig' gives one (and only one) address for
and 'dig -x' finds that same address back to the same name
with no others.

'dig' gives a whole bank of addresses
for the single domain-name of --
I'd say this is for "round robin" load balancing.
Then 'dig -x' for each of those addresses
does not necessarily resolve back properly,
as you have said.
But remember if I use the pem-filename '',
then HM's code seems to work for all of AW's NNTPS sites.

So this particular point seems to be moot.  ;)

I do need more discussion on this,
I just don't know why HM's code is not working with GN & Gmane.

As to other writings, esp'ly on using TLS,
I'm trying to cite relevant discussions from other groups/lists, too,
mainly what I read on the Tor groups here at Gmane,
for many reasons to include more SSL protocols inside Pan.  ;)
I understand your explanations on why TLS might seem "insecure".

>> For Gmane:
>> : Certificate accepted: depth=0,
>> /C=NO
>> /ST=Some-State
>> /L=Oslo
>> /O=Gmane
>> /
> [three times same depth=0 entry]
>> (yes the same line three-times)
>> I don't understand this, either,
>> I think this is some sort of "self-signed cert".
> Yes, it's a self-signed cert.
>> Anyway, your Pan2-SSL code is balking at this, too, here.
>> (Actually, I set stunnel to use the IP-number of
>> which has been their secure NNTP server in the past
>> but might be taken-out at any time)
> Question: How many connections do you have gmane set for?

I only use One connection for Gmane.
There's no reason for more connections,
at least for Gmane.  ;)

> […]
> As for gmane IP address, I use regardless of
> whether I'm using SSL or not.

Earlier in this entire thread, I said
I have used HM's code with
whether or not I have SSL-mode enabled
and the proper port-number 563 vs 119
[there are other port#s that will work,
 mainly to skirt-around ISP traffic-shapers & such].

I went back to using the name-&-address
because I thought HM's pem-filename logic would cause it to work.
(As I said, nope, didn't help.)
This has been my #1 concern inside this thread
i.e. how HM's pan-ssl code is treating the stored pem-filenames
after I "discovered" how AW was able to work.

> […]

I'm back to making Pan use stunnel (v4.47 as of this writing)
with the openssl-cvs repo as of a few days ago.

(I don't know if using openssl-cvs repo is another "clue",
 but I keep listing it as if it's one.
 This way we would at least get their latest code.
 BTW I don't trust the code provided by this fruity company
 which currently says
 > $ /usr/bin/openssl version
 > OpenSSL 0.9.8r 8 Feb 2011
 whereas my build says
 > $ openssl version
 > OpenSSL 1.1.0-dev xx XXX xxxx
 built into /usr/local/ssl
 which is used by stunnel, wget, etc., as well as HM's pan,
 as evidenced by their logs here.  ;)
 Why won't this lousy fruit "officially" upgrade us to
 using OpenSSL-1.x.x, I will never know.
 But this is the main drive of my "non-fruit" projects
 if there weren't other factors to blame
 [read my footer below for clues].)


 BTW if anyone is wondering why having secure sessions is a "must",
 please go to:

 There's been more news-server shutdowns lately
 such as the big one in Europe:
 The fight is becoming filthy now.

 Also BTW,
 the ISP here is starting to charge more for extra usage,
 $10 per 50-GB
 over their 150-GB/month limit.
 Yes indeed I am seeking knowledge on whether a
 class-action lawsuit is available for joining.
 If anyone knows, please let me know.
 (This _is_ taking a bite out of my non-fruit projects.)

 And also the USGovmt is trying to take-over
 all forms of communications.
 Witness the "EAS Test" on Nov.9.
 (a failure ATM IMO)

 bottom line:
 as to
 in this world
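
The certificate lines quoted in this message are in OpenSSL's one-line subject form, and the open question in the thread is what a client should decide from the depth=0 entry: which pem filename to store, whether the CN matches the host it connected to, and whether issuer and subject coincide (a self-signed cert, as with Gmane). The Python below is an added example, not code from Pan, from HM's SSL patch or from anyone in this thread; the hostnames, the CA name and the URL inside the OU are constructed placeholders.

```python
import re

def parse_subject(line):
    """Parse OpenSSL one-line DN form ('/C=US/O=Gmane/CN=host') into {attr: [values]}."""
    # OpenSSL does not escape '/' inside values, so a fragment with no '=' (e.g. the
    # tail of a URL in an OU) is re-joined to the preceding value.
    attrs, last = {}, None
    for part in line.strip().split("/"):
        if "=" in part:
            key, _, value = part.partition("=")
            last = attrs.setdefault(key.strip(), [])
            last.append(value.strip())
        elif part and last:
            last[-1] += "/" + part
    return attrs

def hostname_matches(cn, host):
    """RFC 6125-style check: exact match, or '*' standing for the whole leftmost label."""
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if cn == host:
        return True
    if cn.startswith("*.") and "*" not in cn[2:]:
        c, h = cn.split("."), host.split(".")
        return len(c) == len(h) >= 3 and c[1:] == h[1:]  # never match a bare suffix like *.org
    return False

def pem_filename(cn, host):
    """Filesystem-safe cache name derived from the CN (host if CN is empty); no path parts."""
    base = re.sub(r"[^A-Za-z0-9.-]", "_", cn or host).strip(".")
    if not base or ".." in base:
        raise ValueError("CN unusable as a file name: %r" % cn)
    return base + ".pem"

def check_peer(subject_line, issuer_line, host):
    """What a client should decide from the depth=0 certificate's subject and issuer."""
    subject = parse_subject(subject_line)
    cn = subject.get("CN", [""])[0]
    return {"cn": cn, "ou": subject.get("OU", []),
            "host_ok": bool(cn) and hostname_matches(cn, host),
            "self_signed": parse_subject(issuer_line) == subject,  # issuer == subject
            "pem": pem_filename(cn, host)}

# Constructed samples in the same format the thread quotes; names are placeholders.
GN_SUBJECT = ("/serialNumber=XqAKcg2TSvYlPuiWhSkEBTi2CYEq1LdE/C=US/O=news.example.net"
              "/OU=GT53604560/OU=See www.example.invalid/cps (c)10"
              "/OU=Domain Control Validated - QuickSSL(R)/CN=news.example.net")
GN_ISSUER = "/C=US/O=Example CA/CN=Example Domain Validation CA"
GMANE_SUBJECT = "/C=NO/ST=Some-State/L=Oslo/O=Gmane/CN=news.example.org"
```

Calling `check_peer(GMANE_SUBJECT, GMANE_SUBJECT, "news.example.org")` reports `self_signed` as true, which is the case a client has to handle by pinning the stored pem rather than by chain validation.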
