Re: [Pan-users] ssl/tls certificate handling?
From: Duncan
Subject: Re: [Pan-users] ssl/tls certificate handling?
Date: Tue, 23 Feb 2016 08:46:30 +0000 (UTC)
User-agent: Pan/0.140 (Chocolate Salty Balls; GIT a52b404)
walt posted on Mon, 22 Feb 2016 19:43:39 -0800 as excerpted:
> Hi, veteran pan debuggers.
>
> I'm running the latest pan from git with gnutls support and I'm a bit
> confused about how pan is saving the server certs. If you have a news
> server that supports ssl/tls connections, could you look in your
> ~/.pan2/ssl_certs directory for any files and check to make sure they
> are stored correctly?
>
> They should be .pem files, which are plain text files containing lines
> like -----BEGIN CERTIFICATE----- followed by a bunch of text garbage,
> followed by -----END CERTIFICATE-----.
>
> Thanks for testing :)
Thanks for looking into this. Pan's certificate handling has been
nagging at me for a while as it didn't seem to work quite as I expected,
but I don't know enough about it to do anything on my own.

In particular, it seems I have to check the "always trust this server's
certificate" box to avoid being prompted every time I restart pan and
attempt to connect to a secure server, and if I'm not mistaken, that
option defeats much of the purpose of a secure connection, since I think
that makes it trust /any/ random cert it sees, thus allowing easy MitMing
(man-in-the-middling).

But the so-called certs seem to be only 6 bytes long, effectively
non-ascii, apparently binary garbage, instead of the base-64-encoded and
thus ascii-looking cert of some rather longer length that I expected, and
if pan isn't saving them correctly, that would explain why it can't
recognize certs that have already been accepted, thus necessitating
either accepting them every time or checking the "always trust" box.

So indeed, thanks for looking into this. You certainly know code better
than I, and have a much better chance at figuring out what's going on and
how it differs from what's /supposed/ to be going on, than I. Hopefully
after you're done, I'll feel rather better about pan's cert handling,
either because it's fixed, or because I understand what it's actually
doing somewhat better, and am comfortable it's working as it's /supposed/
to work.
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
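Added here as an example, not Pan's own code and not from either poster: a small Python checker for the inspection walt asks list members to do above. It assumes the saved files live in ~/.pan2/ssl_certs as the post says, and it runs on constructed sample inputs (a tiny DER SEQUENCE standing in for a certificate, and a six-byte binary blob like the one Duncan describes) rather than on real certificates.

```python
import base64
import binascii
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_sequence_length(der: bytes) -> Optional[int]:
    """Total length (tag + length bytes + body) of the outer DER SEQUENCE, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                       # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem_cert(data: bytes) -> Tuple[bool, str]:
    """Say whether a saved cert file looks like a well-formed PEM certificate."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False, "not ASCII text (binary garbage?)"
    m = PEM_RE.search(text)
    if not m:
        return False, "missing BEGIN/END CERTIFICATE markers"
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except binascii.Error:
        return False, "body is not valid base64"
    if der_sequence_length(der) != len(der):
        return False, "decoded body is not a single well-formed DER SEQUENCE"
    return True, "PEM certificate, %d bytes of DER" % len(der)

def check_cert_dir(directory: str = "~/.pan2/ssl_certs") -> Dict[str, Tuple[bool, str]]:
    root = Path(directory).expanduser()     # the directory walt asked people to inspect
    if not root.is_dir():
        return {}
    return {p.name: check_pem_cert(p.read_bytes()) for p in sorted(root.iterdir()) if p.is_file()}

def make_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM markers (constructed test input, not a real certificate)."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"
# Constructed samples: valid tiny DER, six bytes of binary junk, truncated base64, bad DER length.
SAMPLES = {
    "good": make_pem(bytes([0x30, 0x03, 0x02, 0x01, 0x01])),
    "binary6": b"\xe4\x8c\x01\x00\xff\x7a",
    "truncated": b"-----BEGIN CERTIFICATE-----\nMAMCAQ\n-----END CERTIFICATE-----\n",
    "badlen": make_pem(bytes([0x30, 0x10, 0x02, 0x01, 0x01])),
}
```

Calling check_cert_dir() on a machine with the saved certs reports, per file, whether the stored bytes are an ASCII PEM block whose base64 body decodes to one complete DER SEQUENCE, which is what a correctly saved server cert must satisfy before pinning against it means anything.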