pan-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Pan-devel] ANN: SSL Support

From: SciFi
Subject: Re: [Pan-devel] ANN: SSL Support
Date: Wed, 9 Nov 2011 02:49:13 +0000 (UTC)
User-agent: Pan/0.135 (Tomorrow I'll Wake Up and Scald Myself with Tea; GIT cefc477 (github.com/judgefudge/pan2/master); x86_64-apple-darwin10.8.0; gcc-4.2.1 (build 5666 (dot 3)); 32-bit mode) 
On Mon, 07 Nov 2011 08:23:05 +0000, Heinrich Müller wrote:
> 
> Am Thu, 03 Nov 2011 21:38:36 -0400 schrieb Domain Admin:
> 
>> On Wed, Oct 26, 2011 at 1:08 PM, Heinrich Müller <address@hidden> wrote:
>>>
>>> Am Wed, 26 Oct 2011 08:39:43 +0000 schrieb SciFi:
>>>
>>> >
>>> > As it is, your code seems to be working fine.
>>> > But I can never figure-out if we're running SSL "for reals"
>>> > (yes the servers did reject/not-respond-to the "plain-text" setting
>>> >  but I don't think that is enough proof ;) ).
>>> > And the doubled i/o rate calculations are something that needs further
>>> > study, please (this is during header-fetch _and_ downloading-binaries).
>>> >
>>> > Thank you for all your work.
>>>
>>>
>>> I'll add certificate checking for later. Then a message would pop up if
>>> that failed and would asked for user actions. For now, pan just assumes
>>> that everything is fine. Securitywise this _could_ be a problem, so I'll
>>> fix this is asap.
>>>
>> 
> Bumping myself. Done, merged into master. Seems stable enough.


Hi,

Tonight I did a fresh git-clone of your master branch at cefc477
so I could try your ssl+cert code.

No-worky for me.  ;(

Here's a short gdb backtrace & what I did:

-*-
$ gdb pan
GNU gdb 6.3.50-20050815 (Apple version gdb-1705) (Tue Jul  5 07:28:08 UTC 2011)
[…]
[…loading symbols etc…]
(gdb) run
[…more loading symbols etc…]
[…I put Pan into on-line mode, nothing in queues etc at this point,
  but a few seconds later I added a "Refresh Group List" item…]

** (pan:20827): WARNING **: SSL handshake failed: certificate verify failed
handshake ret -1

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000044
0x000ad7c6 in pan::GIOChannelSocketSSL::~GIOChannelSocketSSL (this=0x26df370) 
at socket-impl-openssl.cc:305
305       _session = SSL_get1_session(chan->ssl);
(gdb) bt
#0  0x000ad7c6 in pan::GIOChannelSocketSSL::~GIOChannelSocketSSL 
(this=0x26df370) at socket-impl-openssl.cc:305
#1  0x000affeb in pan::NNTP_Pool::on_socket_created (this=0x26decf0, 
address@hidden, port=563, ok=false, socket=0x26df370) at nntp-pool.cc:168
#2  0x000ab170 in pan::ThreadWorker::on_worker_done (this=0x26ded80, 
cancelled=false) at socket-impl-main.cc:88
#3  0x000d9b30 in pan::WorkerPool::Worker::main_thread_cleanup (this=0x26ded80) 
at worker-pool.cc:89
#4  0x000d9b77 in pan::WorkerPool::Worker::main_thread_cleanup_cb (g=0x26ded80) 
at worker-pool.cc:81
#5  0x00f45688 in g_main_context_dispatch ()
Previous frame inner to this frame (gdb could not unwind past this frame)
(gdb) quit
The program is running.  Exit anyway? (y or n) y
$ _
-*-

Note we do not originally have any certs at all,
I assumed such certs must initially come from the server(s)
(I still use GN as primary, AW as fallback)
and/or let Pan generate them on behalf of the user.
Or:  Could I use the one(s) generated from my stunnel operation?
Hmm, that's an idea.
I will play with it s'more
(I do see the prefs dialogs to find/add/delete certs etc).

- - - - -

Try #2:

I got Pan to fetch the PEM file from my stunnel operation
(I did follow their instructions to have my "own" cert there)
for both GN and AW in my setup.
Then I tried to get a Refresh Group List again.
No-worky again.  ;(
This time the gdb showed this:

-*-
[…]
gui cert failed : 0x26f4e60

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000050
0x0083add1 in gdk_window_set_geometry_hints ()
(gdb) bt
#0  0x0083add1 in gdk_window_set_geometry_hints ()
#1  0x005cf671 in gtk_window_check_resize ()
(gdb) cont
Continuing.
**
Pango:ERROR:pango-layout.c:3739:pango_layout_check_lines: assertion failed: 
(!layout->log_attrs)

Program received signal SIGABRT, Aborted.
0x0083add1 in gdk_window_set_geometry_hints ()
(gdb) quit
The program is running.  Exit anyway? (y or n) y
$ _
-*-

Now I will go back to the non-ssl mode (still at cefc477)
so I can post this message to the list.  ;)

[I see stunnel-4.46 was released a few days ago,
 I suppose I could go back to using it, too, heh.]

…

BTW
A thought has come into my brain, once this is working fully:
I follow the Tor discussions here on Gmane.
I got an idea from them to use different certs,
very often, very randomly,
in order to "fool" those MITM attacks and such as that.
I dunno…
reply via email to
[Prev in Thread] Current Thread [Next in Thread]