[Pan-devel] at GIT 6ffb80b still the same here: seems AW works, but not


From: SciFi
Subject: [Pan-devel] at GIT 6ffb80b still the same here: seems AW works, but not GN nor Gmane (Re: ANN: SSL Support))
Date: Thu, 17 Nov 2011 02:10:38 +0000 (UTC)
User-agent: Pan/0.135 (Tomorrow I'll Wake Up and Scald Myself with Tea; GIT 6ffb80b (github.com/judgefudge/pan2/master); x86_64-apple-darwin10.8.0; gcc-4.2.1 (Apple build 5666 (dot 3)); 32-bit mode)


Hi,

I am running your GIT 6ffb80b of Pan now.

I have also 'cvs-up'd the openssl repo as of 'today'.
Compiled & installed it from a 'clean'd state.
Its 'test's seem to run okay.

But --
Nothing has changed here w/r/t Pan:
My AW-only setup seems to be the only one working in SSL mode
(with the "discovered" pem-file-naming I mentioned previously).

I still can't get Gmane in SSL mode working,
not even with Pan creating the ssl_certs subdir from scratch.
After "applying" (accepting) the Gmane cert with that pop-up,
it also has a (new) pop-up showing an error storing that cert
and the event-log records this error, too, as before.

Same thing with my GN -- still no-worky.

I did find a way to get the GN+AW mix working half-way,
i.e. the AW half does take the (same) SSL cert,
while the GN cert has an error (similar to Gmane mentioned above).
So I have the GN+AW mix with
GN - primary w/ plaintext mode
AW - fallback w/ secured mode
running together in one Pan setup.  ;p

And as before, I *never* know if the SSL mode
is really-Really-REALLY *secure*.  ;p


BTW as an independent test,
I follow the wget bzr repo
and have it using openssl mode also
instead of its (new) default of gnutls.
Seems to work fine with e.g. https sites etc.


So
Here's my latest idea with this Pan-SSL dilemma:

The thing about AW is that we must use a
_different_ hostname
together with port 563
in order to get their SSL service.
When the Pan PEM file matches the _basic_ hostname for AW SSL
(not with ssl-us.foo and ssl-eu.foo etc in the PEM filenames,
 but the basic ssl.foo name does seem to be accepted by
 _all_ of those other servers),
things seem to be working
(but alas again are we *really* in "truly secure" mode).

As for Gmane and GN,
both of their FAQs indicate that
we use the _same_ hostnames as their "regular" servers
but simply change to use port 563
to get their SSL services
(e.g. news.foo both for plaintext and for secure modes).
Letting the Pan PEM files match these hostnames
seems to _prevent_ Pan going into SSL mode with them.
It's funny that it is these two companies
that are not working very well with your Pan-SSL code.
Coincidence?
Bottom line here is that
I don't have _any_ idea what-else the Pan PEM files
should be named for these servers,
nor if there are any-other ssl-mode server-names they use,
the names chosen by your code do seem to be
at least part of the problem
in these particular circumstances.
But I could be far-far-far-off …
however it is the only picture I can imagine ATM.

I suppose I could run some tests
but please provide exact detailed instructions?





