pan-devel

Re: [Pan-devel] still at GIT 7e49a9b, still the same here, plus some MOR


From: SciFi
Subject: Re: [Pan-devel] still at GIT 7e49a9b, still the same here, plus some MORE research I've done (seems AW works, but not GN nor Gmane (Re: ANN: SSL Support))
Date: Wed, 23 Nov 2011 05:15:24 +0000 (UTC)
User-agent: Pan/0.135 (Tomorrow I'll Wake Up and Scald Myself with Tea; GIT 7e49a9b (github.com/judgefudge/pan2/master); x86_64-apple-darwin10.8.0; gcc-4.2.1 (Apple build 5666 (dot 3)); 32-bit mode)


Hi,

On Tue, 22 Nov 2011 05:15:52 +0000, Duncan partly wrote:
> 
> SciFi posted on Tue, 22 Nov 2011 02:17:21 +0000 as excerpted:
> […]
> 
>> Now, for GN:
> 
>> : Certificate accepted: depth=0, 
>> /serialNumber=XqAKcg2TSvYlPuiWhSkEBTi2CYEq1LdE
>> /C=US
>> /O=news.giganews.com
>> /OU=GT53604560
>> /OU=See www.geotrust.com/resources/cps (c)10
>> /OU=Domain Control Validated - QuickSSL(R)
>> /CN=news.giganews.com
> 
>> I _am_ letting your Pan2_SSL code store the
>> pem-filename as shown in the depth=0 CN string,
>> but the rest of your Pan2-SSL code is balking here.
>> I don't understand this.
> 
> Without looking at the pan code or knowing much about GN's
> server-setup, do both the forward and reverse DNS match up
> with the given domain name?  It's not giving you something
> like host1.news.giganews.com for a reverse lookup on the
> IP address, right?
> 
> That's the first thing off the top of my head...

Well, at least here,
'dig' gives one (and only one) address for news.giganews.com
and 'dig -x' finds that same address back to the same name
with no others.

OTOH,
'dig' gives a whole bank of addresses
for the single domain-name of ssl.astraweb.com --
I'd say this is for "round robin" load balancing.
Then 'dig -x' for each of those addresses
does not necessarily resolve back properly,
as you have said.
But remember if I use the pem-filename 'ssl.astraweb.com',
then HM's code seems to work for all of AW's NNTPS sites.

So this particular point seems to be moot.  ;)

I do need more discussion on this,
I just don't know why HM's code is not working with GN & Gmane.


As to other writings, esp'ly on using TLS,
I'm trying to cite relevant discussions from other groups/lists, too,
mainly what I read on the Tor groups here at Gmane,
for many reasons to include more SSL protocols inside Pan.  ;)
I understand your explanations on why TLS might seem "insecure".


>> For Gmane:
>>>>>>
>> : Certificate accepted: depth=0,
>> /C=NO
>> /ST=Some-State
>> /L=Oslo
>> /O=Gmane
>> /CN=news.gmane.org/address@hidden
> 
> [three times same depth=0 entry]
> 
>> (yes, the same line three times)
>> I don't understand this, either,
>> I think this is some sort of "self-signed cert".
> 
> Yes, it's a self-signed cert.
> 
>> Anyway, your Pan2-SSL code is balking at this, too, here.
>> (Actually, I set stunnel to use the IP-number of
>> dough.gmane.org
>> which has been their secure NNTP server in the past
>> but might be taken-out at any time)
> 
> Question: How many connections do you have gmane set for?

I only use One connection for Gmane.
There's no reason for more connections,
at least for Gmane.  ;)

> […]
> As for gmane IP address, I use news.gmane.org regardless of
> whether I'm using SSL or not.

Earlier in this entire thread, I said
I have used HM's code with news.gmane.org
whether or not I have SSL-mode enabled
and the proper port-number 563 vs 119
[there are other port#s that will work,
 mainly to skirt-around ISP traffic-shapers & such].

I went back to using the dough.gmane.org name-&-address
because I thought HM's pem-filename logic would cause it to work.
(As I said, nope, didn't help.)
This has been my #1 concern inside this thread
i.e. how HM's pan-ssl code is treating the stored pem-filenames
after I "discovered" how AW was able to work.


> […]


Anyway,
I'm back to making Pan use stunnel (v4.47 as of this writing)
with the openssl-cvs repo as of a few days ago.

(I don't know if using openssl-cvs repo is another "clue",
 but I keep listing it as if it's one.
 This way we would at least get their latest code.
 BTW I don't trust the code provided by this fruity company
 which currently says
 > $ /usr/bin/openssl version
 > OpenSSL 0.9.8r 8 Feb 2011
 whereas my build says
 > $ openssl version
 > OpenSSL 1.1.0-dev xx XXX xxxx
 built into /usr/local/ssl
 which is used by stunnel, wget, etc., as well as HM's pan,
 as evidenced by their logs here.  ;)
 Why won't this lousy fruit "officially" upgrade us to
 using OpenSSL-1.x.x, I will never know.
 But this is the main drive of my "non-fruit" projects
 if there weren't other factors to blame
 [read my footer below for clues].)



-- 


[
 BTW if anyone is wondering why having secure sessions is a "must",
 please go to:
 <http://americancensorship.org/>
]

[
 There's been more news-server shutdowns lately
 such as the big one in Europe:
 <http://news-service.com/>
 The fight is becoming filthy now.
]

[
 Also BTW,
 the ISP here is starting to charge more for extra usage,
 $10 per 50-GB
 over their 150-GB/month limit.
 Yes indeed I am seeking knowledge on whether a
 class-action lawsuit is available for joining.
 If anyone knows, please let me know.
 (This _is_ taking a bite out of my non-fruit projects.)
]

[
 And also the USGovmt is trying to take-over
 all forms of communications.
 Witness the "EAS Test" on Nov.9.
 (a failure ATM IMO)
]

[
 bottom line:
 YOU *ALL* NEED TO WAKE UP
 as to
 WHAT's REALLY GOING ON
 in this world
 !!!!
]
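The thread circles around two distinct checks: Duncan's forward/reverse DNS question, and why Pan's SSL code accepts the Astraweb certificate but balks at Giganews and Gmane. TLS hostname verification does not consult reverse DNS at all; a client compares the name it was asked to connect to against the certificate's subjectAltName DNS entries (falling back to the subject CN when there are none), and separately decides whether it trusts the issuer, which a self-signed certificate like Gmane's fails unless it is explicitly pinned. The script below is an added example, not code from Pan or from anyone in the thread. It implements that matching rule over certificates in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, using sample certificates constructed from the subject strings quoted above (the issuers and the Giganews SAN entry are assumptions, and the scrubbed `emailAddress` component is left out). It shows that connecting to `dough.gmane.org` against a certificate issued for `news.gmane.org` is a name mismatch regardless of what the IP resolves to, and it includes a live checker built on the standard library's default verification for anyone who wants to reproduce the result against a real server.

```python
"""Hostname and issuer checks for server certificates, in the dict form
returned by ssl.SSLSocket.getpeercert().  Added example; the sample
certificates below are constructed from the subjects quoted in the
thread and are not real certificates."""
import socket
import ssl


def _rdn_values(name, attr):
    """Collect every value of one attribute (e.g. 'commonName') from a
    getpeercert()-style subject or issuer: a tuple of RDNs, each a tuple
    of (attribute, value) pairs."""
    return [value for rdn in name for key, value in rdn if key == attr]


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive exact match, or a
    leading '*' that stands for exactly one label (so '*.example.com'
    covers 'ssl.example.com' but not 'a.b.example.com')."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    labels = hostname.split(".")
    return len(labels) > 1 and "*" not in suffix and ".".join(labels[1:]) == suffix


def cert_matches_hostname(cert, hostname):
    """True if the requested hostname is covered by the certificate.
    SAN DNS entries take precedence; the subject CN is consulted only
    when the certificate carries no SAN DNS entries at all."""
    san_dns = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    candidates = san_dns or _rdn_values(cert["subject"], "commonName")
    return any(dns_name_matches(c, hostname) for c in candidates)


def is_self_signed(cert):
    """A certificate whose issuer equals its subject vouches only for
    itself; default trust stores will reject it unless it is pinned."""
    return cert["subject"] == cert["issuer"]


def diagnose(cert, hostname):
    """Summarise why a default TLS client would accept or reject cert
    for hostname.  Returns a list of problems; empty means acceptable."""
    problems = []
    if not cert_matches_hostname(cert, hostname):
        problems.append("name mismatch: certificate is not issued for %s" % hostname)
    if is_self_signed(cert):
        problems.append("self-signed: issuer is not in the trust store")
    return problems


def check_server(host, port=563):
    """Live check against a real NNTPS server using the standard library's
    default verification (hostname match plus chain to a trusted root).
    Raises ssl.SSLCertVerificationError on mismatch or untrusted issuer;
    returns the peer certificate dict on success.  Not exercised offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: subject taken from the Giganews certificate quoted in
# the thread; the issuer and the SAN entry are assumptions, not the real chain.
GIGANEWS_CERT = {
    "subject": (
        (("serialNumber", "XqAKcg2TSvYlPuiWhSkEBTi2CYEq1LdE"),),
        (("countryName", "US"),),
        (("organizationName", "news.giganews.com"),),
        (("organizationalUnitName", "GT53604560"),),
        (("organizationalUnitName", "Domain Control Validated - QuickSSL(R)"),),
        (("commonName", "news.giganews.com"),),
    ),
    "issuer": ((("commonName", "PLACEHOLDER-DV-CA"),),),
    "subjectAltName": (("DNS", "news.giganews.com"),),
}

# Constructed sample: a self-signed certificate with the Gmane subject quoted
# in the thread (emailAddress component omitted); no SAN, so the CN is used.
GMANE_CERT = {
    "subject": (
        (("countryName", "NO"),),
        (("stateOrProvinceName", "Some-State"),),
        (("localityName", "Oslo"),),
        (("organizationName", "Gmane"),),
        (("commonName", "news.gmane.org"),),
    ),
    "issuer": (
        (("countryName", "NO"),),
        (("stateOrProvinceName", "Some-State"),),
        (("localityName", "Oslo"),),
        (("organizationName", "Gmane"),),
        (("commonName", "news.gmane.org"),),
    ),
}

if __name__ == "__main__":
    for cert, host in ((GIGANEWS_CERT, "news.giganews.com"),
                       (GMANE_CERT, "news.gmane.org"),
                       (GMANE_CERT, "dough.gmane.org")):
        print(host, "->", diagnose(cert, host) or "accepted")
```

Running it prints that the Giganews sample is accepted for `news.giganews.com`, that the Gmane sample matches `news.gmane.org` but is rejected as self-signed, and that `dough.gmane.org` fails on both counts. The practical takeaway for a client like Pan is that the stored certificate must be keyed by the name the user connects to, and that a self-signed server certificate has to be pinned deliberately rather than accepted because its CN happens to look right.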





