walt posted on Tue, 01 May 2012 13:18:47 -0700 as excerpted:

> Hi Heinrich,
>
> I finally figured out why pan is rejecting the cert from my news servers
> even though I click on "always trust cert" an infinite number of times.
>
> At least I think I know :)
>
> Both of my for-pay servers are smaller resellers who use certs with
> names that don't match the URL of the server, unlike the top-tier news
> providers.
>
> So my question is whether gnutls provides fine-grained methods for
> ignoring specific errors and allowing others?
>
> Or, should pan just not verify the cert at all if I've checked "always
> trust"?
> I'm inclined to vote for that option as long as I have at least one
> chance to refuse the certificate before connecting to the server.
>
> Other opinions are invited, of course.
I just woke up after a good rest and I think I'm still in that creative not-quite-awake-yet zone that's so good for seeing connections one might not otherwise see... I'm not sure how much of the following pan already implements...

Something like the ssh model would be useful here. Once the cert is verified, it's considered safe on that site, regardless of other details. Only when the cert changes does it trigger a new warning.

But with the server-farm model some providers use, it may be necessary for a site to have multiple certificate "slots". I'm wondering if /that/ might be the problem in some cases -- the same set of certs being used, but which one you get depending either on the group (text vs. small binary vs. large binary is one model I've seen, large-binary having only a few days to a few weeks retention, small binary a few weeks to a few months, text months to years), or on round-robin connection assignment, thus appearing random.

With multiple connections, the round-robin version especially could be particularly troublesome as each connection could get a different certificate, thus having multiple certs in the same session to the same server! If pan is only prepared to deal with one certificate per server, that would trigger all sorts of warnings as pan tried to shuffle the single cert it has approved between all the different connections!

Does that possibly fit what you're seeing? Check the cert details and see if you're getting different certs for the same session, possibly limited to the number of connections you're using. If you're seeing different certs in the same session for the same provider, that could well be it.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman

_______________________________________________
Pan-users mailing list
Pan-users@nongnu.org
https://lists.nongnu.org/mailman/listinfo/pan-users
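The following is an added illustration of the SSH-style "trust on first use with several certificate slots per server" model Duncan describes; it is not pan's or gnutls's code. The hostnames and certificate byte strings are constructed placeholders, and a real client would feed it the DER certificate from the TLS handshake.

```python
import hashlib
from typing import Dict, List, Set

# Constructed stand-ins for DER certificates a server farm might hand out
# (e.g. one per group tier or per round-robin backend), plus an unknown one.
CERT_SLOT_A = b"constructed-cert-text-groups"
CERT_SLOT_B = b"constructed-cert-binary-groups"
CERT_UNKNOWN = b"constructed-cert-from-unknown-issuer"


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 of the certificate bytes; the key the store pins on."""
    return hashlib.sha256(cert_der).hexdigest()


class TrustStore:
    """Trust-on-first-use store keyed by server hostname.

    Each host may hold up to max_slots approved fingerprints, so a server
    farm's round-robin certificates are not mistaken for a changed cert.
    verify() never approves anything by itself; the caller must prompt.
    """

    def __init__(self, max_slots: int = 4) -> None:
        self.max_slots = max_slots
        self._approved: Dict[str, Set[str]] = {}

    def verify(self, host: str, cert_der: bytes) -> str:
        slots = self._approved.get(host)
        if slots is None:
            return "first-seen"  # never connected: must be confirmed before use
        if fingerprint(cert_der) in slots:
            return "trusted"     # matches one of the approved slots
        return "changed"         # unknown cert for a known host: warn the user

    def approve(self, host: str, cert_der: bytes) -> bool:
        """Record a user-confirmed cert; refuses past max_slots so the
        approved set cannot grow without bound."""
        slots = self._approved.setdefault(host, set())
        fp = fingerprint(cert_der)
        if fp in slots:
            return True
        if len(slots) >= self.max_slots:
            return False
        slots.add(fp)
        return True


def simulate(store: TrustStore, host: str, handshakes: List[bytes]) -> List[str]:
    """Feed each connection's cert through the store, approving whatever is
    not yet trusted (a user clicking 'always trust'), and return the verdicts."""
    verdicts = []
    for cert in handshakes:
        verdict = store.verify(host, cert)
        if verdict != "trusted":
            store.approve(host, cert)
        verdicts.append(verdict)
    return verdicts
```

With `max_slots=1` the round-robin pair keeps producing "changed" on every other connection even after approval, which is the symptom Duncan suspects; with more slots both certs settle to "trusted" while a genuinely foreign certificate still warns.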