On 05/02/2012 09:11 AM, Duncan wrote:
> walt posted on Tue, 01 May 2012 13:18:47 -0700 as excerpted:
>
>> Hi Heinrich,
>>
>> I finally figured out why pan is rejecting the cert from my news servers
>> even though I click on "always trust cert" an infinite number of times.
>>
>> At least I think I know :)
>>
>> Both of my for-pay servers are smaller resellers who use certs with
>> names that don't match the URL of the server, unlike the top-tier news
>> providers.
>>
>> So my question is whether gnutls provides fine-grained methods for
>> ignoring specific errors and allowing others?
>>
>> Or, should pan just not verify the cert at all if I've checked "always
>> trust"?
>> I'm inclined to vote for that option as long as I have at least one
>> chance to refuse the certificate before connecting to the server.
>>
>> Other opinions are invited, of course.
>
> I just woke up after a good rest and I think I'm still in that creative
> not-quite-awake-yet zone that's so good for seeing connections one might
> not otherwise see...
>
> I'm not sure how much of the following pan already implements...
>
> Something like the ssh model would be useful here. Once the cert is
> verified, it's considered safe on that site, regardless of other
> details. Only when the cert changes does it trigger a new warning.
Heinrich's latest git has fixed the problem, so I'm not motivated to do any
more debugging today :)

However, I did test to see what happens when a server changes its cert. I
deleted one cert from .pan2/ and deliberately copied another server's cert
and changed the name, so pan would be confused. I had "always trust" checked,
and pan stored the correct cert in place of the bogus one.

So, there's not much protection against MITM attacks, but OTOH I *did* say to
accept the cert without verifying.

I see that both of my (very low-budget) news providers use self-signed certs
anyway, so there is no protection from MITM possible in any case. (Cheap is
cheap ;)

BTW while debugging I stumbled across gnutls-cli, which makes it trivial to
examine a server's cert like this:

    #gnutls-cli -p 563 news.foo.com

_______________________________________________
Pan-users mailing list
Pan-users@nongnu.org
https://lists.nongnu.org/mailman/listinfo/pan-users
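The two behaviours discussed in this thread, side by side, as an added example (this is not pan's code and not code posted by anyone on the list): an "always trust" store that overwrites whatever it had pinned, which is what walt's test observed, next to the ssh-style trust-on-first-use store Duncan describes, which asks once, pins the certificate's fingerprint, and refuses a changed certificate instead of replacing the pin. The class and function names, and the byte strings standing in for the two servers' DER certificates, are constructed for the example; the scenario replays walt's test, where the stored file for news.foo.com is really another server's cert under the wrong name.

```python
import hashlib
from typing import Callable, Dict, Optional


class CertChanged(Exception):
    """Raised when a host presents a certificate different from the pinned one."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER bytes; this is what gets pinned."""
    return hashlib.sha256(cert_der).hexdigest()


class OverwritingStore:
    """Behaviour observed in the test above: with "always trust" checked,
    whatever the server sends replaces the stored cert, so a change is never noticed."""

    def __init__(self) -> None:
        self.pins: Dict[str, str] = {}

    def check(self, host: str, cert_der: bytes, always_trust: bool) -> str:
        fp = fingerprint(cert_der)
        if always_trust:
            self.pins[host] = fp          # silently replaces any earlier pin
            return "accepted"
        return "ok" if self.pins.get(host) == fp else "rejected"


class TofuStore:
    """SSH-style trust on first use (hypothetical design): prompt once, pin,
    and warn on a changed cert until the user explicitly re-pins it."""

    def __init__(self) -> None:
        self.pins: Dict[str, str] = {}

    def check(self, host: str, cert_der: bytes,
              ask_user: Callable[[str, str], bool]) -> str:
        fp = fingerprint(cert_der)
        pinned: Optional[str] = self.pins.get(host)
        if pinned is None:
            # First contact: the user gets exactly one chance to refuse.
            if ask_user(host, fp):
                self.pins[host] = fp
                return "pinned"
            return "rejected"
        if pinned == fp:
            return "ok"                   # same cert as last time, no prompt
        # A different cert is the one case that must warn, never overwrite.
        raise CertChanged(f"{host}: pinned {pinned[:16]}..., got {fp[:16]}...")

    def repin(self, host: str, cert_der: bytes) -> None:
        """Explicit user action after a CertChanged warning (e.g. a known renewal)."""
        self.pins[host] = fingerprint(cert_der)


# Constructed stand-ins for DER certificates; not real certificates.
REAL_CERT = b"-- constructed DER for news.foo.com --"
BOGUS_CERT = b"-- constructed DER for news.bar.com, copied and renamed --"


def run_scenario():
    """Replays the test from the message above against both stores.

    The stored pin for news.foo.com is the bogus (renamed) cert; the server then
    presents its real cert. Returns (naive result, tofu result,
    naive pin now equals real cert, tofu pin still equals bogus cert)."""
    naive = OverwritingStore()
    naive.pins["news.foo.com"] = fingerprint(BOGUS_CERT)
    naive_result = naive.check("news.foo.com", REAL_CERT, always_trust=True)

    tofu = TofuStore()
    tofu.pins["news.foo.com"] = fingerprint(BOGUS_CERT)
    try:
        tofu_result = tofu.check("news.foo.com", REAL_CERT, ask_user=lambda h, fp: True)
    except CertChanged:
        tofu_result = "warned"
    return (naive_result, tofu_result,
            naive.pins["news.foo.com"] == fingerprint(REAL_CERT),
            tofu.pins["news.foo.com"] == fingerprint(BOGUS_CERT))


if __name__ == "__main__":
    print(run_scenario())   # ('accepted', 'warned', True, True)
```

The store compares fingerprints only, so who signed the certificate does not enter into it; the warning on a changed cert is the whole of the protection, which is why the pin must never be updated without an explicit user action such as repin().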