Duncan posted on Mon, 10 Dec 2012 19:52:14 +0000 as excerpted:

> walt posted on Mon, 10 Dec 2012 05:49:12 -0800 as excerpted:
>
>> On 12/08/2012 05:49 PM, walt wrote:
>>>
>>> Third bizarre behavior of pan+gnutls-3 is that the "broken" server is
>>> not *always* broken, but works intermittently, sometimes for days at a
>>> time, and then breaks again for reasons I can't understand. I just
>>> started pan again at 17:30 PST and it connected perfectly to the
>>> 'broken' server and stored its 6-byte cert file right beside the
>>> 'working' server's 6-byte cert file, like this:
>>
>> Yesterday the 'broken' server started and stopped working at least five
>> times, and did it again this morning. I still don't understand why
>> this happens but at least I do have another possible clue:
>>
>> When I set pan to *not* trust the server's cert, two different things
>> may happen. First, when the server is broken, pan never presents me
>> with the cert for my approval, i.e. it seems to me that gnutls-3 is not
>> actually fetching/reading the cert and therefore can't ask me to
>> approve it.
>>
>> Second, when the server suddenly starts working again, pan actually
>> does present me with the cert for approval, and in fact it presents it
>> two and sometimes three times, so I have to click away the dialog box
>> more than once. After that, pan works perfectly again for some
>> unpredictable period of time before the server 'breaks' again.
>>
>> To add to my confusion, I can use gnutls-cli-debug -p 563 to examine
>> the server's cert perfectly whether the server is 'broken' or not.
>> That seems to imply that something in pan is changing rather than
>> something in the server, doesn't it?
>>
>> I remain mystified :(
>
> I've been going to look into this myself (I've been running gnutls 3.x
> for quite some time but switched back to plain text when pan's secure
> code was still churning, and I need to try it again anyway), but I've
> not had the time as I'm working full time again. =:^) Also, I forgot
> after your first mail, so this one reminded me.

Seems I had switched back to nntps and had forgotten about it, so I was
actually using it when I wrote that. =:^)

> From your previous post, the short cert files are probably just hashes,
> giving pan just enough info to know whether it has accepted the cert yet
> or not. Reading the source may confirm that one way or the other.

FWIW, I checked and my (working) *.pem file is 6 bytes too. So that
would appear to be normal.

FWIW if you wish to compare same-server, my only active server is gmane,
here. news.gmane.org, standard ports (119/nntp or 563/nntps). Your
(walt's) headers say you're posting with thunderbird, so probably direct,
not via gmane. The gmane cert is self-issued, nothing fancy, but it
works.

> The broken/working/broken bit MAY be the NSP's server, serving different
> certs depending on what front-end you connect to.

I still think that may be it...

> Meanwhile, the multiple cert-accept dialogs could well be due to pan's
> multiple connections code. If you dial back your allowed connections to
> only one, do you consistently only get one accept dialog? If so, the
> problem should be fixed, but it could well be difficult to do so, and
> since under normal conditions once you accept the cert it shouldn't
> happen again (until the cert changes), it may be that Heinrich either
> thought it was fixed or decided to leave that bug to work on some other
> time.

FWIW, I'm using only a single connection with gmane. It's mostly text,
with an occasional screen-shot or whatever posting, so there's really no
need for more, and I have no wish to abuse gmane just for doing so. But
it did take two connections back when I was running it that way before.
You could try that and see...

(Mostly OT comment: If I stay full time for a few more weeks I'm going to
be tempted to sign up somewhere for a real nsp. I figure a half-TB block
should last me quite some time, over a year even if I go back to
binaries, as I never did download more than about a gig a day, average.
THEN I'll actually be able to test some of this stuff.)

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman

_______________________________________________
Pan-users mailing list
Pan-users@nongnu.org
https://lists.nongnu.org/mailman/listinfo/pan-users
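Added example, not pan's or gnutls' code: a small Python trust-on-first-use store that illustrates two points raised in the thread above. First, the per-server file pan writes only needs to hold a fingerprint of the accepted certificate, not the certificate itself, to decide whether it has already been approved. Second, when several connections to the same server come up at once, a single lock around the accept prompt means one dialog is shown and the other connections reuse that decision instead of each prompting. A certificate that differs from the one accepted earlier (as a farm of front-ends serving different certs would produce) is reported as changed rather than silently re-accepted. The server name, the constructed certificate bytes and the TrustStore design are assumptions; fetch_der_cert only shows how the DER bytes would be obtained from a live NNTPS server and is not exercised offline.

```python
import hashlib
import socket
import ssl
import threading
from typing import Callable, Dict, List, Tuple


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


class TrustStore:
    """Trust-on-first-use store keyed by server name (hypothetical design,
    not pan's). One lock serialises the accept decision so that several
    connections to the same server produce a single prompt."""

    def __init__(self, ask_user: Callable[[str, str], bool]) -> None:
        self._accepted: Dict[str, str] = {}   # server -> fingerprint
        self._ask_user = ask_user
        self._lock = threading.Lock()
        self.prompts = 0                      # how many dialogs were shown

    def verify(self, server: str, der_cert: bytes) -> str:
        fp = fingerprint(der_cert)
        with self._lock:
            stored = self._accepted.get(server)
            if stored == fp:
                return "accepted"
            if stored is not None:
                # A different cert than the one accepted earlier: do not
                # silently overwrite it, surface the change to the caller.
                return "changed"
            self.prompts += 1
            if self._ask_user(server, fp):
                self._accepted[server] = fp
                return "accepted"
            return "rejected"


def fetch_der_cert(host: str, port: int = 563, timeout: float = 10.0) -> bytes:
    """Fetch the raw peer certificate from an NNTPS server so it can be
    fingerprinted. Library verification is turned off here only because the
    fingerprint check above is the verification step; no application data
    is exchanged on this connection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for two DER certificates (not real certificates).
CERT_FRONTEND_A = b"constructed-der-cert-frontend-A"
CERT_FRONTEND_B = b"constructed-der-cert-frontend-B"
SERVER = "news.example.invalid"   # hypothetical server name


def concurrent_first_connect(n_connections: int = 4) -> Tuple[List[str], int]:
    """n connections race to verify the same, not yet accepted cert. With the
    lock only one prompt is shown and every connection ends up accepted."""
    store = TrustStore(ask_user=lambda server, fp: True)
    results: List[str] = [""] * n_connections

    def worker(i: int) -> None:
        results[i] = store.verify(SERVER, CERT_FRONTEND_A)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_connections)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results, store.prompts


def rotating_frontends() -> Tuple[str, str, str, int]:
    """Accept front-end A's cert, then meet front-end B's cert on the next
    connection: that is reported as 'changed', and A is still accepted
    afterwards without another prompt."""
    store = TrustStore(ask_user=lambda server, fp: True)
    first = store.verify(SERVER, CERT_FRONTEND_A)
    second = store.verify(SERVER, CERT_FRONTEND_B)
    again = store.verify(SERVER, CERT_FRONTEND_A)
    return first, second, again, store.prompts


if __name__ == "__main__":
    print(concurrent_first_connect())
    print(rotating_frontends())
```

Holding the lock while the prompt is open is the simplest way to get one dialog per server; a client that must keep its UI responsive would instead park the waiting connections on an event that the first connection signals once the user has answered.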