Duncan: I posted this reply on 12-11 but AFAICT it never reached the mailing list, so this is my second try--with fingers crossed:
On 12/11/2012 02:45 AM, Duncan wrote:
> The broken/working/broken bit MAY be the NSP's server, serving different
> certs depending on what front-end you connect to.
I still think that may be it...
Aha! Good guess :)

I'm not yet certain how many different keys I may be getting from the same IP address (it's always the same address) but there are at least two -- the broken one is RSA512 (weak) and the working one is RSA1024. Mind you, gnutls-2.x.x accepts both of those keys without problem, so gnutls-3 must be doing something different with the 512-bit key.

I'm still struggling with pan's gnutls code, so I don't know yet if pan is asking gnutls to report on the cipher strength. Now that I understand what's happening I may be able to find the relevant piece of pan's code and puzzle it out.

Thanks, as always, for being a good observer :)

_______________________________________________
Pan-users mailing list
Pan-users@nongnu.org
https://lists.nongnu.org/mailman/listinfo/pan-users