walt posted on Mon, 22 Feb 2016 19:43:39 -0800 as excerpted:

> Hi, veteran pan debuggers.
>
> I'm running the latest pan from git with gnutls support and I'm a bit
> confused about how pan is saving the server certs. If you have a news
> server that supports ssl/tls connections, could you look in your
> ~/.pan2/ssl_certs directory for any files and check to make sure they
> are stored correctly?
>
> They should be .pem files, which are plain text files containing lines
> like -----BEGIN CERTIFICATE----- followed by a bunch of text garbage,
> followed by -----END CERTIFICATE-----.
>
> Thanks for testing :)

Thanks for looking into this. Pan's certificate handling has been nagging at me for awhile as it didn't seem to work quite as I expected, but I don't know enough about it to do anything on my own.

In particular, it seems I have to check the "always trust this server's certificate" box to avoid being prompted every time I restart pan and attempt to connect to a secure server, and if I'm not mistaken, that option defeats much of the purpose of a secure connection, since I think that makes it trust /any/ random cert it sees, thus allowing easy MitMing (man-in-the-middling).

But the so-called certs seem to be only 6-bytes long, effectively non-ascii apparently binary garbage, instead of the base-64-encoded and thus ascii-looking cert of some rather longer length that I expected, and if pan isn't saving them correctly, that would explain why it can't recognize certs that have already been accepted, thus necessitating either accepting them every time or checking the "always trust" box.

So indeed, thanks for looking into this. You certainly know code better than I, and have a much better chance at figuring out what's going on and how it differs from what's /supposed/ to be going on, than I. Hopefully after you're done, I'll feel rather better about pan's cert handling, either because it's fixed, or because I understand what it's actually doing somewhat better, and am comfortable it's working as it's /supposed/ to work.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
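
The check requested in the quoted message can be scripted. The following is an added example, not part of the original thread or of Pan's code: it classifies each file in the `~/.pan2/ssl_certs` directory named in the post as PEM, raw DER or invalid, so a 6-byte file like the ones described above is reported as invalid. The function names and the 64-byte minimum size are assumptions, and the check is structural only (PEM armour, base64 body, outer ASN.1 SEQUENCE length); it does not validate the certificate itself.

```python
import base64
import re
from pathlib import Path

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
MIN_CERT_LEN = 64  # assumed floor: any real X.509 certificate is far larger


def looks_like_cert_der(der: bytes) -> bool:
    """True if der is exactly one ASN.1 SEQUENCE of plausible certificate size."""
    if len(der) < MIN_CERT_LEN or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, body_len = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4:
            return False
        header, body_len = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + body_len


def classify_cert_file(data: bytes) -> str:
    """Return 'pem', 'der' or 'invalid' for the contents of a saved cert file."""
    m = PEM_RE.search(data)
    if m is None:
        return "der" if looks_like_cert_der(data) else "invalid"
    try:
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    except ValueError:                    # non-base64 characters or bad padding
        return "invalid"
    return "pem" if looks_like_cert_der(der) else "invalid"


def check_cert_dir(directory: Path) -> dict:
    """Map each file name in directory to (size in bytes, classification)."""
    return {p.name: (p.stat().st_size, classify_cert_file(p.read_bytes()))
            for p in sorted(directory.iterdir()) if p.is_file()}


if __name__ == "__main__":
    cert_dir = Path.home() / ".pan2" / "ssl_certs"   # directory named in the post
    if cert_dir.is_dir():
        for name, (size, kind) in check_cert_dir(cert_dir).items():
            print(f"{size:>7}  {kind:<8} {name}")
    else:
        print(f"{cert_dir} not found")
```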