
Re: [Pan-users] gnutls error: hostname does not match server name


From: Duncan
Subject: Re: [Pan-users] gnutls error: hostname does not match server name
Date: Wed, 2 May 2012 16:11:57 +0000 (UTC)
User-agent: Pan/0.136 (I'm far too busy being delicious; GIT 187e40f /st/portage/src/egit-src/pan2)

walt posted on Tue, 01 May 2012 13:18:47 -0700 as excerpted:

> Hi Heinrich,
> 
> I finally figured out why pan is rejecting the cert from my news servers
> even though I click on "always trust cert" an infinite number of times.
> 
> At least I think I know :)
> 
> Both of my for-pay servers are smaller resellers who use certs with
> names that don't match the URL of the server, unlike the top-tier news
> providers.
> 
> So my question is whether gnutls provides fine-grained methods for
> ignoring specific errors and allowing others?
> 
> Or, should pan just not verify the cert at all if I've checked "always
> trust"?
> I'm inclined to vote for that option as long as I have at least one
> chance to refuse the certificate before connecting to the server.
> 
> Other opinions are invited, of course.

I just woke up after a good rest and I think I'm still in that creative 
not-quite-awake-yet zone that's so good for seeing connections one might 
not otherwise see...

I'm not sure how much of the following pan already implements...

Something like the ssh model would be useful here.  Once the cert is 
verified, it's considered safe on that site, regardless of other 
details.  Only when the cert changes does it trigger a new warning.

But with the server-farm model some providers use, it may be necessary 
for a site to have multiple certificate "slots".

I'm wondering if /that/ might be the problem in some cases -- the same 
set of certs being used, but which one you get depending either on the 
group (text vs. small binary vs. large binary is one model I've seen, 
large-binary having only a few days to a few weeks retention, small binary 
a few weeks to a few months, text months to years), or on round-robin 
connection assignment, thus appearing random.  With multiple connections, 
the round-robin version especially could be particularly troublesome as 
each connection could get a different certificate, thus having multiple 
certs in the same session to the same server!  If pan is only prepared to 
deal with one certificate per server, that would trigger all sorts of 
warnings as pan tried to shuffle the single cert it has approved between 
all the different connections!

Does that possibly fit what you're seeing?  Check the cert details and 
see if you're getting different certs for the same session, possibly 
limited to the number of connections you're using.  If you're seeing 
different certs in the same session for the same provider, that could 
well be it.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
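The ssh-style store with several certificate "slots" per server that Duncan sketches above, written out as an added example in Python; it is not Pan's code, the certificate bytes, server and names are constructed stand-ins, and CA chain validation is assumed to have already happened in gnutls before this store is consulted.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for DER certificates; a real client would use the
# bytes gnutls returns after the handshake.
CERT_A = b"constructed-cert-A"
CERT_B = b"constructed-cert-B"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the whole certificate, the value a user compares by hand."""
    return hashlib.sha256(der).hexdigest()


def hostname_matches(cert_names, server: str) -> bool:
    """Exact match, or a wildcard in the leftmost label only: the check that
    produces 'hostname does not match server name' when it fails."""
    server = server.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == server:
            return True
        if name.startswith("*.") and "." in server:
            if server.split(".", 1)[1] == name[2:]:
                return True
    return False


@dataclass
class TrustStore:
    # server -> set of approved fingerprints: several slots per server so a
    # round-robin farm handing out different certs per connection stays quiet.
    slots: dict = field(default_factory=dict)

    def decide(self, server: str, der: bytes, cert_names) -> str:
        fp = fingerprint(der)
        approved = self.slots.get(server, set())
        if fp in approved:
            return "trusted"  # approved once, accepted silently from then on
        if approved:
            # Known server, unseen cert: a second slot or a real change, so the
            # user gets one chance to refuse before the connection proceeds.
            return "prompt-new-cert"
        if hostname_matches(cert_names, server):
            return "prompt-first-contact"
        return "prompt-hostname-mismatch"

    def approve(self, server: str, der: bytes) -> None:
        """'Always trust cert': add a slot instead of replacing the old one."""
        self.slots.setdefault(server, set()).add(fingerprint(der))


def session_prompts(store, server, per_connection_certs, cert_names, multi_slot=True):
    """Count prompts over one session whose connections each get a farm cert.
    multi_slot=False keeps only the latest cert, reproducing the shuffling."""
    prompts = 0
    for der in per_connection_certs:
        if store.decide(server, der, cert_names) != "trusted":
            prompts += 1
            if not multi_slot:
                store.slots[server] = set()
            store.approve(server, der)
    return prompts
```

With four connections alternating between two farm certificates, the multi-slot store prompts twice and then goes quiet, while a single-slot store prompts on every connection.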
