Re: [Pan-users] gnutls error: hostname does not match server name
From: walt
Subject: Re: [Pan-users] gnutls error: hostname does not match server name
Date: Wed, 02 May 2012 11:44:08 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120420 Thunderbird/12.0
On 05/02/2012 09:11 AM, Duncan wrote:
> walt posted on Tue, 01 May 2012 13:18:47 -0700 as excerpted:
>
>> Hi Heinrich,
>>
>> I finally figured out why pan is rejecting the cert from my news servers
>> even though I click on "always trust cert" an infinite number of times.
>>
>> At least I think I know :)
>>
>> Both of my for-pay servers are smaller resellers who use certs with
>> names that don't match the URL of the server, unlike the top-tier news
>> providers.
>>
>> So my question is whether gnutls provides fine-grained methods for
>> ignoring specific errors and allowing others?
>>
>> Or, should pan just not verify the cert at all if I've checked "always
>> trust"?
>> I'm inclined to vote for that option as long as I have at least one
>> chance to refuse the certificate before connecting to the server.
>>
>> Other opinions are invited, of course.
>
> I just woke up after a good rest and I think I'm still in that creative
> not-quite-awake-yet zone that's so good for seeing connections one might
> not otherwise see...
>
> I'm not sure how much of the following pan already implements...
>
> Something like the ssh model would be useful here. Once the cert is
> verified, it's considered safe on that site, regardless of other
> details. Only when the cert changes does it trigger a new warning.
Heinrich's latest git has fixed the problem, so I'm not motivated to
do any more debugging today :)
However, I did test to see what happens when a server changes its cert.
I deleted one cert from .pan2/ and deliberately copied another server's
cert and changed the name, so pan would be confused.
I had "always trust" checked, and pan stored the correct cert in place
of the bogus one. So, there's not much protection against MITM attacks,
but OTOH I *did* say to accept the cert without verifying.
I see that both of my (very low-budget) news providers use self-signed
certs anyway, so there is no protection from MITM possible in any case.
(Cheap is cheap ;)
BTW while debugging I stumbled across gnutls-cli, which makes it trivial
to examine a server's cert like this:
#gnutls-cli -p 563 news.foo.com
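The "ssh model" Duncan describes and the cert-swap test walt ran above map onto a small first-use pin store. The following is an added illustration written for this page, not Pan's code and not a gnutls API: the certificate bytes are constructed stand-ins, the verification errors are this example's own string tags rather than gnutls status names, and the JSON pin file layout is assumed. The point it makes is the one walt's test exposed: with a pin in place, a different certificate for the same host should be refused, not stored over the old one, and "always trust" should at most waive the hostname-mismatch and untrusted-issuer errors that self-signed reseller certs produce, never everything.

```python
import hashlib
import json
from pathlib import Path

# Constructed stand-ins for DER-encoded certificates. A real client would pass
# the peer's leaf certificate bytes as handed back by the TLS library.
CERT_NEWS = b"constructed DER: self-signed cert issued to reseller-box.example"
CERT_OTHER = b"constructed DER: cert copied from a different server"

# Verification outcomes, as this example's own string tags (not gnutls names).
# A matching pin may waive only the two errors that cheap self-signed setups
# produce; everything else stays fatal even with "always trust" checked.
WAIVABLE_BY_PIN = {"hostname-mismatch", "untrusted-issuer"}


def fingerprint(der: bytes) -> str:
    """SHA-256 of the certificate bytes, hex encoded; this is what gets pinned."""
    return hashlib.sha256(der).hexdigest()


class TofuStore:
    """First-use pin store in the ssh known_hosts style.

    The first certificate seen for host:port is pinned after the user agrees.
    Later connections must present the identical certificate; a different one
    is refused rather than silently replacing the pin.
    """

    def __init__(self, path=None):
        # Assumed layout: one JSON file mapping "host:port" -> fingerprint.
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path is not None and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def save(self):
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def decide(self, host, port, der, errors, accept_new):
        """Return (verdict, reason) for one connection attempt.

        errors:     set of verification error tags from the TLS library
        accept_new: callback (host, port, fingerprint) -> bool, the user's
                    one chance to refuse a never-before-seen certificate
        """
        fatal = set(errors) - WAIVABLE_BY_PIN
        if fatal:
            return ("refuse", "not-waivable:" + ",".join(sorted(fatal)))
        key = f"{host}:{port}"
        fp = fingerprint(der)
        pinned = self.pins.get(key)
        if pinned is None:
            if accept_new(host, port, fp):
                self.pins[key] = fp
                self.save()
                return ("accept", "pinned-on-first-use")
            return ("refuse", "user-declined")
        if pinned == fp:
            return ("accept", "pin-match")
        # The dangerous case: same host, different certificate. Keep the old pin.
        return ("refuse", "pin-mismatch")


def run_demo():
    """Walk through the sequence described in the thread and return the verdicts."""
    store = TofuStore()          # in-memory only; pass a path to persist
    always_trust = lambda host, port, fp: True
    host, port = "news.example.com", 563
    cheap_errors = {"hostname-mismatch", "untrusted-issuer"}
    return [
        store.decide(host, port, CERT_NEWS, cheap_errors, always_trust),   # first contact
        store.decide(host, port, CERT_NEWS, cheap_errors, always_trust),   # same cert again
        store.decide(host, port, CERT_OTHER, cheap_errors, always_trust),  # swapped cert
        store.decide(host, port, CERT_NEWS, {"expired"}, always_trust),    # pin can't waive this
    ]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(verdict, reason)
```

The third call is walt's experiment: a different certificate shows up under a host that already has a pin, and the store refuses instead of overwriting. Splitting the library's errors into a waivable set and everything else is the fine-grained control walt asked about; which errors belong in the waivable set is a policy choice, and this example deliberately keeps it to the two a self-signed, wrongly-named cert generates.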