Gnus development mailing list
* nnimap unable to open server unknown service 993
@ 2013-05-07 11:00 Steinar Bang
  2013-05-07 16:05 ` David Engster
  0 siblings, 1 reply; 10+ messages in thread
From: Steinar Bang @ 2013-05-07 11:00 UTC (permalink / raw)
  To: ding

Platform: Windows 7,
          emacs 24.3.1,
          Ma Gnus v0.8 (git HEAD),
          GNU TLS gnutls-3.0.9-w32-bin.zip from
          http://sourceforge.net/projects/ezwinports/files/

Summary: I haven't found a solution for the problem yet.  Any
assistance/ideas/guesses will be appreciated.

What follows are my experiments and results.

When connecting I get the following messages in the minibuffer:
  Opening nnimap server on privat...
  Opening connection to imap.mydomain.com via tls...
  Unable to open server nnimap+privat due to: Unknown service: 993
  Opening nnimap server on privat...failed:

Connecting to the same IMAP server with Opera on the same computer,  
succeeds (so there should be no firewall issues).

The nnimap server is defined as a secondary select method:
  (setq gnus-secondary-select-methods
        '((nnimap "privat"
                  (nnimap-address "imap.mydomain.com")
                  (nnimap-authenticator cram-md5)
                  (nnimap-stream ssl))
          (nntp "news.gmane.org")
          (nndiary "")
          ))

I have installed GNU TLS by downloading the bin.zip file from the above  
URL, extracting all DLL files in the bin directory of the zip file, and  
dropping them into the emacs bin directory.  That makes emacs 24 pick them  
up and use the built-in TLS.

I have googled for this error message and found this thread:
  https://groups.google.com/forum/?fromgroups=#!topic/gnu.emacs.gnus/vTPHwp0hVak
which probably isn't the issue, because
  1. My c:/Windows/System32/drivers/etc/services contains the line:
      imaps             993/tcp                           #IMAP4 protocol over TLS/SSL
  2. I'm running git gnus HEAD, which should contain the fix that Lars
     talked about at the end of the thread

I found this thread which looked more promising:  
http://thread.gmane.org/gmane.emacs.gnus.user/14695

From that thread it looked like the cause of the error message might be a
certificate issue. My IMAP server's certificate is signed by
http://cacert.org so not having the Cacert.org CA certificate installed
where GNU TLS could find it, looked like a likely culprit.

The question was then: where should I drop the cacert.org CA certificate  
so that the GNU TLS DLL in emacs would pick it up?

Googling some more, I found this:
  http://www.gnu.org/software/emacs/manual/html_node/emacs-gnutls/Help-For-Users.html

The value of gnutls-trustfiles was:
  ("/etc/ssl/certs/ca-certificates.crt" "/etc/pki/tls/certs/ca-bundle.crt"
   "/etc/ssl/ca-bundle.pem" "/usr/ssl/certs/ca-bundle.crt")

I downloaded the cacert.org class 1 certificate from
http://www.cacert.org/index.php?id=3

I saved the downloaded file as
C:\ProgramFiles\emacs-24.3\etc\gnutls\cacert.org_root.crt

I evaluated the following in the scratch buffer:
  (push "C:/ProgramFiles/emacs-24.3/etc/gnutls/cacert.org_root.crt" gnutls-trustfiles)

I then tried to start gnus, but I got the same issue.

I have tried the log levels 1, 2 and 5, by evaluating
  (setq gnutls-log-level 1)
and then tried `M-x gnus', and when that didn't give anything meaningful,  
I evaluated
  (setq gnutls-log-level 2)
and then tried `M-x gnus', and when that didn't give anything meaningful,  
I evaluated
  (setq gnutls-log-level 5)
and then tried `M-x gnus'.

But not even log level 5 gave me any clue that there were CA issues with  
the nnimap connection.

It did show that GNU TLS was active, though.  And that GNU TLS used the  
cacert.org cert, when trying to open an nntps connection to news.gmane.org:
  Opening nnimap server on privat...
  Opening connection to imap.mydomain.com via tls...
  Unable to open server nnimap+privat due to: Unknown service: 993
  Opening nnimap server on privat...failed:
  Opening nntp server on news.gmane.org...
  gnutls.c: [1] (Emacs) allocating credentials
  gnutls.c: [2] (Emacs) allocating x509 credentials
  gnutls.c: [2] (Emacs) using default verification flags
  gnutls.c: [1] (Emacs) setting the trustfile: C:/ProgramFiles/emacs-24.3/etc/gnutls/cacert.org_root.crt
  gnutls.c: [1] (Emacs) gnutls callbacks
  gnutls.c: [1] (Emacs) gnutls_init
  ...[snip! news.gmane.org stuff]





* Re: nnimap unable to open server unknown service 993
  2013-05-07 11:00 nnimap unable to open server unknown service 993 Steinar Bang
@ 2013-05-07 16:05 ` David Engster
  2013-05-07 21:34   ` Steinar Bang
  0 siblings, 1 reply; 10+ messages in thread
From: David Engster @ 2013-05-07 16:05 UTC (permalink / raw)
  To: Steinar Bang; +Cc: ding

Steinar Bang writes:
>  Unable to open server nnimap+privat due to: Unknown service: 993

[...]

> The nnimap server is defined as a secondary select method:
>  (setq gnus-secondary-select-methods
>        '((nnimap "privat"
>   	        (nnimap-address "imap.mydomain.com")
>                 (nnimap-authenticator cram-md5)

try adding

   (nnimap-server-port 993)

>                 (nnimap-stream ssl))

and maybe also drop this, I'm not sure.

-David




* Re: nnimap unable to open server unknown service 993
  2013-05-07 16:05 ` David Engster
@ 2013-05-07 21:34   ` Steinar Bang
  2013-05-07 21:42     ` nntp server news.gmane.org tries to use gnutls (Was: nnimap unable to open server unknown service 993) Steinar Bang
  0 siblings, 1 reply; 10+ messages in thread
From: Steinar Bang @ 2013-05-07 21:34 UTC (permalink / raw)
  To: ding

>>>>> David Engster <deng@randomsample.de>:
> Steinar Bang writes:
>> Unable to open server nnimap+privat due to: Unknown service: 993
> [...]
>> The nnimap server is defined as a secondary select method:
>> (setq gnus-secondary-select-methods
>> '((nnimap "privat"
>>  (nnimap-address "imap.mydomain.com")
>>  (nnimap-authenticator cram-md5)

> try adding

>    (nnimap-server-port 993)

That worked!  Thanks!

The entry now looks like this:
      '((nnimap "privat"
                (nnimap-address "imap.mydomain.com")
                (nnimap-authenticator cram-md5)
                (nnimap-server-port 993)
                (nnimap-stream ssl))


>> (nnimap-stream ssl))

> and maybe also drop this, I'm not sure.

With or without it didn't make any difference.  I'm leaving it in
place.  The config file is shared between different emacs versions, and
with openssl and gnutls shell scripts.





* nntp server news.gmane.org tries to use gnutls (Was: nnimap unable to open server unknown service 993)
  2013-05-07 21:34   ` Steinar Bang
@ 2013-05-07 21:42     ` Steinar Bang
  2013-05-07 21:53       ` nntp server news.gmane.org tries to use gnutls Adam Sjøgren
  0 siblings, 1 reply; 10+ messages in thread
From: Steinar Bang @ 2013-05-07 21:42 UTC (permalink / raw)
  To: ding

However, with nnimap working, the next issue is kind of interesting: tls
seems to be invoked when entering one of the nntp groups on
news.gmane.org: 
 Opening nntp server on news.gmane.org...done
 gnutls.c: [0] (Emacs) fatal error: Error in the push function.
 gnutls.c: [0] (Emacs) fatal error: The specified session has been invalidated for some reason. [112 times]

This happens only when trying to enter a group.  I don't see this error
when doing a `g' in the Groups buffer.

I have this issue both with news.gmane.org, which is in the
gnus-secondary-select-methods, and with ger.gmane.org which has been
added to the server buffer.

I do not see this issue on news.eclipse.org.  I haven't tried any of the
other nntp servers yet.





* Re: nntp server news.gmane.org tries to use gnutls
  2013-05-07 21:42     ` nntp server news.gmane.org tries to use gnutls (Was: nnimap unable to open server unknown service 993) Steinar Bang
@ 2013-05-07 21:53       ` Adam Sjøgren
  2013-05-07 23:20         ` Steinar Bang
  0 siblings, 1 reply; 10+ messages in thread
From: Adam Sjøgren @ 2013-05-07 21:53 UTC (permalink / raw)
  To: ding

Steinar Bang <sb@dod.no> writes:

> I have this issue both with news.gmane.org, which is in the
> gnus-secondary-select-methods, and with ger.gmane.org which has been
> added to the server buffer.

I seem to remember newer Gnusae try to use STARTTLS if the server
supports it.

> I do not see this issue on news.eclipse.org.

  $ telnet news.eclipse.org nntp
  [...]
  200 news.eclipse.org InterNetNews NNRP server INN 2.4.2 ready (posting ok).
  STARTTLS
  500 What?

vs.

  $ telnet news.gmane.org nntp
  [...]
  200 news.gmane.org InterNetNews NNRP server INN 2.5.1 ready (posting ok)
  STARTTLS
  382 Begin TLS negotiation now


  Best regards,

    Adam

-- 
 "Hur långt man än har kommit                                 Adam Sjøgren
  är det alltid längre kvar"                             asjo@koldfront.dk





* Re: nntp server news.gmane.org tries to use gnutls
  2013-05-07 21:53       ` nntp server news.gmane.org tries to use gnutls Adam Sjøgren
@ 2013-05-07 23:20         ` Steinar Bang
  2013-05-08  0:17           ` Katsumi Yamaoka
  2013-05-08  8:44           ` Adam Sjøgren
  0 siblings, 2 replies; 10+ messages in thread
From: Steinar Bang @ 2013-05-07 23:20 UTC (permalink / raw)
  To: ding

>>>>> asjo@koldfront.dk (Adam Sjøgren):
> Steinar Bang <sb@dod.no> writes:

> I seem to remember newer Gnusae try to use STARTTLS if the server
> supports it.

Hm... is that a feature or a bug...?

>   $ telnet news.eclipse.org nntp
>   [...]
>   200 news.eclipse.org InterNetNews NNRP server INN 2.4.2 ready (posting ok).
>   STARTTLS
>   500 What?

> vs.

>   $ telnet news.gmane.org nntp
>   [...]
>   200 news.gmane.org InterNetNews NNRP server INN 2.5.1 ready (posting ok)
>   STARTTLS
>   382 Begin TLS negotiation now

Indeed.

Is there a way to switch it off?  Alternatively: how can I make it work?
Install the cert for news.gmane.org in a place where gnutls will find
it, same as I did with the cacert CA? (BTW it would be nice if the
gmane.org certs were signed by cacert instead of being self-signed)



-- 
"Som graset står eg ventande på ein ljå"





* Re: nntp server news.gmane.org tries to use gnutls
  2013-05-07 23:20         ` Steinar Bang
@ 2013-05-08  0:17           ` Katsumi Yamaoka
  2013-05-08  8:44           ` Adam Sjøgren
  1 sibling, 0 replies; 10+ messages in thread
From: Katsumi Yamaoka @ 2013-05-08  0:17 UTC (permalink / raw)
  To: ding

Steinar Bang wrote:
> Is there a way to switch it off?

I've been using this for months.  It seems to work but sometimes I see
gnutls.c issuing a warning (I haven't examined it yet tho).

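(defadvice open-network-stream (before
                                never-use-stls
                                (name buffer host service &rest parameters)
                                activate)
  "Never use starttls (gnutls, that issues an annoying warning)."
  ;; Only touch the NNTP and POP connections, identified by process name.
  (when (member name '("nntpd" "POP"))
    ;; Work on a copy and keep plist-put's return value: it is the only
    ;; reliable result when the key is not already in the list.
    (setq parameters
          (plist-put (copy-sequence parameters) :starttls-function nil))))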




* Re: nntp server news.gmane.org tries to use gnutls
  2013-05-07 23:20         ` Steinar Bang
  2013-05-08  0:17           ` Katsumi Yamaoka
@ 2013-05-08  8:44           ` Adam Sjøgren
  2013-05-08 11:38             ` Steinar Bang
  1 sibling, 1 reply; 10+ messages in thread
From: Adam Sjøgren @ 2013-05-08  8:44 UTC (permalink / raw)
  To: ding

Steinar Bang <sb@dod.no> writes:

>>>>>> asjo@koldfront.dk (Adam Sjøgren):
>> Steinar Bang <sb@dod.no> writes:

>> I seem to remember newer Gnusae try to use STARTTLS if the server
>> supports it.

> Hm... is that a feature or a bug...?

To me it sounds like a feature - default to the most reasonable thing to
do.

It sounds like a bug if it doesn't work, though.

> Is there a way to switch it off?  Alternatively: how can I make it work?
> Install the cert for news.gmane.org in a place where gnutls will find
> it, same as I did with the cacert CA?

I don't think I have done anything like that to make it work - I may be
misremembering though. Looks like I just have (require 'gnutls) and
that's it.

(GNU Emacs 24.3.50.1, Ma Gnus v0.8)

> (BTW it would be nice if the gmane.org certs were signed by cacert
> instead of being self-signed)

They just have to be updated quite often, which is a {b,ch}ore.


  Best regards,

    Adam

-- 
 "Hur långt man än har kommit                                 Adam Sjøgren
  är det alltid längre kvar"                             asjo@koldfront.dk





* Re: nntp server news.gmane.org tries to use gnutls
  2013-05-08  8:44           ` Adam Sjøgren
@ 2013-05-08 11:38             ` Steinar Bang
  2013-05-08 21:19               ` Adam Sjøgren
  0 siblings, 1 reply; 10+ messages in thread
From: Steinar Bang @ 2013-05-08 11:38 UTC (permalink / raw)
  To: ding

>>>>> asjo@koldfront.dk (Adam Sjøgren):

> To me it sounds like a feature - default to the most reasonable thing
> to do.

Yes, but that's what I was unsure about: is gunning for STARTTLS always
the most reasonable thing to do...?

> It sounds like a bug if it doesn't work, though.

Indeed.

> I don't think I have done anything like that to make it work - I may
> be misremembering though. Looks like I just have (require 'gnutls) and
> that's it.

I tried Katsumi Yamaoka's workaround, but that didn't work for me.  I
just got
 Opening nntp server on news.gmane.org...done
 apply: Server closed connection

Since then it has sometimes worked and sometimes not.  Entering
gmane.discuss worked, but entering this group immediately after,
failed. 

So now I tried upping the GNUTls log level in Messages, by doing
 (setq gnutls-log-level 1)
in the scratch buffer.

And then entering this group worked without a hitch... but I don't know
if this was coincidental or an actual effect.  Have the gmane servers
had some issues today, I wonder...?

This is what the increased log level said:
 Opening nntp server on news.gmane.org...
 gnutls.c: [1] (Emacs) allocating credentials
 gnutls.c: [1] (Emacs) gnutls callbacks
 gnutls.c: [1] (Emacs) gnutls_init
 gnutls.c: [1] (Emacs) got non-default priority string: NORMAL
 gnutls.c: [1] (Emacs) setting the priority string
 news.gmane.org certificate could not be verified.
 gnutls.c: [1] (Emacs) certificate signer was not found: news.gmane.org
 gnutls.c: [1] (Emacs) certificate validation failed: news.gmane.org
 Opening nntp server on news.gmane.org...done

(certificate validation failed, but that did not stop Gnus from
continuing)

>> (BTW it would be nice if the gmane.org certs were signed by cacert
>> instead of being self-signed)

> They just have to be updated quite often, which is a {b,ch}ore.

Possible solutions:
 - Automate the server certificate updates (once every 3 months)
   http://wiki.cacert.org/Software/CertApi
 - Someone (ie. Lars) should get a higher level of trust with cacert.org
   and get longer-lived certs
 - Both of the above

(I think I will try for the automated solution for my own certs)
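
The log excerpt in the message above shows a connection that completed after gnutls reported a certificate failure. As an added example (not part of the thread), this Python script scans Emacs `*Messages*` text for that pattern; the line formats are taken from the logs quoted on this page, while the function names and the news.example.org session are constructed.

```python
import re

# Constructed sample: the *Messages* lines quoted in this thread, plus one
# constructed clean session (news.example.org is a placeholder host).
SAMPLE = """\
Opening nntp server on news.gmane.org...
gnutls.c: [1] (Emacs) allocating credentials
gnutls.c: [1] (Emacs) gnutls callbacks
gnutls.c: [1] (Emacs) gnutls_init
gnutls.c: [1] (Emacs) got non-default priority string: NORMAL
gnutls.c: [1] (Emacs) setting the priority string
news.gmane.org certificate could not be verified.
gnutls.c: [1] (Emacs) certificate signer was not found: news.gmane.org
gnutls.c: [1] (Emacs) certificate validation failed: news.gmane.org
Opening nntp server on news.gmane.org...done
Opening nntp server on news.example.org...
gnutls.c: [1] (Emacs) gnutls_init
Opening nntp server on news.example.org...done
Opening nnimap server on privat...
Unable to open server nnimap+privat due to: Unknown service: 993
Opening nnimap server on privat...failed:
"""

# "Opening <backend> server on <name>..." with an optional outcome suffix.
OPEN = re.compile(r"^Opening (\w+) server on (\S+?)\.\.\.(done|failed:?)?\s*$")
# gnutls.c lines that report a certificate problem for a host.
CERT = re.compile(r"^gnutls\.c: \[\d+\] \(Emacs\) certificate (.+?): (\S+)$")

def audit(text):
    """Return one record per connection attempt that has a start and an end line."""
    current, results = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = CERT.match(line)
        if m and current is not None:
            # Attach the failure to the attempt in progress (assumes attempts
            # are logged sequentially, as in the excerpts on this page).
            current["cert_problems"].append(m.group(1))
            continue
        m = OPEN.match(line)
        if not m:
            continue
        backend, server, outcome = m.groups()
        if outcome is None:
            current = {"backend": backend, "server": server, "cert_problems": []}
        elif current is not None and current["server"] == server:
            current["outcome"] = outcome.rstrip(":")
            current["unverified_but_open"] = (
                current["outcome"] == "done" and bool(current["cert_problems"]))
            results.append(current)
            current = None
    return results

def unverified(text):
    """Servers whose connection completed despite a certificate failure."""
    return [r["server"] for r in audit(text) if r["unverified_but_open"]]
```

The certificate lines only appear when `gnutls-log-level` is at least 1, so an audit like this depends on that setting being active while the connections are made.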







* Re: nntp server news.gmane.org tries to use gnutls
  2013-05-08 11:38             ` Steinar Bang
@ 2013-05-08 21:19               ` Adam Sjøgren
  0 siblings, 0 replies; 10+ messages in thread
From: Adam Sjøgren @ 2013-05-08 21:19 UTC (permalink / raw)
  To: ding

Steinar Bang <sb@dod.no> writes:

> Yes, but that's what I was unsure about: is gunning for STARTTLS always
> the most reasonable thing to do...?

If it is available, I think encryption is, yes.

> (certificate validation failed, but that did not stop Gnus from
> continuing)

At least the CIA sniffers won't know what you were reading, although you
don't know for sure who was serving you articles.

[...]

> Possible solutions:
>  - Automate the server certificate updates (once every 3 months)
>    http://wiki.cacert.org/Software/CertApi

Does this allow renewal? It is unclear to me, but so is a lot of this
stuff.

>  - Someone (ie. Lars) should get a higher level of trust with cacert.org
>    and get longer-lived certs

Sounds like work to me, and I don't even have to do it...

> (I think I will try for the automated solution for my own certs)

Let us know how it goes!


  Best regards,

    Adam

-- 
 "Hur långt man än har kommit                                 Adam Sjøgren
  är det alltid längre kvar"                             asjo@koldfront.dk



