secnews.netscape.com?

secnews.netscape.com?

[Amos Gouaux]

As header may reveal, this is a Solaris box with xemacs-21.1.14 and
ognus-0.03.

I wanted to set up a foreign group for secnews.netscape.com.  I've
been using netscape to read some of these, but grow weary of it.

So, I pressed `^' to go into the server buffer, pressed `a' to add
another server ("netscape"), then pressed `e' to edit it as follows:

(nntp "netscape" 
      (nntp-open-connection-function nntp-open-ssl-stream) 
      (nntp-port-number "563") 
      (nntp-address "secnews.netscape.com")) 

However, after doing all of that, if I press `O' to open that
server, I get back "Couldn't open netscape".  If I just hit the
return key on that entry: "Unable to contact server netscape:".  I
even tried setting `debug-on-error' to `t', but nothing happens.

I know it is possible to do ssl connections because I'm using an ssl
connection to an imap server, and that seems to work fine[1].  Is
there something else I can try?

-Amos

Notes:
1. I don't know if the stunnel/openssl on the imap server are too
   old and/or buggy or what, but I've noticed that when I have gnus
   running all day, after a while the connection to this imap server
   will hang.  If it matters, it's also a foreign group, and I had
   that group at a level 2 so that a gnus-demon-add-handler thing
   could periodically check for new mail.  Don't know if that could
   be a contributing factor.  I guess the only way to track that
   down is to set nnimap-debug and let that buffer fill up, huh?

Re: secnews.netscape.com?

[Amos Gouaux]

>>>>> On 07 May 2001 23:49:05 -0500,
>>>>> Amos Gouaux <amos+lists.ding@utdallas.edu> (ag) writes:

ag> (nntp "netscape" 
ag>       (nntp-open-connection-function nntp-open-ssl-stream) 
ag>       (nntp-port-number 563) 
ag>       (nntp-address "secnews.netscape.com")) 

ag> However, after doing all of that, if I press `O' to open that
ag> server, I get back "Couldn't open netscape".  If I just hit the
ag> return key on that entry: "Unable to contact server netscape:".  I
ag> even tried setting `debug-on-error' to `t', but nothing happens.

Well, this was interesting.  I looked in the ding archive and
noticed the maintainer of w3 stating that ssl-program-arguments
shouldn't be modified.  Something about "s_client" no longer being
valid with OpenSSL.  Well, I'm not sure where that comes from
because it sure seems to be valid with openssl-0.9.6a.  I also
notice that imap.el uses this command to openssl.  So, I tried the
following alteration:

*** lisp/nntp.el.~1~  Mon Apr 30 16:39:59 2001
--- lisp/nntp.el  Tue May  8 18:09:11 2001
***************
*** 920,927 ****
    (open-network-stream "nntpd" buffer nntp-address nntp-port-number))
  
  (defun nntp-open-ssl-stream (buffer)
!   (let* ((ssl-program-arguments '("-connect" (concat host ":" service)))
!   (proc (open-ssl-stream "nntpd" buffer nntp-address nntp-port-number)))
      (save-excursion
        (set-buffer buffer)
        (nntp-wait-for-string "^\r*20[01]")
--- 920,927 ----
    (open-network-stream "nntpd" buffer nntp-address nntp-port-number))
  
  (defun nntp-open-ssl-stream (buffer)
!   (let* ((ssl-program-arguments '("s_client" "-connect" (concat host ":" service)))
!   (proc (open-ssl-stream "nntpd-ssl" buffer nntp-address nntp-port-number)))
      (save-excursion
        (set-buffer buffer)
        (nntp-wait-for-string "^\r*20[01]")


Now I'm able to login to secnews.netscape.com:563 without any problems.

-- 
Amos

Re: secnews.netscape.com?

[Amos Gouaux]

>>>>> On 08 May 2001 18:17:15 -0500,
>>>>> Amos Gouaux <amos+lists.ding@utdallas.edu> (ag) writes:

ag> Well, this was interesting.  I looked in the ding archive and
ag> noticed the maintainer of w3 stating that ssl-program-arguments
ag> shouldn't be modified.  Something about "s_client" no longer being
ag> valid with OpenSSL.  Well, I'm not sure where that comes from
ag> because it sure seems to be valid with openssl-0.9.6a.  I also
ag> notice that imap.el uses this command to openssl.  So, I tried the
ag> following alteration:

[...]

ag> Now I'm able to login to secnews.netscape.com:563 without any problems.

More curious, this nntp over ssl only works if I open it before
opening an imaps connection.  If I open the imaps connection first,
then I get the same error I was getting before.  Odd......

-- 
Amos

Re: secnews.netscape.com?

[Simon Josefsson]

Amos Gouaux <amos+lists.ding@utdallas.edu> writes:

> Well, this was interesting.  I looked in the ding archive and
> noticed the maintainer of w3 stating that ssl-program-arguments
> shouldn't be modified.  Something about "s_client" no longer being
> valid with OpenSSL.

Right, OpenSSL used to ship a binary called `s_client', now it only
ship one binary `openssl' that take old binary names as the first
argument.

> !   (let* ((ssl-program-arguments '("-connect" (concat host ":" service)))
> !   (proc (open-ssl-stream "nntpd" buffer nntp-address nntp-port-number)))
...
> !   (let* ((ssl-program-arguments '("s_client" "-connect" (concat host ":" service)))
> !   (proc (open-ssl-stream "nntpd-ssl" buffer nntp-address nntp-port-number)))
>
> Now I'm able to login to secnews.netscape.com:563 without any problems.

The SSL stuff in nntp.el seem to be written for old OpenSSL, and you
have a new one.  Can you simply remove the line and see if it works?
I don't think nntp.el should mess with internal ssl variables unless
it's required. E.g.:

--- nntp.el.~6.8.~	Sun May  6 02:15:22 2001
+++ nntp.el	Wed May  9 21:28:48 2001
@@ -920,8 +920,7 @@
   (open-network-stream "nntpd" buffer nntp-address nntp-port-number))
 
 (defun nntp-open-ssl-stream (buffer)
-  (let* ((ssl-program-arguments '("-connect" (concat host ":" service)))
-	 (proc (open-ssl-stream "nntpd" buffer nntp-address nntp-port-number)))
+  (let ((proc (open-ssl-stream "nntpd" buffer nntp-address nntp-port-number)))
     (save-excursion
       (set-buffer buffer)
       (nntp-wait-for-string "^\r*20[01]")

Re: secnews.netscape.com?

[Simon Josefsson]

Amos Gouaux <amos+lists.ding@utdallas.edu> writes:

> ag> Now I'm able to login to secnews.netscape.com:563 without any problems.
> 
> More curious, this nntp over ssl only works if I open it before
> opening an imaps connection.  If I open the imaps connection first,
> then I get the same error I was getting before.  Odd......

Indeed.  Could you edebug `nntp-open-ssl-stream' and/or
`open-ssl-stream' to see what happens?  I can't see that imap.el
permanently makes any SSL related modifications..  other than the
autoload'ing of ssl.el?  Don't know if it matters.

Re: secnews.netscape.com?

[Simon Josefsson]

Amos Gouaux <amos+lists.ding@utdallas.edu> writes:

>sj> The SSL stuff in nntp.el seem to be written for old OpenSSL, and you
>sj> have a new one.  Can you simply remove the line and see if it works?
>sj> I don't think nntp.el should mess with internal ssl variables unless
>sj> it's required. E.g.:
> 
>sj> --- nntp.el.~6.8.~	Sun May  6 02:15:22 2001
>sj> +++ nntp.el	Wed May  9 21:28:48 2001
>sj> @@ -920,8 +920,7 @@
>sj>    (open-network-stream "nntpd" buffer nntp-address nntp-port-number))
>  
>sj>  (defun nntp-open-ssl-stream (buffer)
>sj> -  (let* ((ssl-program-arguments '("-connect" (concat host ":" service)))
>sj> -	 (proc (open-ssl-stream "nntpd" buffer nntp-address nntp-port-number)))
>sj> +  (let ((proc (open-ssl-stream "nntpd" buffer nntp-address nntp-port-number)))
>sj>      (save-excursion
>sj>        (set-buffer buffer)
>sj>        (nntp-wait-for-string "^\r*20[01]")
> 
> Looks like this hasn't been applied yet, at least looking at
> gnus-CURRENT-20010728 from ftp.gnus.org.  I think we got distracted
> by the subsequent problem with imap-ssl (which was fixed).

I've committed it -- I hope it doesn't break NNTPS for anyone.