nntp and ssl

nntp and ssl

[Antoine Junod]

Hello,

I was using gnus to read my mails (IMAP + SSL) and news 
(NNTP) without any problem until my news provider updated 
the news server. NNTP is no longer supported and I have to 
use NNTP over SSL.

I've tried to change my conf as follow:

(setq gnus-select-method' 
 
                                        (nntp "news.epfl.ch" 
 
 

           (nntp-open-connection-function 
nntp-open-ssl-stream) 
 

           (nntp-port-number) 
 

           (nntp-address "news.epfl.ch")) 
 



But when i'm launching gnus, il says me
nntp (news.epfl.ch) open error: ''.  Continue? (y or n)

What should I try to debug that?

Network config seems a bit crazy for that server but 
thinderbird can handle that crazieness so i think it's not 
so important (look at the last steps):

zapata ~ # tcptraceroute news.epfl.ch 563
Selected device eth0, address 213.239.193.37, port 33726 for 
outgoing packets
Tracing the path to news.epfl.ch (128.178.50.84) on TCP port 
563 (nntps), 30 hops max
  1  213-239-193-33.clients.your-server.de (213.239.193.33) 
  0.414 ms  0.393 ms  0.450 ms
  2  et-2-14.RS86001.RZ3.hetzner.de (213.133.96.77)  0.865 
ms  0.287 ms  0.234 ms
  3  gi-upl.lambdanet.hetzner.de (213.239.240.195)  0.931 ms 
  0.294 ms  0.421 ms
  4  nbg.de.lambdanet.net (213.133.96.234)  1.182 ms  0.445 
ms  0.422 ms
  5  FRA-2-pos620.de.lambdanet.net (217.71.96.41)  4.295 ms 
  72.759 ms  4.421 ms
  6  FRA-11-pos300.de.lambdanet.net (217.71.105.94)  5.239 
ms  4.202 ms  4.445 ms
  7  FRA-8-pos300.de.lambdanet.net (217.71.105.225)  4.639 
ms  4.217 ms  4.181 ms
  8  ZUR-1-eth000-103.ch.lambdanet.net (80.86.163.26) 
17.382 ms  16.709 ms  16.714 ms
  9  swiix1-g2-1.switch.ch (194.42.48.11)  20.946 ms  20.725 
ms  20.531 ms
10  swiZH2-10GE-1-3.switch.ch (130.59.36.130)  21.051 ms 
20.340 ms  20.620 ms
11  swiEL2-G2-3.switch.ch (130.59.36.78)  20.842 ms  20.464 
ms  20.349 ms
12  news.epfl.ch (128.178.50.84)  21.376 ms  20.425 ms 
20.758 ms
13  news.epfl.ch (128.178.50.84)  21.235 ms  20.673 ms 
21.437 ms
14  news.epfl.ch (128.178.50.84)  20.425 ms  20.379 ms 
20.978 ms
15  news.epfl.ch (128.178.50.84) [open]  20.743 ms * 20.882 ms
zapata ~ #

I'm really sorry to typeset as a piggy but i'm not writing 
that post in emacs and the news reader i'm using does not 
seem to like me.

Thanks a lot for your help
-AJ

Re: nntp and ssl

[Lars Magne Ingebrigtsen]

Antoine Junod <antoine.junod@epfl.ch> writes:

> (setq gnus-select-method' 
>                                        (nntp "news.epfl.ch" 
>           (nntp-open-connection-function nntp-open-ssl-stream) 
>           (nntp-port-number) 
>           (nntp-address "news.epfl.ch")) 

I think that should be

            (nntp-port-number 563) 

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

Re: nntp and ssl

[m. kolb]

Antoine Junod <antoine.junod@epfl.ch> writes:

> Hello,
>
> I was using gnus to read my mails (IMAP + SSL) and news (NNTP) without
> any problem until my news provider updated the news server. NNTP is no
> longer supported and I have to use NNTP over SSL.
>
> I've tried to change my conf as follow:
>
> (setq gnus-select-method'                                       (nntp
> "news.epfl.ch"
>
>            (nntp-open-connection-function nntp-open-ssl-stream)
>
>            (nntp-port-number)
>
>            (nntp-address "news.epfl.ch"))

When we changed to require SSL and authentication, I changed my
pertinent .gnus.el like this:

(add-hook 'nntp-server-opened-hook 'nntp-send-authinfo)

(setq gnus-select-method '(nntp "nntp.msu.edu"
      (nntp-open-connection-function
       nntp-open-ssl-stream)
      (nntp-port-number "nntps")
      (nntp-address "nntp.msu.edu")))


Best of luck,

./muk

-- 
m. kolb  <muk@msu.edu>

Re: nntp and ssl

[Antoine Junod]

m. kolb wrote:
> Antoine Junod <antoine.junod@epfl.ch> writes:
> 
> 
>>Hello,
>>
>>I was using gnus to read my mails (IMAP + SSL) and news (NNTP) without
>>any problem until my news provider updated the news server. NNTP is no
>>longer supported and I have to use NNTP over SSL.
>>
>>I've tried to change my conf as follow:
>>
>>(setq gnus-select-method'                                       (nntp
>>"news.epfl.ch"
>>
>>           (nntp-open-connection-function nntp-open-ssl-stream)
>>
>>           (nntp-port-number)
>>
>>           (nntp-address "news.epfl.ch"))
> 
> 
> When we changed to require SSL and authentication, I changed my
> pertinent .gnus.el like this:
> 
> (add-hook 'nntp-server-opened-hook 'nntp-send-authinfo)
> 
> (setq gnus-select-method '(nntp "nntp.msu.edu"
>       (nntp-open-connection-function
>        nntp-open-ssl-stream)
>       (nntp-port-number "nntps")
>       (nntp-address "nntp.msu.edu")))

hum, it freeze with the following line:

      Loading ssl...done

Any idea?
Thanks for your help.

-AJ

Re: nntp and ssl

[m. kolb]

Antoine Junod <antoine.junod@epfl.ch> writes:

> hum, it freeze with the following line:
>
>       Loading ssl...done

Unfortunately I'm not sure what is happening there.  Can you just
openssl s_client -connect newshost:563 from your machine and see what is
happening?

Best of luck, and sorry for the late reply.

./muk

Re: nntp and ssl

[Anne & Lynn Wheeler]

muk@msu.edu (m. kolb) writes:
> Unfortunately I'm not sure what is happening there.  Can you just
> openssl s_client -connect newshost:563 from your machine and see what is
> happening?

about 20-30percent of the time ... i see freeze-up while reading
active file. it rarely freezes at any other point ....  openssl
0.9.8a-5.2; no gnus v0.5

first couple times i had to kill emacs and restart. i eventually did a
script that i run in another window that gets the process number of
openssl and kills it. turns out that it kills openssl and then after a
couple seconds it checks to see if it has to kill openssl a second
time (about half the time after it has killed openssl while reading
the active file, gnus continues a little bit and then freezes a second
time).

it then is good ... until the next get-new-news, at which point there
is about 1-in-3 chance it will repeat

it also freezes about 95 percent of the time when posting ... i run
the kill script; gnus then completes saying that the posting failed;
however the post was actually made (like is going to happen when this
is posted)

-- 
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/

Re: nntp and ssl

[Antoine Junod]

m. kolb wrote:
> Antoine Junod <antoine.junod@epfl.ch> writes:
 >
> > hum, it freeze with the following line:
> >
> >       Loading ssl...done
> 
> 
> Unfortunately I'm not sure what is happening there.  Can you just
> openssl s_client -connect newshost:563 from your machine and see what is
> happening?

It seems to work fine:

$> openssl s_client -connect newse.fpl.ch:563
CONNECTED(00000003)
depth=0 
/C=CH/ST=Vaud/L=Lausanne/O=EPFL/CN=news.epfl.ch/emailAddress=Franck.Perrot@epfl.ch
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 
/C=CH/ST=Vaud/L=Lausanne/O=EPFL/CN=news.epfl.ch/emailAddress=Franck.Perrot@epfl.ch
verify error:num=27:certificate not trusted
verify return:1
depth=0 
/C=CH/ST=Vaud/L=Lausanne/O=EPFL/CN=news.epfl.ch/emailAddress=Franck.Perrot@epfl.ch
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
  0 
s:/C=CH/ST=Vaud/L=Lausanne/O=EPFL/CN=news.epfl.ch/emailAddress=Franck.Perrot@epfl.ch
    i:/C=CH/ST=Vaud/L=Lausanne/O=EPFL/CN=EPFL Certification 
Authority/emailAddress=cert-auth@epfl.ch
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICqTCCAhKgAwIBAgICB3EwDQYJKoZIhvcNAQEEBQAwgYcxCzAJBgNVBAYTAkNI
MQ0wCwYDVQQIEwRWYXVkMREwDwYDVQQHEwhMYXVzYW5uZTENMAsGA1UEChMERVBG
TDElMCMGA1UEAxMcRVBGTCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEgMB4GCSqG
SIb3DQEJARYRY2VydC1hdXRoQGVwZmwuY2gwHhcNMDYwMzE2MTEwODQ1WhcNMTIw
MTE0MTEwODQ1WjB7MQswCQYDVQQGEwJDSDENMAsGA1UECBMEVmF1ZDERMA8GA1UE
BxMITGF1c2FubmUxDTALBgNVBAoTBEVQRkwxFTATBgNVBAMTDG5ld3MuZXBmbC5j
aDEkMCIGCSqGSIb3DQEJARYVRnJhbmNrLlBlcnJvdEBlcGZsLmNoMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQCofko/xRXXuY545eh9SrN74VV0+VdV+/Sf3mSU
XiUvR1BSijiQQ/AvJxK+aap284txZ2s7442UnZ1kypGjqZVx6gGq4nps9GuN15zN
/aeCVZHEwKgxB2ULCWPPArISWdMO57ZqkCDQjQhjpyAVtS4yRd951XkTtsclZ19k
u9n2nQIDAQABoy8wLTArBgNVHREEJDAighBlcGZsbmV3cy5lcGZsLmNogg5mb3J1
bXMuZXBmbC5jaDANBgkqhkiG9w0BAQQFAAOBgQApm6IM+sNxMQ9isRP8CIIbD1PP
1cLdFRUuB3hqC/MSWdQITEFknWWHnjGwVyOZMCp8sqoDmh+qXb05n6lKWbvsrdX7
wpHeCBXkXrxU6bJLtgn+9nnpMNJGQv8KQehaqEQgZhSnAZFADT6g2ciqiL+ZrOMu
BuL+yYbAwZ9TYmyblw==
-----END CERTIFICATE-----
subject=/C=CH/ST=Vaud/L=Lausanne/O=EPFL/CN=news.epfl.ch/emailAddress=Franck.Perrot@epfl.ch
issuer=/C=CH/ST=Vaud/L=Lausanne/O=EPFL/CN=EPFL Certification 
Authority/emailAddress=cert-auth@epfl.ch
---
No client certificate CA names sent
---
SSL handshake has read 847 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
     Protocol  : TLSv1
     Cipher    : AES256-SHA
     Session-ID: 
9FB22FCA52BC2E7938D0746223ACEE033B951D662BA5DEB21D8AD342F2E0F9D8
     Session-ID-ctx:
     Master-Key: 
D0F0A77AC81973EC392A5C8D8FA547748C6ABDD8F430406B254E115F3ED7B7CD8FB65C910757726BBCFD01C92AC01056
     Key-Arg   : None
     Start Time: 1146377081
     Timeout   : 300 (sec)
     Verify return code: 21 (unable to verify the first certificate)
---
200 Bienvenue sur le serveur News de l'EPFL - Welcome to the EPFL's News 
server

Thanks a lot for your help
-AH

Re: nntp and ssl

[m. kolb]

Antoine Junod <antoine.junod@epfl.ch> writes:

> m. kolb wrote:
>> Antoine Junod <antoine.junod@epfl.ch> writes:
>  >
>> > hum, it freeze with the following line:
>> >
>> >       Loading ssl...done
>> Unfortunately I'm not sure what is happening there.  Can you just
>> openssl s_client -connect newshost:563 from your machine and see what is
>> happening?
>
> It seems to work fine:
>
> $> openssl s_client -connect newse.fpl.ch:563
> CONNECTED(00000003)
> depth=0

I'm at a loss :/  Sorry!