FS#66473 - [pan] no longer connects correctly for SSL

Attached to Project: Community Packages
Opened by Kevin Knerr (barthel) - Thursday, 30 April 2020, 02:44 GMT
Last edited by Antonio Rojas (arojas) - Friday, 01 May 2020, 07:01 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Antonio Rojas (arojas)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description: Pan recently stopped completing the username/password handshake after setting up the SSL connection. I've been successfully using the same server configuration since 2016. I checked with my Usenet provider who confirmed that I'm connecting to the SSL port, but not completing authentication. (I can switch back to port 119 without SSL/TLS and connect successfully.)

I suspect the problem is with the package. The PKGBUILD shows that "--with-gnutls" is passed while compiling, but gnutls isn't included in the depends() clause.

Given that gnutls was updated recently, the problem I'm experiencing may be a result of pan not being flagged for rebuilding.

At any rate, gnutls should be included in the depends() clause.

Additional info:
* package version(s) pan 0.146-1; gnutls 3.6.13-1 (was working with gnutls-3.6.12-1)
* config and/or log files etc.
* link to upstream bug report, if any (N/A)

Steps to reproduce:
This task depends upon

Closed by  Antonio Rojas (arojas)
Friday, 01 May 2020, 07:01 GMT
Reason for closing:  Upstream
Comment by Doug Newgard (Scimmia) - Thursday, 30 April 2020, 04:25 GMT
Packages aren't flagged for rebuilding from the depends array, and a version bump without a soname change doesn't need rebuilds. Nothing in the pan package is linked to gnutls anyway.

Logs?

Edit: and gnutls is in the dep tree anyway, so even if this uses it, the dep is covered.
Comment by Kevin Knerr (barthel) - Thursday, 30 April 2020, 19:34 GMT
When I looked at the upstream changes for gnutls, I believe I saw notices of ABI/API changes related to security issues. I didn't think a minor version change should affect things, but that was the only thing I could identify that has changed between the last time I connected successfully with SSL and this past week.

The attached files are the output of "pan --debug --verbose" with port 119 (successful connection) and port 563 (unsuccessful SSL connection).

This is the log snippet sent to me by newsguy:

8< begin snippet >8

Our logs showed your SSL connection was established, but your news client
exited before sending userid/passwd. Please check your client settings.

Apr 26 16:12:39 news1 nnrpd[8502]: 104.190.210.161 connect
Apr 26 16:12:39 news1 nnrpd[8502]: 104.190.210.161 SSL Connection Apr 26
16:12:39 news1 nnrpd[8502]: 104.190.210.161 exit articles 0:0 groups 0
#(null):
Apr 26 16:12:39 news1 nnrpd[8502]: 104.190.210.161 times user 0.025 system
0.006 elapsed 27.181 #(null):

8< end snippet >8
   pan.119.log (350.1 KiB)
   pan.563.log (42.8 KiB)
Comment by loqs (loqs) - Thursday, 30 April 2020, 20:15 GMT
Downgrading just gnutls to 3.6.12-1 pan can connect successfully?
Comment by Kevin Knerr (barthel) - Friday, 01 May 2020, 00:59 GMT
Tried both gnutls 3.6.12-1 and 3.6.11-1, but no success.

Which means it's somewhere else in the environment. I'll take a look at compiling a fresh copy tomorrow to see if that fixes the issues. If not, I'll close this bug pending more investigation on my end.
Comment by Kevin Knerr (barthel) - Friday, 01 May 2020, 02:43 GMT
I've rebuilt the package, changing only the version number to -1.1 in the PKGBUILD. No change in behavior.

Closing this report, submitted upstream: https://gitlab.gnome.org/GNOME/pan/-/issues/112

Loading...