Discussion:
END of maintenance
Aioe
2021-07-18 13:26:03 UTC
After about two hours offline, the server resumed working as usual.
The news server and website are online and everything seems to be
working fine.
Please, if you notice any abnormal server behavior warn me: the upgrade
was extensive and complex, I may have missed some bugs.
Windoze
2021-07-19 02:04:05 UTC
Post by Aioe
After about two hours offline, the server resumed working as usual.
The news server and website are online and everything seems to be
working fine.
Please, if you notice any abnormal server behavior warn me: the upgrade
was extensive and complex, I may have missed some bugs.
Everything seems to be working. Thank you, and congratulations on winning
Euro 2020. Roberto Mancini did a very good job as manager of Italy!

<https://en.wikipedia.org/wiki/Roberto_Mancini>
Richmond
2021-07-19 19:05:39 UTC
Post by Aioe
After about two hours offline, the server resumed working as usual.
The news server and website are online and everything seems to be
working fine.
Please, if you notice any abnormal server behavior warn me: the
upgrade was extensive and complex, I may have missed some bugs.
I've been noticing the server is often 'offline' in gnus. It comes
online again if I open it.
Paul
2021-07-20 05:53:45 UTC
Post by Richmond
Post by Aioe
After about two hours offline, the server resumed working as usual.
The news server and website are online and everything seems to be
working fine.
Please, if you notice any abnormal server behavior warn me: the
upgrade was extensive and complex, I may have missed some bugs.
I've been noticing the server is often 'offline' in gnus. It comes
online again if I open it.
Modern news servers use volatile connections.

In the old days, you might remember telnetting to port 119
and doing stuff manually.

That worked, because the connection was "persistent".
A discrete "exit" in Telnet might cause the connection
to drop. Or perhaps the connection would drop after
fifteen minutes of inactivity (like some FTP servers used to).

On a modern news server, the server drops the connection
maybe a few seconds after client activity stops. This allows
the news server connection table to support ten times
as many customers, while using volatile connections.

It also means that with (semi-)modern USENET clients, the
software is pretty well continuously logging in again and
opening new connections, to give the "impression of being
connected", when the connections are at "machine speed" and
not "human speed".

As a consequence, if you carried out the telnet blah.com 119
test today, you would be sorely disappointed in what happens
next.

Any older client, with a different view of the world, may think
it's "sitting on a connection", when in fact, it isn't. The
mismatch between the new behavior on the server, and the old
expectations on the client, can lead to some weird notifications
in the client.

Check and see if perhaps GNUS suffers from this condition.

*******

On Windows, a user can use TCPView to watch connections established
and torn down.

And since that's just a copy of the "netstat" idea from elsewhere,
maybe a "netstat viewer" would work on Linux or the like.

There should be a way to observe how quickly the connections
on GNUS drop on you.

*******

Free newsservers usually have a limit of "connection minutes per day"
or "connections made per day", and occasionally a person using some
ancient software will manage to exceed the daily quota and get
kicked to the curb (disconnected for the rest of the day) as
a form of warning about excessive resource utilization. On the
modern news server, you're only supposed to be connected for
the duration of a transaction, and after that, you politely
leave. Whereas in the old days, it would be popular for the
"connection to stay up, all day long". Perhaps an older client
does not even have the common sense to automatically log in
again after the connection drops.

Paul
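To observe how quickly a server drops an idle session, as Paul suggests, here is an added Python example (not from this thread or any of its participants): `measure_idle_drop()` opens an NNTP session and times how long the server keeps it open with no client activity, and `start_stub_server()` is a constructed local stand-in for a modern news server so the measurement can be exercised offline. Function names, the 127.0.0.1 stub and its greeting text are assumptions.

```python
import socket
import ssl
import threading
import time

def measure_idle_drop(host, port, use_tls=True, max_wait=120.0):
    """Open an NNTP session, read the greeting, then sit idle and return the
    seconds until the server closes the connection (None if it survives max_wait)."""
    sock = socket.create_connection((host, port), timeout=max_wait)
    if use_tls:                      # port 563 speaks TLS from the first byte
        ctx = ssl.create_default_context()
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.recv(1024)              # "200 ... ready" greeting
        start = time.monotonic()
        try:
            while sock.recv(1024):   # ignore any "timeout" notice the server sends first
                pass
            return time.monotonic() - start   # b"" means the server closed on us
        except socket.timeout:
            return None

def start_stub_server(idle_seconds):
    """Constructed stand-in for a modern news server that drops an idle client
    after idle_seconds; returns the TCP port it listens on (127.0.0.1, no TLS)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve():
        conn, _ = listener.accept()
        conn.sendall(b"200 stub news server ready\r\n")
        conn.settimeout(idle_seconds)
        try:
            while conn.recv(1024):
                pass                 # client sent something: keep the session alive
        except socket.timeout:
            pass                     # idle allowance exhausted: drop the client
        conn.close()
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]

if __name__ == "__main__":
    port = start_stub_server(0.5)
    print("stub dropped us after %.2fs idle" % measure_idle_drop("127.0.0.1", port, use_tls=False))
```

Against a real server, call `measure_idle_drop("nntp.aioe.org", 563)` and compare the result with the client's own idea of a "persistent" connection.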
Aioe
2021-07-20 07:16:48 UTC
Post by Paul
Modern news servers use volatile connections.
I have increased the initial timeout to 180 seconds, please check if you
have any problems
Richmond
2021-07-20 09:07:36 UTC
On 20/07/21 07:53, Paul wrote:
> Modern news servers use volatile connections.
I have increased the initial timeout to 180 seconds, please check if
you have any problems
I find the problem occurs when I start gnus. It starts with the server
offline. So, I disabled the agent (which caches article), then I found
that gnus starts with the error message:

error Process nntpd not running

I notice also that if I use this command:

gnutls-cli news.aioe.org:563 (from linux bash)

I get the error:

- Status: The certificate is NOT trusted. The name in the certificate
does not match the expected. *** PKI verification of server certificate
failed... *** Fatal error: Error in the certificate.

But this seems to be because I am using news.aioe.org and not
nntp.aioe.org.

gnutls-cli nntp.aioe.org:563

does not produce the error.

So maybe I need to use nntp instead of news in Gnus? I could try that
but I will have to delete all my groups I think.

I am going to monitor to see if the connection drops from gnus once it
is opened...
Aioe
2021-07-20 09:27:42 UTC
Post by Richmond
But this seems to be because I am using news.aioe.org and not
nntp.aioe.org.
At this point, nntp.aioe.org and news.aioe.org are the same host; innd
is an obsolete server program that does not allow using more than a
single SSL certificate.
You have to use nntp.aioe.org.
Richmond
2021-07-20 10:04:22 UTC
Post by Aioe
Post by Richmond
But this seems to be because I am using news.aioe.org and not
nntp.aioe.org.
At this point, nntp.aioe.org and news.aioe.org are the same host; innd
is an obsolete server program that does not allow using more than a
single SSL certificate.
You have to use nntp.aioe.org.
I have deleted news.aioe.org and started over with nntp.aioe.org, but I
am still getting the error.
Aioe
2021-07-20 10:07:04 UTC
Post by Richmond
I have deleted news.aioe.org and started over with nntp.aioe.org, but I
am still getting the error.
This sounds strange.
Could you send me your error string?

SSL certificate is for NNTP.AIOE.ORG (that is the main server name)
Richmond
2021-07-20 10:20:49 UTC
Post by Aioe
Post by Richmond
I have deleted news.aioe.org and started over with nntp.aioe.org, but I
am still getting the error.
This sounds strange.
Could you send me your error string?
SSL certificate is for NNTP.AIOE.ORG (that is the main server name)
I mean the error from gnus:

"nntp (nntp.aioe.org) open error: ‘>>> (error Process nntpd not
running)’. Continue? (y or n) y
"
Aioe
2021-07-20 10:36:21 UTC
Post by Richmond
"nntp (nntp.aioe.org) open error: ‘>>> (error Process nntpd not
running)’. Continue? (y or n) y
Honestly I don't know, I never used gnus.

My logs don't show errors from your IP address, everything is as
expected on my side.
Richmond
2021-07-20 17:52:06 UTC
Post by Aioe
Post by Richmond
"nntp (nntp.aioe.org) open error: ‘>>> (error Process nntpd not
running)’. Continue? (y or n) y
Honestly I don't know, I never used gnus.
My logs don't show errors from your IP address, everything is as
expected on my side.
While trying to understand the problem, I have found a work around. I
placed a delay of 3 seconds at the end of emacs startup and before
starting gnus. I don't know why this works, I am hoping the gnus mailing
list will help.
Aioe
2021-07-20 20:20:18 UTC
Post by Richmond
While trying to understand the problem, I have found a work around. I
placed a delay of 3 seconds at the end of emacs startup
this behavior sounds like an effect of the delay between the attempt to
establish a TCP / IP connection and the connection.
It is possible that gnus expects to find the server immediately
available then shows an error because the server takes a few tenths of a
second to establish the connection. As far as I understand, gnus is a
program meant to be used with local news servers which have much shorter
latencies than remote news servers.

It's only a suspicion; I'm not sure that this is the right reason.
Grant Taylor
2021-07-20 15:35:24 UTC
innd is an obsolete server program that does not allow using more than
a single SSL certificate.
Do you /need/ more than one certificate?

Can you put the all of the names in the Subject Alternative Name field
of the certificate?

TLS standards for the contemporary web* have deprecated the Common Name
field and instead rely entirely on the Subject Alternative Name field.
As such I put the host's canonical name (usually what's returned by
hostname -f) in the CN field and all names, including the canonical
name, in the SAN field.

*Yes, I realize that news is not the web. However, many TLS libraries
are following the web.
--
Grant. . . .
unix || die
Aioe
2021-07-20 16:10:45 UTC
Post by Grant Taylor
innd is an obsolete server program that does not allow using more
than a single SSL certificate.
Do you /need/ more than one certificate?
Up to version 2.4, INND support for SSL encryption was very bad, so many
newsreaders did not support it because few servers offered that service.
Even when newsreaders supported SSL, this feature was poorly implemented
by developers because no one was using it at that time, and this made it
unnecessary for the programmers to waste time on it.

The newsreaders we use today have remained those of 15 years ago,
development has been minimal in recent years.

To do an experiment, I have now generated the server SSL certificate
using the SAN (if letsencrypt manages it correctly and if I have
understood how to do it).

I can easily assume that this will cause problems for older newsreaders,
the ones most used by my users.

Thank you for your suggestion; if you're able to make some tests, I'm
curious about the support of modern SSL certificates by current newsreaders.
Grant Taylor
2021-07-20 20:08:57 UTC
Post by Aioe
Thank you for your suggestion; if you're able to make some tests, I'm
curious about the support of modern SSL certificates by current newsreaders.
I was able to connect to Aioe without any problems after reconfiguring
Thunderbird to use SSL/TLS for connection security and restarting
Thunderbird. (The restart is related to a long standing Thunderbird issue.)

I am connecting to nntp.aioe.org (port 563) with OpenSSL and not having
any problems. I see the CN is nntp.aioe.org and the SANs are
nntp.aioe.org and news.aioe.org.

I have the same success if I connect to news.aioe.org.

echo "" | openssl s_client -connect nntp.aioe.org:563 | openssl x509 -text
--
Grant. . . .
unix || die
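Richmond's gnutls-cli mismatch for news.aioe.org and Grant's point that the SAN, not the CN, is what contemporary TLS libraries match against can be illustrated with this added Python example (not code from the thread or from any participant). It implements the name check over certificates in the dict shape returned by `ssl.SSLSocket.getpeercert()`; the two certificates are constructed (CERT_BEFORE with only nntp.aioe.org in the SAN, CERT_AFTER with both names, as Grant observed), and `fetch_peer_cert()` is an assumed helper for pulling a live certificate.

```python
import socket
import ssl

# Constructed certificates in the getpeercert() dict shape: BEFORE carries only
# nntp.aioe.org in its SAN, AFTER lists both names (the state Grant reported).
CERT_BEFORE = {"subject": ((("commonName", "nntp.aioe.org"),),),
               "subjectAltName": (("DNS", "nntp.aioe.org"),)}
CERT_AFTER = {"subject": ((("commonName", "nntp.aioe.org"),),),
              "subjectAltName": (("DNS", "nntp.aioe.org"), ("DNS", "news.aioe.org"))}

def san_dns_names(cert):
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_name(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def dns_name_matches(pattern, hostname):
    """Exact match, or a single leftmost wildcard label (*.example.org)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname

def check_hostname(cert, hostname):
    """Return (ok, reason). The SAN is authoritative when present; the CN is
    consulted only for legacy certificates that carry no SAN at all."""
    names = san_dns_names(cert)
    if names:
        if any(dns_name_matches(n, hostname) for n in names):
            return True, "matched a SAN entry among %s" % names
        return False, "%s is not in SAN %s" % (hostname, names)
    cn = common_name(cert)
    if cn and dns_name_matches(cn, hostname):
        return True, "matched CN %s (legacy: no SAN present)" % cn
    return False, "no SAN, and CN %r does not cover %s" % (cn, hostname)

def fetch_peer_cert(host, port=563):
    """Fetch a live certificate; the chain is still verified against the system CA
    store, only Python's name check is deferred to check_hostname() for a reason string."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

`check_hostname(fetch_peer_cert("nntp.aioe.org"), "news.aioe.org")` reports whether the live certificate covers the alias and why, which is the same question gnutls-cli and openssl s_client answered above.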
Aioe
2021-07-20 20:27:13 UTC
Post by Grant Taylor
I have the same success if I connect to news.aioe.org.
Thunderbird has good SSL support, the problem is antiques like mesnews
or forte agent.
You should consider that forcing access only with TLS 1.2 has given
problems for many users and it is a 15 year old technology.
I can't tell you if some very old version of OE is able to use these
certificates and I can't ask users because such debug operation is too
complex for them.
I'm trying, if no one complains in the next few days, it will have worked
Grant Taylor
2021-07-20 22:30:08 UTC
Post by Aioe
You should consider that forcing access only with TLS 1.2 has given
problems for many users and it is a 15 year old technology.
Yes, I conceptually understand the problem that you're talking about.

I didn't pay attention to the details, did you change anything about
your certificate other than the CN/SAN? If not, I would expect that
clients that were working with the old configuration would continue to
work with your new configuration.
Post by Aioe
I'm trying, if no one complains in the next few days, it will have worked
ACK
--
Grant. . . .
unix || die
Aioe
2021-07-21 21:09:42 UTC
did you change anything about your certificate other than the CN/SAN?
No, I didn't change anything else.