From: Maxim Cournoyer Subject: Gmane with Gnus first timer Newsgroups: gmane.emacs.gnus.user To: info-gnus-english@gnu.org Date: Wed, 27 Sep 2017 11:12:38 -0400 (4 days, 59 minutes, 13 seconds ago) Hello Gnusers! I've started experimenting with Gmane[1], and it seems very useful at easily navigating archived mailing lists! I thought I'd share some of the details for NNTP neophytes like me; I had the good fortune to be helped on the IRC #gnus channel by sixbitslacker, who shared important bits of their config as well as the Gmane's X.509 certificate necessary for proper TLS authentication. * Gnus configuration The first thing I did was adding a select method to my Gnus configuration. I already had a `gnus-select-method' defined with my email server, so I used `gnus-secondary-select-methods' for Gmane: ;; To be put in your ~/.gnus.el or similar. (setq gnus-secondary-select-methods '((nntp "gmane" (nntp-address "news.gmane.org")))) * Gmane TLS certificate I then started Gnus. I was greeted with a warning that said: Certificate information Issued by: news.gmane.org Issued to: Gmane Hostname: news.gmane.org Public key: RSA, signature: RSA-SHA1 Protocol: TLS1.2, key: RSA, cipher: AES-256-GCM, mac: AEAD Security level: Low Valid: From 2015-01-13 to 2018-01-12 The TLS connection to news.gmane.org:nntp is insecure for the following reasons: certificate signer was not found (self-signed) certificate was signed with an insecure algorithm the certificate was signed by an unknown and therefore unstrusted authority certificate could not be verified While we can't do anything about the weak SHA1 signature, we can at least fix the other warnings by trusting the self-signed certificate that Gmane is using. To do so, we must first retrieve the X.509 certificate that Gmane uses. The OpenSSL package provides a mean to do so (credits to sixbitslacker): openssl s_client -starttls smtp -connect news.gmane.org:119 Amongst the output you should find the server certificate, which is: -----BEGIN CERTIFICATE----- MIICwjCCAiugAwIBAgIJAJOYYw06tv/WMA0GCSqGSIb3DQEBBQUAMEsxCzAJBgNV BAYTAk5PMRMwEQYDVQQIEwpTb21lLVN0YXRlMQ4wDAYDVQQKEwVHbWFuZTEXMBUG A1UEAxMObmV3cy5nbWFuZS5vcmcwHhcNMTUwMTEzMjExMzQ2WhcNMTgwMTEyMjEx MzQ2WjBLMQswCQYDVQQGEwJOTzETMBEGA1UECBMKU29tZS1TdGF0ZTEOMAwGA1UE ChMFR21hbmUxFzAVBgNVBAMTDm5ld3MuZ21hbmUub3JnMIGfMA0GCSqGSIb3DQEB AQUAA4GNADCBiQKBgQDK4MBGhSVg3O/L0U7ME7D4kmiPShwxmu6NZzQ5UsBV3S5H qzPBEaInGUqX0IJX2pGVMKTGOmy+Sz0aJYcKQJdJ1Zq9LAtUOk7gflxX4z4wrcng 9bRz1z8D3/KJFyTrELZyEC8DkKEwbO4LxO3QrfxNXOkpuVZ0eUlP/AwVGN9D+QID AQABo4GtMIGqMB0GA1UdDgQWBBRCnZpe5p9+0CKQoFm/RVzp/EmUTzB7BgNVHSME dDBygBRCnZpe5p9+0CKQoFm/RVzp/EmUT6FPpE0wSzELMAkGA1UEBhMCTk8xEzAR BgNVBAgTClNvbWUtU3RhdGUxDjAMBgNVBAoTBUdtYW5lMRcwFQYDVQQDEw5uZXdz LmdtYW5lLm9yZ4IJAJOYYw06tv/WMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF BQADgYEAQgcrfK9IN7DfqIGVwuhHZRBskbcTyD0oh11zUrr1s44sEq4pWT/ht42C Cpn4g+mCCOLewLT+MAHxs7Acxbkxd+lQyRVWknVLHNQL48dUrQX9QCEZVcLHcZmL w2mmmDMfRgLNKdNDO60BMtK/EGGaaYmLY+B4EzQtSVGRZfANXLg= -----END CERTIFICATE----- Save this file somewhere, say, to "~/.gnutls/gmane.pem". Now we must configure Emacs to trust this certificate. One easy way is to add this line to your ~/.emacs file: (add-to-list 'gnutls-trustfile "~/.gnutls/gmane.pem") Another other options to make it globally trusted would be to place the file under /etc/ Eval this line (C-M-x or C-x C-e on that s-exp) and restart Gnus. The only remaining warning should be the one about the weak SHA1 signature: When I did, Emacs still complained that the server was deemed insecure because the "certificate signer was not found (self-signed)". I am not sure why it persists warning me about a self-signed certificate after I've explicitly given it my trust, nor do I know why the weak SHA1 issue is not raised anymore... But anyway, I consider our due diligence done, so at this point you may choose "Always" when presented the security prompt. * Browsing lists with Gmane You should now be in the plain old *Group* buffer, with nothing new in it. To actually navigate the mailing lists archived by Gmane, you may press the '^' key to show a list of the known servers. It should contain an entry for the newly added news.gmane.org news server, such as: {nntp:gmane} (opened) Finally, by clicking (on typing RET) on that gmane entry, you should now have access to a huge collection of archived mailing lists (31682 at the time of writing), which can be comfortably browsed in a Gnusy way. You can also subscribe using 'u', to show some of these in your *Group* buffer. * Posting to a Gmane Instead of sending an email with 'm', you can now send an article (the equivalent in the world of news) with the 'a' key. This long text is my first attempt at doing so; if you received it, it's because it worked! Happy hacking, Maxim [1] http://gmane.org