GNU bug report logs - #13374
24.?; open-gnutls-stream insecurity

Previous Next

Package: emacs;

Reported by: Oleksii Shevchuk <alxchk <at> gmail.com>

Date: Mon, 7 Jan 2013 16:53:02 UTC

Severity: important

Merged with 13877, 15792

Found in version 24.3

Done: Ted Zlatanov <tzz <at> lifelogs.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Lars Magne Ingebrigtsen <larsi <at> gnus.org>
To: Glenn Morris <rgm <at> gnu.org>
Cc: Oleksii Shevchuk <alxchk <at> gmail.com>, 13374 <at> debbugs.gnu.org, Ted Zlatanov <tzz <at> lifelogs.com>
Subject: bug#13374: 24.?; open-gnutls-stream insecurity
Date: Tue, 08 Jan 2013 05:42:52 +0100

Glenn Morris <rgm <at> gnu.org> writes:

> Ah well, ok, thanks for the explanation. It sounds then like it's
> probably better to leave this for trunk rather than try and force it
> into 24.3 at this relatively late stage.

Definitely.

Deciding on policies for handling opportunistic STARTTLS upgrades
combined with certificate failures has to be decided on, too.

That is, even if the user hasn't requested a TLS connection, Emacs will
auto-negotiate a STARTTLS connection now for virtually all protocol
types now.  If that "fails" because the certificate is self-signed or
expired, do we then want to bother the user by prompting for an action?
The user hasn't requested encryption and validation, but then this
question comes out of the blue?

So, er, someone (ahem) has to go through all the permutations of
connection types and failure modes, and write up some stuff.  We should
also have certificate management code in there somewhere so that the
user may be alerted if a privately signed certificate changes,
perhaps...

-- 
(domestic pets only, the antidote for overdose, milk.)
  bloggy blog http://lars.ingebrigtsen.no/
This bug report was last modified 11 years and 157 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.