GNU bug report logs - #13374
24.?; open-gnutls-stream insecurity

Package: emacs

Reported by: Oleksii Shevchuk <alxchk <at> gmail.com>

Date: Mon, 7 Jan 2013 16:53:02 UTC

Severity: important

Merged with 13877, 15792

Found in version 24.3

Done: Ted Zlatanov <tzz <at> lifelogs.com>

Bug is archived. No further changes may be made.


From: Glenn Morris <rgm <at> gnu.org>
To: Ted Zlatanov <tzz <at> lifelogs.com>
Cc: Oleksii Shevchuk <alxchk <at> gmail.com>, 13374 <at> debbugs.gnu.org
Subject: bug#13374: 24.?; open-gnutls-stream insecurity
Date: Mon, 07 Jan 2013 20:05:06 -0500

Hi Ted,

Could you look at this report, with a view to possibly changing it in
emacs-24 branch, if appropriate? Thanks.

Oleksii Shevchuk wrote:

> The open-gnutls-stream wrapper doesn't pass :verify-hostname-error t
> :verify-error t to gnutls-negotiate. So MitM is possible when you use
> gnus and other packages.
>
> Even with :verify-hostname-error t :verify-error t, gnutls-negotiate
> doesn't produce an error with a self-signed CA certificate when :type
> 'gnutls-x509pki is passed.
>
> I use the following in my .gnus:
>
> (defun open-gnutls-stream (name buffer host service)
>   (gnutls-negotiate :process (open-network-stream name buffer host service)
>                     :hostname host
>                     :verify-hostname-error t :verify-error t))
>




This bug report was last modified 11 years and 157 days ago.