From: Vincent Bernat
To: 15792@debbugs.gnu.org
Subject: bug#15792: 24.3; Builtin TLS support should enable certificate verification support by default
Date: Sat, 02 Nov 2013 16:05:21 +0100
Message-ID: <87a9hmu9n2.fsf@guybrush.luffy.cx>

Hi!

New builtin TLS support disables certificate verification by default.
This is a very bad practice and the default should be to check for
certificate validity.

Moreover, the end-user of a package using this builtin support has no
easy way to enable the verification of TLS certificates. For example,
Gnus does not provide anything to enable this and as a simple user, it
seems quite difficult to ensure that certificates are verified. And each
package has the responsibility to enable this option. This is cumbersome.

Previously, enabling/disabling certificate verification was easy. You
set `tls-program` variable to something that checks or doesn't check for
certificates. For gnutls-client, this was a matter of using or not using
the `--insecure` switch.

I didn't find a way to disable the builtin TLS support (other than to
recompile Emacs).

I propose:

 1. Verify the certificates by default.
 2. Prompt the user if there is a problem.
 3. Add the possibility to not check for certificates by default.

I can provide a patch for the first step but I have little Emacs-fu for
the other two parts (all the more that most of the code is in C).
-- 
Use variable names that mean something.
            - The Elements of Programming Style (Kernighan & Plauger)

From: Glenn Morris
Subject: control message for bug 15792
Date: Sat, 02 Nov 2013 14:46:45 -0400

forcemerge 13374 15792

From: Glenn Morris
To: Vincent Bernat
Cc: 15792@debbugs.gnu.org
Subject: bug#15792: 24.3; Builtin TLS support should enable certificate verification support by default
Date: Sat, 02 Nov 2013 14:48:57 -0400
In-Reply-To: <87a9hmu9n2.fsf@guybrush.luffy.cx>

See http://debbugs.gnu.org/13374 and related discussion.

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Vincent Bernat
Subject: bug#15792: closed (Re: bug#15792: 24.3; Builtin TLS support should enable certificate verification support by default)
Date: Sat, 02 Nov 2013 21:08:02 +0000
Reply-To: 15792@debbugs.gnu.org

Your bug report

#15792: 24.3; Builtin TLS support should enable certificate verification support by default

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 15792@debbugs.gnu.org.

-- 
15792: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=15792
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Vincent Bernat
To: Glenn Morris
Cc: 15792-close@debbugs.gnu.org
Subject: Re: bug#15792: 24.3; Builtin TLS support should enable certificate verification support by default
Date: Sat, 02 Nov 2013 22:07:16 +0100
Message-ID: <87txfusebf.fsf@guybrush.luffy.cx>
References: <87a9hmu9n2.fsf@guybrush.luffy.cx>

 ❦ 2 November 2013 19:48 CET, Glenn Morris:

> See http://debbugs.gnu.org/13374 and related discussion.

Thanks! Sorry for the duplicate, I didn't find this bug report.
-- 
printk("??? No FDIV bug? Lucky you...\n");
        2.2.16 /usr/src/linux/include/asm-i386/bugs.h

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Oleksii Shevchuk
Subject: bug#13374: closed (Re: bug#15792: 24.3; Builtin TLS support should enable certificate verification support by default)
Date: Sat, 02 Nov 2013 21:08:02 +0000
Reply-To: 13374@debbugs.gnu.org

Your bug report

#15792: 24.?; open-gnutls-stream insecurity

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 13374@debbugs.gnu.org.

-- 
15792: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=15792
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Oleksii Shevchuk
To: bug-gnu-emacs@gnu.org
Subject: 24.?; open-gnutls-stream insecurity
Date: Mon, 07 Jan 2013 12:20:45 +0200
Message-ID: <87mwwlz43m.fsf@Black.ICE>

Hi list!

open-gnutls-stream wrapper doesn't pass

    :verify-hostname-error t
    :verify-error t

to gnutls-negotiate. So MitM is possible when you use gnus and other
packages.

Even with

    :verify-hostname-error t
    :verify-error t

gnutls-negotiate doesn't produce an error with a self-signed CA
certificate when :type 'gnutls-x509pki is passed.

I use the following in my .gnus:

    ;; Redefine the stock wrapper so that a failed chain or hostname
    ;; check aborts the connection instead of being ignored.
    (defun open-gnutls-stream (name buffer host service)
      (gnutls-negotiate
       :process (open-network-stream name buffer host service)
       :hostname host
       :verify-hostname-error t
       :verify-error t))

Works for me.

// ----

In GNU Emacs 24.3.50.1 (x86_64-pc-linux-gnu, X toolkit)
 of 2013-01-06 on BlackICE
Bzr revision: cyd@gnu.org-20130106025857-h1wkwx5cwvekj4l1
Windowing system distributor `The X.Org Foundation', version 11.0.11300000
System Description: Gentoo Base System release 2.2

Configured using:
 `configure --prefix=/usr --build=x86_64-pc-linux-gnu
 --host=x86_64-pc-linux-gnu --mandir=/usr/share/man
 --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc
 --localstatedir=/var/lib --libdir=/usr/lib64
 --disable-dependency-tracking --program-suffix=-emacs-24-vcs
 --program-transform-name=s/emacs-[0-9].*/emacs-24-vcs/
 --infodir=/usr/share/info/emacs-24-vcs
 --enable-locallisppath=/etc/emacs:/usr/share/emacs/site-lisp
 --with-crt-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.7.2/../../../../lib64
 --with-gameuser=games --without-compress-info --without-hesiod
 --without-kerberos --without-kerberos5 --with-gpm --with-dbus
 --with-gnutls --with-xml2 --without-selinux --with-wide-int
 --with-sound --with-x --without-ns --without-gconf --with-gsettings
 --without-toolkit-scroll-bars --with-gif --with-jpeg --with-png
 --with-rsvg --with-tiff --with-xpm --without-imagemagick --with-xft
 --without-libotf --without-m17n-flt --with-x-toolkit=lucid
 --without-xaw3d GENTOO_PACKAGE=app-editors/emacs-vcs-24.3.9999
 EBZR_BRANCH=trunk EBZR_REVNO=111428'

Important settings:
  value of $LC_ALL: ru_RU.UTF-8
  value of $LANG: russian
  locale-coding-system: utf-8-unix
  default enable-multibyte-characters: t

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Moritz Ulrich
Subject: bug#13877: closed (Re: bug#15792: 24.3; Builtin TLS support should enable certificate verification support by default)
Date: Sat, 02 Nov 2013 21:08:03 +0000
Reply-To: 13877@debbugs.gnu.org

Your bug report

#15792: 24.3; gnutls.el: Enable Certificate Checks

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 13877@debbugs.gnu.org.

-- 
15792: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=15792
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems


From: Moritz Ulrich
To: bug-gnu-emacs@gnu.org
Subject: 24.3; gnutls.el: Enable Certificate Checks
User-agent: mu4e 0.9.9; emacs 24.3.1
Date: Tue, 05 Mar 2013 11:40:09 +0100

Currently, gnutls.el doesn't check certificate signatures when used via
`open-network-stream' with :type 'tls or `open-gnutls-stream'. This is
caused by the following code from `open-gnutls-stream' (gnutls.el:110):

--8<---------------cut here---------------start------------->8---
(gnutls-negotiate :process (open-network-stream name buffer host service)
                  :type 'gnutls-x509pki
                  :hostname host)
--8<---------------cut here---------------end--------------->8---

There is NO way to set :verify-host, :verify-flags, etc. for this call
to `gnutls-negotiate' when using gnutls via high-level functions like
`open-network-stream'.

I consider this a bug, as Emacs won't check any certificates and
therefore allow man in the middle attacks without even documenting this.

It should at least be possible to pass :verify-* from
`open-network-stream' down to `gnutls-negotiate'. That would be a simple
yet effective solution.

In GNU Emacs 24.3.1 (x86_64-apple-darwin11.4.2, NS apple-appkit-1138.51)
 of 2013-03-05 on Moritzs-MacBook-Air
Windowing system distributor `Apple', version 10.3.1138
Configured using:
 `configure '--prefix=/usr/local/Cellar/emacs/24.3-rc1'
 '--without-dbus'
 '--enable-locallisppath=/usr/local/share/emacs/site-lisp'
 '--infodir=/usr/local/Cellar/emacs/24.3-rc1/share/info/emacs'
 '--with-ns' '--disable-ns-self-contained' '--with-gnutls'
 '--with-jpeg' '--with-xml2' '--with-imagemagick' 'CC=cc''

<#secure method=pgpmime mode=sign>

-- 
Moritz Ulrich

------------=_1383426483-24337-5--
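
The report above notes that the high-level entry points give no way to pass verification options down to `gnutls-negotiate'. As an added example (not part of the original messages and not code from gnutls.el), a caller can open the plain connection itself and negotiate with verification turned on. The names `my-tls-trustfiles' and `my-open-verified-tls-stream' and the CA bundle path are assumptions, as is the availability of the :trustfiles, :verify-error and :verify-hostname-error keywords of `gnutls-negotiate' in the Emacs 24 series.

```elisp
;; Added example, not code from gnutls.el or from the report.
;; `my-tls-trustfiles' and `my-open-verified-tls-stream' are hypothetical names.
(require 'gnutls)

(defvar my-tls-trustfiles '("/etc/ssl/certs/ca-certificates.crt")
  "CA bundles used to validate the peer (assumed path; adjust per system).")

(defun my-open-verified-tls-stream (name buffer host service)
  "Open a TLS connection to HOST on SERVICE that fails closed.
Unlike the `open-gnutls-stream' call quoted in the report, this passes
the verification keywords to `gnutls-negotiate' explicitly."
  (unless (gnutls-available-p)
    (error "GnuTLS support is not available in this Emacs"))
  ;; Keep only the CA bundles that actually exist on this machine.
  (let ((trust (delq nil (mapcar (lambda (f) (and (file-readable-p f) f))
                                 my-tls-trustfiles))))
    ;; Without a trust store nothing can be verified, so refuse to connect.
    (unless trust
      (error "No readable CA bundle; refusing unverified TLS to %s" host))
    (let ((proc (open-network-stream name buffer host service :type 'plain)))
      (condition-case err
          (gnutls-negotiate :process proc
                            :type 'gnutls-x509pki
                            :hostname host
                            :trustfiles trust
                            ;; Treat a failed chain validation as fatal.
                            :verify-error t
                            ;; Treat a certificate/hostname mismatch as fatal.
                            :verify-hostname-error t)
        (error
         ;; Never hand back a half-negotiated or unverified connection.
         (delete-process proc)
         (signal (car err) (cdr err)))))))
```

On success the function returns the process object, as `gnutls-negotiate' does; on any verification failure it signals the original error after closing the socket.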