GNU bug report logs - #15792
24.3; Builtin TLS support should enable certificate verification support by default

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Oleksii Shevchuk <alxchk <at> gmail.com>
Subject: bug#13374: closed (Re: bug#15792: 24.3; Builtin TLS support
 should enable certificate verification support by default)
Date: Sat, 02 Nov 2013 21:08:02 +0000

[Message part 1 (text/plain, inline)]

Your bug report

#15792: 24.?; open-gnutls-stream insecurity

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 13374 <at> debbugs.gnu.org.

-- 
15792: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=15792
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Vincent Bernat <bernat <at> luffy.cx>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 15792-close <at> debbugs.gnu.org
Subject: Re: bug#15792: 24.3;
 Builtin TLS support should enable certificate verification support by
 default
Date: Sat, 02 Nov 2013 22:07:16 +0100

 ❦  2 novembre 2013 19:48 CET, Glenn Morris <rgm <at> gnu.org> :

> See http://debbugs.gnu.org/13374 and related discussion.

Thanks! Sorry for the duplicate, I didn't find this bug report.
-- 
printk("??? No FDIV bug? Lucky you...\n");
	2.2.16 /usr/src/linux/include/asm-i386/bugs.h

[Message part 3 (message/rfc822, inline)]

From: Oleksii Shevchuk <alxchk <at> gmail.com>
To: bug-gnu-emacs <at> gnu.org
Subject: 24.?; open-gnutls-stream insecurity
Date: Mon, 07 Jan 2013 12:20:45 +0200

Hi list!

open-gnutls-stream wrapper doesn't pass :verify-hostname-error t
:verify-error t to gnutls-negotiate. So MitM is possible when you use
gnus and other packages. 

Even with :verify-hostname-error t :verify-error t gnutls-negotiate
doesn't produce error with selfsigned CA certificate, when :type
'gnutls-x509pki passed.

I use next in my .gnus:

(defun open-gnutls-stream (name buffer host service)
  (gnutls-negotiate :process (open-network-stream name buffer host service)
                    :hostname host
                    :verify-hostname-error t :verify-error t))

Works for me.

// ----

In GNU Emacs 24.3.50.1 (x86_64-pc-linux-gnu, X toolkit)
 of 2013-01-06 on BlackICE
Bzr revision: cyd <at> gnu.org-20130106025857-h1wkwx5cwvekj4l1
Windowing system distributor `The X.Org Foundation', version 11.0.11300000
System Description:	Gentoo Base System release 2.2

Configured using:
 `configure --prefix=/usr --build=x86_64-pc-linux-gnu
 --host=x86_64-pc-linux-gnu --mandir=/usr/share/man
 --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc
 --localstatedir=/var/lib --libdir=/usr/lib64
 --disable-dependency-tracking --program-suffix=-emacs-24-vcs
 --program-transform-name=s/emacs-[0-9].*/emacs-24-vcs/
 --infodir=/usr/share/info/emacs-24-vcs
 --enable-locallisppath=/etc/emacs:/usr/share/emacs/site-lisp
 --with-crt-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.7.2/../../../../lib64
 --with-gameuser=games --without-compress-info --without-hesiod
 --without-kerberos --without-kerberos5 --with-gpm --with-dbus
 --with-gnutls --with-xml2 --without-selinux --with-wide-int
 --with-sound --with-x --without-ns --without-gconf --with-gsettings
 --without-toolkit-scroll-bars --with-gif --with-jpeg --with-png
 --with-rsvg --with-tiff --with-xpm --without-imagemagick --with-xft
 --without-libotf --without-m17n-flt --with-x-toolkit=lucid
 --without-xaw3d GENTOO_PACKAGE=app-editors/emacs-vcs-24.3.9999
 EBZR_BRANCH=trunk EBZR_REVNO=111428'

Important settings:
  value of $LC_ALL: ru_RU.UTF-8
  value of $LANG: russian
  locale-coding-system: utf-8-unix
  default enable-multibyte-characters: t

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.