GNU bug report logs - #15792
24.3; Builtin TLS support should enable certificate verification support by default

Previous Next

Package: emacs;

Reported by: Vincent Bernat <bernat <at> luffy.cx>

Date: Sat, 2 Nov 2013 18:45:02 UTC

Severity: important

Merged with 13374, 13877

Found in version 24.3

Done: Ted Zlatanov <tzz <at> lifelogs.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Vincent Bernat <bernat <at> luffy.cx>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#13877: closed (24.3; gnutls.el: Enable Certificate Checks)
Date: Sat, 02 Nov 2013 21:08:03 +0000

[Message part 1 (text/plain, inline)]
Your message dated Sat, 02 Nov 2013 22:07:16 +0100
with message-id <87txfusebf.fsf <at> guybrush.luffy.cx>
and subject line Re: bug#15792: 24.3; Builtin TLS support should enable certificate verification support by default
has caused the debbugs.gnu.org bug report #15792,
regarding 24.3; gnutls.el: Enable Certificate Checks
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
15792: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=15792
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Moritz Ulrich <moritz <at> tarn-vedra.de>
To: bug-gnu-emacs <at> gnu.org
Subject: 24.3; gnutls.el: Enable Certificate Checks
Date: Tue, 05 Mar 2013 11:40:09 +0100

Currently, gnutls.el doesn't check certificate signatures when used via
`open-network-stream' with :type 'tls or `open-gnutls-stream'.

This is caused by the following code from `open-gnutls-stream'
(gnutls.el:110):

--8<---------------cut here---------------start------------->8---
(gnutls-negotiate :process (open-network-stream name buffer host service)
                  :type 'gnutls-x509pki
                  :hostname host)
--8<---------------cut here---------------end--------------->8---

There is NO way to set :verify-host, :verify-flags, etc. for this call
to `gnutls-negotiate' when using gnutls via high-level functions like
`open-network-stream'.

I consider this a bug, as Emacs won't check any certificates and
therefore allow man in the middle attacks without even documenting this.

It should at least be possible to pass :verify-* from
`open-network-stream' down to `gnutls-negotiate'. That would be a simple
yet effective solution.


In GNU Emacs 24.3.1 (x86_64-apple-darwin11.4.2, NS apple-appkit-1138.51)
 of 2013-03-05 on Moritzs-MacBook-Air
Windowing system distributor `Apple', version 10.3.1138
Configured using:
 `configure '--prefix=/usr/local/Cellar/emacs/24.3-rc1' '--without-dbus'
 '--enable-locallisppath=/usr/local/share/emacs/site-lisp'
 '--infodir=/usr/local/Cellar/emacs/24.3-rc1/share/info/emacs'
 '--with-ns' '--disable-ns-self-contained' '--with-gnutls' '--with-jpeg'
 '--with-xml2' '--with-imagemagick' 'CC=cc''

<#secure method=pgpmime mode=sign>

-- 
Moritz Ulrich



[Message part 3 (message/rfc822, inline)]
From: Vincent Bernat <bernat <at> luffy.cx>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 15792-close <at> debbugs.gnu.org
Subject: Re: bug#15792: 24.3;
 Builtin TLS support should enable certificate verification support by
 default
Date: Sat, 02 Nov 2013 22:07:16 +0100

 ❦  2 novembre 2013 19:48 CET, Glenn Morris <rgm <at> gnu.org> :

> See http://debbugs.gnu.org/13374 and related discussion.

Thanks! Sorry for the duplicate, I didn't find this bug report.
-- 
printk("??? No FDIV bug? Lucky you...\n");
	2.2.16 /usr/src/linux/include/asm-i386/bugs.h
This bug report was last modified 11 years and 207 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.