GNU bug report logs - #15792
24.3; Builtin TLS support should enable certificate verification support by default


Package: emacs;

Reported by: Vincent Bernat <bernat <at> luffy.cx>

Date: Sat, 2 Nov 2013 18:45:02 UTC

Severity: important

Merged with 13374, 13877

Found in version 24.3

Done: Ted Zlatanov <tzz <at> lifelogs.com>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Moritz Ulrich <moritz <at> tarn-vedra.de>
Subject: bug#13877: closed (Re: bug#15792: 24.3; Builtin TLS support
 should enable certificate verification support by default)
Date: Sat, 02 Nov 2013 21:08:03 +0000
Your bug report

#15792: 24.3; gnutls.el: Enable Certificate Checks

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 13877 <at> debbugs.gnu.org.

-- 
15792: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=15792
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: Vincent Bernat <bernat <at> luffy.cx>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 15792-close <at> debbugs.gnu.org
Subject: Re: bug#15792: 24.3;
 Builtin TLS support should enable certificate verification support by
 default
Date: Sat, 02 Nov 2013 22:07:16 +0100
 ❦  2 November 2013 19:48 CET, Glenn Morris <rgm <at> gnu.org> :

> See http://debbugs.gnu.org/13374 and related discussion.

Thanks! Sorry for the duplicate, I didn't find this bug report.
-- 
printk("??? No FDIV bug? Lucky you...\n");
	2.2.16 /usr/src/linux/include/asm-i386/bugs.h

From: Moritz Ulrich <moritz <at> tarn-vedra.de>
To: bug-gnu-emacs <at> gnu.org
Subject: 24.3; gnutls.el: Enable Certificate Checks
Date: Tue, 05 Mar 2013 11:40:09 +0100
Currently, gnutls.el doesn't check certificate signatures when used via
`open-network-stream' with :type 'tls or `open-gnutls-stream'.

This is caused by the following code from `open-gnutls-stream'
(gnutls.el:110):

--8<---------------cut here---------------start------------->8---
(gnutls-negotiate :process (open-network-stream name buffer host service)
                  :type 'gnutls-x509pki
                  :hostname host)
--8<---------------cut here---------------end--------------->8---

There is NO way to set :verify-host, :verify-flags, etc. for this call
to `gnutls-negotiate' when using gnutls via high-level functions like
`open-network-stream'.

I consider this a bug, as Emacs won't check any certificates and
therefore allow man in the middle attacks without even documenting this.

It should at least be possible to pass :verify-* from
`open-network-stream' down to `gnutls-negotiate'. That would be a simple
yet effective solution.


In GNU Emacs 24.3.1 (x86_64-apple-darwin11.4.2, NS apple-appkit-1138.51)
 of 2013-03-05 on Moritzs-MacBook-Air
Windowing system distributor `Apple', version 10.3.1138
Configured using:
 `configure '--prefix=/usr/local/Cellar/emacs/24.3-rc1' '--without-dbus'
 '--enable-locallisppath=/usr/local/share/emacs/site-lisp'
 '--infodir=/usr/local/Cellar/emacs/24.3-rc1/share/info/emacs'
 '--with-ns' '--disable-ns-self-contained' '--with-gnutls' '--with-jpeg'
 '--with-xml2' '--with-imagemagick' 'CC=cc''


-- 
Moritz Ulrich
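The verification arguments that the report above says cannot reach `gnutls-negotiate' through `open-network-stream' can be supplied by calling `gnutls-negotiate' directly. The following is an added example, not code from gnutls.el or from anyone in this thread; it assumes the Emacs 24.3 keywords :trustfiles and :verify-error, and a CA bundle at the Debian-style path shown (adjust for your system).

```elisp
;; Added example, not from gnutls.el or the bug thread.  Opens a TLS
;; connection the way `open-gnutls-stream' does in Emacs 24.3, but
;; passes the verification keywords that `open-network-stream' cannot
;; forward, so an untrusted certificate or a hostname mismatch fails
;; the connection instead of being silently accepted.
(require 'gnutls)

;; Assumption: a Debian-style CA bundle path; adjust for your system.
(defvar my-tls-trustfiles '("/etc/ssl/certs/ca-certificates.crt")
  "CA bundle(s) used to verify peer certificates.")

(defun my-open-verified-tls-stream (name buffer host service)
  "Like `open-gnutls-stream', but verify the peer certificate and HOST.
Return the process on success.  On a verification failure, close the
connection and re-signal the `gnutls-error' so callers cannot keep
using an unverified socket."
  (let ((proc (open-network-stream name buffer host service)))
    (condition-case err
        (gnutls-negotiate :process proc
                          :type 'gnutls-x509pki
                          :hostname host
                          :trustfiles my-tls-trustfiles
                          ;; t enforces both the :trustfiles (chain)
                          ;; and :hostname checks as hard errors.
                          :verify-error t)
      (gnutls-error
       ;; Do not leave a half-negotiated socket around for callers.
       (delete-process proc)
       (signal (car err) (cdr err))))))

;; Usage with a constructed host name: returns a process on success,
;; signals `gnutls-error' on a bad or mismatched certificate.
;; (my-open-verified-tls-stream "imap" nil "imap.example.com" 993)
```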



This bug report was last modified 11 years and 208 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.