From: bug#16193 <16193@debbugs.gnu.org>
Subject: Status: 24.3; Enable TLS certificate checking by default
Date: Thu, 19 Jun 2025 06:05:13 +0000

retitle 16193 24.3; Enable TLS certificate checking by default
reassign 16193 emacs
submitter 16193 "William G. Gardella"
severity 16193 important
tag 16193 fixed security
thanks

From: "William G. Gardella"
To: bug-gnu-emacs@gnu.org
Subject: 24.3; Enable TLS certificate checking by default
Date: Thu, 19 Dec 2013 19:20:04 +0000
Message-ID: <87y53g7imz.fsf@motoko.kusanagi>

How to reproduce: use `open-network-stream' on any TLS connection to a
server with an invalid, expired, or self-signed certificate.

What I expect to happen: Emacs asks the user or signals an `error' or
`user-error', terminating the connection attempt, or queries the user if
they wish to continue.

What does happen: The connection silently succeeds as though nothing
were wrong.

Why this is a problem: TLS is a dangerous place in the second decade of
the 21st century, with numerous maliciously or accidentally
misconfigured sites and a lot of criminal activity centered on
subverting certs. It's hard enough for OS distributors to keep their
certificate stores up to date to account for the latest breach, but that
much worse if applications don't even bother to check against them.
Emacs users should not be assumed to be any more vigilant to protect
themselves than users of any other TLS frontend that defaults to this
broken behavior of not checking certificates--that is to say, virtually
any non-browser frontend to TLS.

Recommended solutions:

1. Set `tls-checktrust' to 'ask or 'always by default.

2. Ensure that `tls-checktrust' actually works on an Emacs where
libgnutls is linked in. (As far as I can tell, gnutls makes no
reference to this variable, although `gnutls-negotiate' does seem to
have some low-level facility for checking certificates, and there is the
`gnutls-trustfiles' variable).

3. Document the default behavior in locations highly visible to users,
i.e. not just in the elisp manual, which is primarily for people writing
elisp, but also in the manuals of major `open-network-stream'-using
packages, such as ERC and smtpmail. This is still an inferior solution
as users are unlikely to consult these manuals if nothing seems to be
wrong.

--
Best,
WGG

In GNU Emacs 24.3.1 (x86_64-slackware-linux-gnu)
 of 2013-06-11 on motoko
Windowing system distributor `The X.Org Foundation', version 11.0.11204000
Configured using:
 `configure '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var'
 '--program-prefix=' '--program-suffix=' '--mandir=/usr/man'
 '--infodir=/usr/info' '--without-gconf' '--without-gsettings' '--with-x'
 '--with-x-toolkit=no' '--build=x86_64-slackware-linux'
 'build_alias=x86_64-slackware-linux' 'CFLAGS=-O2 -fPIC''

Important settings:
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8
  default enable-multibyte-characters: t

Major mode: ERC

From: Ted Zlatanov
To: "William G. Gardella"
Cc: 16193@debbugs.gnu.org
Subject: Re: bug#16193: 24.3; Enable TLS certificate checking by default
Date: Thu, 19 Dec 2013 15:23:23 -0500
In-Reply-To: <87y53g7imz.fsf@motoko.kusanagi>
Message-ID: <87pposh9ok.fsf@flea.lifelogs.com>

On Thu, 19 Dec 2013 19:20:04 +0000 "William G. Gardella" wrote:

WGG> How to reproduce: use `open-network-stream' on any TLS connection to a
WGG> server with an invalid, expired, or self-signed certificate.

WGG> What I expect to happen: Emacs asks the user or signals an `error' or
WGG> `user-error', terminating the connection attempt, or queries the user if
WGG> they wish to continue.

Please try setting `gnutls-verify-error' through customize in the Emacs
trunk. Set it to t to always error on verification issues.

I plan to change it to t (or some variation thereof,
e.g. sit-for-a-bit) after the upcoming release, but didn't want to break
people's setups.

Also there's no way to make it interactive due to the way Emacs
constructs the GnuTLS connection. It has to error out completely.

WGG> Recommended solutions:

WGG> 2. Ensure that `tls-checktrust' actually works on an Emacs where
WGG> libgnutls is linked in. (As far as I can tell, gnutls makes no
WGG> reference to this variable, although `gnutls-negotiate' does seem to
WGG> have some low-level facility for checking certificates, and there is the
WGG> `gnutls-trustfiles' variable).

Please check that it works for you as described above. If yes, we'll
close this ticket.

WGG> 3. Document the default behavior in locations highly visible to users,
WGG> i.e. not just in the elisp manual, which is primarily for people writing
WGG> elisp, but also in the manuals of major `open-network-stream'-using
WGG> packages, such as ERC and smtpmail. This is still an inferior solution
WGG> as users are unlikely to consult these manuals if nothing seems to be
WGG> wrong.

After the upcoming release, yes.

Ted

From: Glenn Morris
Subject: control message for bug 16193
Date: Fri, 03 Oct 2014 19:40:09 -0400

forcemerge 18600 16193

From: Glenn Morris
Subject: control message for bug 16193
Date: Fri, 03 Oct 2014 19:46:10 -0400

merge 16978 16193

From: Lars Magne Ingebrigtsen
To: control@debbugs.gnu.org
Subject: control message for bug #18600
Date: Sun, 23 Nov 2014 18:10:42 +0100

tags 18600 fixed
close 18600 25.1

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Mon, 22 Dec 2014 12:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
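
The setting suggested in Ted Zlatanov's reply (`gnutls-verify-error' set to t), together with a way to check that it takes effect, as an added example that is not part of the thread or of Emacs itself. It assumes an Emacs that provides `gnutls-verify-error' and is linked with GnuTLS; the `my-tls-' function names and the example.org host names are hypothetical placeholders.

```elisp
;;; Added example, not code from the thread.  Assumes an Emacs that has
;;; the `gnutls-verify-error' option and is linked with GnuTLS.
(require 'gnutls)

;; Persistent form of the setting suggested in the reply: treat every
;; certificate verification failure as a fatal error.
(setq gnutls-verify-error t)

(defun my-tls-verify-probe (host port)
  "Open a TLS connection to HOST:PORT with verification failures fatal.
Return (HOST PORT connected) if the handshake was accepted, or
(HOST PORT refused MESSAGE) if `open-network-stream' signaled an error.
A refused result also covers DNS and TCP failures; MESSAGE tells them
apart.  `my-tls-verify-probe' is a hypothetical helper name."
  (unless (and (fboundp 'gnutls-available-p) (gnutls-available-p))
    (error "This Emacs is not using the built-in GnuTLS support"))
  (unless (boundp 'gnutls-verify-error)
    (error "This Emacs has no `gnutls-verify-error' option"))
  ;; Bind the option locally so the probe gives the same answer
  ;; whatever the user's global value is.
  (let ((gnutls-verify-error t)
        proc)
    (unwind-protect
        (condition-case err
            (progn
              (setq proc (open-network-stream "tls-verify-probe" nil
                                              host port :type 'tls))
              (list host port 'connected))
          (error (list host port 'refused (error-message-string err))))
      ;; Always close the connection if one was established.
      (when (processp proc)
        (delete-process proc)))))

(defun my-tls-verify-report (targets)
  "Run `my-tls-verify-probe' on each (HOST . PORT) pair in TARGETS.
Return the list of probe results in the same order."
  (mapcar (lambda (target)
            (my-tls-verify-probe (car target) (cdr target)))
          targets))

;; Usage, with placeholder hosts.  Replace them with a server you run
;; that presents a valid certificate and one you run that presents a
;; self-signed or expired certificate:
;;
;;   (my-tls-verify-report '(("valid.example.org" . 443)
;;                           ("self-signed.example.org" . 443)))
```

With the option in effect, the server with the valid certificate should come back as `connected' and the self-signed or expired one as `refused'. If the second also reports `connected', verification is not being enforced, which is the behavior this report describes.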