GNU bug report logs - #16784
24.3; Problems opening NNTP connection: failing starttls because of a non-verified certificate


Packages: gnus, emacs;

Reported by: sb <at> dod.no

Date: Mon, 17 Feb 2014 17:52:01 UTC

Severity: normal

Tags: fixed

Found in version 24.3

Fixed in version 25.1

Done: Lars Magne Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.




From: Ted Zlatanov <tzz <at> lifelogs.com>
To: sb <at> dod.no
Cc: Lars Magne Ingebrigtsen <larsi <at> gnus.org>, 16784 <at> debbugs.gnu.org
Subject: bug#16784: 24.3; Problems opening NNTP connection: failing starttls because of a non-verified certificate
Date: Thu, 20 Mar 2014 10:48:25 -0400
On Tue, 18 Feb 2014 10:43:00 -0500 Ted Zlatanov <tzz <at> lifelogs.com> wrote: 

TZ> On Mon, 17 Feb 2014 18:50:32 +0100 sb <at> dod.no wrote: 
s> Entering news.gmane.no nntp groups in gnus fails on Windows, because it
s> tries to upgrade the connection using STARTTLS and fails because the
s> news.gmane.org certificate is self signed.

SB> I would like one of the following solutions:
SB> 1. The possibility to switch off the attempted upgrade to STARTTLS for
SB> NNTP connections

I think Lars has to give an opinion here.

SB> 2. The possibility to tell GNU-TLS not to be so stringent about
SB> certificate verification

The latest Emacs trunk has this:

(defcustom gnutls-verify-error nil
  "If non-nil, this should be a list of checks per hostname regex or t."
  :group 'gnutls
  :version "24.4"
  :type '(choice
          (const t)
          (repeat :tag "List of hostname regexps with flags for each"
           (list
            (choice :tag "Hostname"
                    (const ".*" :tag "Any hostname")
                    regexp)
            (set (const :trustfiles)
                 (const :hostname))))))

So basically customize that variable and add :trustfiles and :hostname
for the respective verifications, or nil to disable them.

Also note that internally, we use some default flags for
`gnutls-negotiate'.  From the docstring:

VERIFY-FLAGS is a numeric OR of verification flags only for
`gnutls-x509pki' connections.  See GnuTLS' x509.h for details;
here's a recent version of the list.

    GNUTLS_VERIFY_DISABLE_CA_SIGN = 1,
    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 2,
    GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 4,
    GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 8,
    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
    GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
    GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
    GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256

It must be omitted, a number, or nil; if omitted or nil it
defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT.

This is the current default, except as modified by the GnuTLS priority
string.  I would expect callers such as Gnus to modify this, but not
normal users.

Ted
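The configuration below is an added example, not code from the bug report or from Emacs's gnutls.el, showing how a user on Emacs 24.4 or later would act on the two settings Ted describes without turning verification off for every host. It assumes the `gnutls-verify-error' defcustom quoted above (each list entry is (HOSTNAME-REGEXP (CHECKS...)), and the flags of every matching entry are appended together when a connection is made) and the existing `gnutls-trustfiles' variable, which lists the CA/certificate files GnuTLS trusts; the hostnames and file path are placeholders.

```elisp
;; Added example (not from the bug report or from gnutls.el).
;; Assumed: `gnutls-verify-error' as declared above, and the
;; `gnutls-trustfiles' list of trusted certificate files.
;; Hostnames and the PEM path below are placeholders.

;; 1. Baseline: fail the connection on any verification error, for
;;    every host.  A plain `t' is safer than a per-host list because an
;;    unmatched host in a list gets no checks at all (only a log entry).
(setq gnutls-verify-error t)

;; 2. Pin the self-signed server instead of disabling verification.
;;    Export its certificate once in PEM form (for example with
;;    `gnutls-cli --print-cert'), compare the fingerprint out of band,
;;    and add the file to the trust list.  The :trustfiles check then
;;    succeeds for that exact certificate and still fails for anyone
;;    presenting a different one, which is the property a global
;;    "don't verify" setting throws away.
(add-to-list 'gnutls-trustfiles
             (expand-file-name "~/.emacs.d/certs/news.example.net.pem"))

;; 3. Alternative to step 1, only when checks really must differ per
;;    host.  Entries are (HOSTNAME-REGEXP (CHECKS...)); anchor the
;;    regexps so "news.example.org.attacker.test" does not match.
;;    Note the caveat: every host matching an entry gets the union of
;;    the flags of all matching entries, so a catch-all ".*" entry
;;    cannot be "overridden" by a narrower one, and a host that matches
;;    nothing is not checked.  Only one `setq' of `gnutls-verify-error'
;;    should be active; this one is therefore left commented out.
;; (setq gnutls-verify-error
;;       '(("\\`news\\.example\\.org\\'" (:trustfiles :hostname))
;;         ("\\`legacy-news\\.example\\.net\\'" (:hostname))))
```

With step 2 in place the reporter's case (a self-signed NNTP server) works under the strict setting: the server's own certificate is the trust anchor, so the STARTTLS upgrade verifies, while a changed certificate or a hostname mismatch still aborts the connection.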







GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.