GNU bug report logs - #16978
24.3; SSL/TLS with multiple man-in-the-middle vulnerabilities


Package: emacs;

Reported by: Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>

Date: Mon, 10 Mar 2014 07:00:02 UTC

Severity: important

Tags: fixed, security

Merged with 16193, 18600

Found in versions 24.3, 24.3.94

Fixed in version 25.1

Done: Lars Magne Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.



Message #21 received at 16978 <at> debbugs.gnu.org (full text, mbox):

From: Ted Zlatanov <tzz <at> lifelogs.com>
To: Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>
Cc: 16978 <at> debbugs.gnu.org, Glenn Morris <rgm <at> gnu.org>
Subject: Re: bug#16978: 24.3; SSL/TLS with multiple man-in-the-middle vulnerabilities
Date: Mon, 17 Mar 2014 17:33:56 -0400

On Tue, 11 Mar 2014 18:04:25 +0100 Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org> wrote:

JL> I'm now on GNU Emacs 24.3.50.1.  I can't get gnutls-verify-error to
JL> work.  So far I only tried that with NNTPS, not SMTP.  If I set
JL> gnutls-verify-error to t, the TCP connection to port 563 is closed
JL> immediately (on the wire I see FIN/ACK immediately after the
JL> three-way handshake; no TLS related data at all).
JL> Afterwards, the server is shown as offline in the server buffer.
JL> gnus-server-open-server fails as long as gnutls-verify-error is t.

Hi Jens,

I've tested this:

(require 'gnutls)
(setq gnutls-verify-error t)
(open-gnutls-stream "tls" "tls-buffer" "imap.gmail.com" "imaps")
(open-gnutls-stream "tls" "tls-buffer" "localhost" "imaps")

I just made a small change to allow the t in the above, so please update
to the latest.

Can you please run `gnutls-serv' with the right options and hit it
directly, and see if that replicates the issue?

Thanks
Ted
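
The following is an added example, not part of the original message or of Emacs itself. It runs the same `open-gnutls-stream' call once with `gnutls-verify-error' set to nil and once with t, to separate a certificate verification failure from a plain connection failure. The `my/' helper names are hypothetical.

```elisp
(require 'gnutls)

(defun my/tls-probe (host service verify)
  "Open a TLS stream to HOST:SERVICE with `gnutls-verify-error' bound to VERIFY.
Return (ok) if the stream opened, or (failed . MESSAGE) if an error
was signalled while connecting or negotiating."
  (let ((gnutls-verify-error verify)   ; dynamic binding, restored on exit
        (buf (generate-new-buffer " *tls-probe*")))
    (unwind-protect
        (condition-case err
            (progn
              (open-gnutls-stream "tls-probe" buf host service)
              (list 'ok))
          (error (cons 'failed (error-message-string err))))
      ;; Drop any process still attached to the buffer so that
      ;; `kill-buffer' does not ask for confirmation.
      (let ((proc (get-buffer-process buf)))
        (when proc (delete-process proc)))
      (kill-buffer buf))))

(defun my/tls-verify-report (host service)
  "Probe HOST:SERVICE with verification off and on; return a summary symbol.
`reachable-and-verified': both probes succeeded.
`verification-rejected':  only the probe with `gnutls-verify-error' t failed.
`connection-problem':     the probe failed even with verification off."
  (let ((lax    (my/tls-probe host service nil))
        (strict (my/tls-probe host service t)))
    (message "verify=nil -> %S" lax)
    (message "verify=t   -> %S" strict)
    (cond ((eq (car lax) 'failed)    'connection-problem)
          ((eq (car strict) 'failed) 'verification-rejected)
          (t                         'reachable-and-verified))))

;; Hosts and service taken from the message above:
;; (my/tls-verify-report "imap.gmail.com" "imaps")
;; (my/tls-verify-report "localhost" "imaps")
```

A `verification-rejected' result for a server whose certificate is known to be valid for that host name and issued by a trusted CA points at the client-side handling rather than the server.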




This bug report was last modified 10 years and 178 days ago.
