GNU bug report logs - #16978: 24.3; SSL/TLS with multiple man-in-the-middle vulnerabilities
Reported by: Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>
Date: Mon, 10 Mar 2014 07:00:02 UTC
Severity: important
Tags: fixed, security
Merged with 16193, 18600
Found in versions 24.3, 24.3.94
Fixed in version 25.1
Done: Lars Magne Ingebrigtsen <larsi <at> gnus.org>
On 2014-03-17, Ted Zlatanov wrote:
> (require 'gnutls)
> (setq gnutls-verify-error t)
> (open-gnutls-stream "tls" "tls-buffer" "imap.gmail.com" "imaps")
> (open-gnutls-stream "tls" "tls-buffer" "localhost" "imaps")
>
> I just made a small change to allow the t in the above, so please
> update to the latest.
>
> Can you please run `gnutls-serv' with the right options and hit it
> directly, and see if that replicates the issue?
Hi Ted,
I don’t see `gnutls-serv'. The following works for me:
(open-gnutls-stream "tls" "tls-buffer" "imap.gmail.com" "imaps")
It also catches MITM attacks with self-signed certs:
(error "Certificate validation failed imap.gmail.com, verification code 66")
That’s good.
Thanks
Jens
P.S. Self-signed certs are unusable now, e.g., this fails:
(open-gnutls-stream "tls" "tls-buffer" "news.gmane.org" "nntps")
Of course, this is to be expected, but Gnus aborts the connection
without any user-visible clue, and the server is reported to be
offline.
P.P.S. I’m using imap.el, which knows of various ways to establish
SSL/TLS connections, but gnutls.el is not among them.
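The behaviour discussed in the message, as an added example that is not part of the bug report or of Emacs: a wrapper around `open-gnutls-stream' that keeps `gnutls-verify-error' enabled and turns a certificate-validation failure into a user-visible message rather than a silent "server offline". The `my-open-verified-tls' name is a hypothetical helper introduced here.

```elisp
;; Added example, not code from the bug report or from Emacs/Gnus.
;; Wraps `open-gnutls-stream' so that a certificate that fails
;; verification (self-signed, wrong host, MITM) is refused *and* the
;; reason is shown to the user, instead of the connection silently
;; being dropped and the server reported as offline.
(require 'gnutls)

(defun my-open-verified-tls (name buffer host service)
  "Open a TLS stream to HOST:SERVICE with certificate verification on.
Return the process on success.  On a validation failure, show the
error text and return nil so the caller can distinguish a refused
certificate from an unreachable host.
`my-' prefix marks this as a hypothetical helper."
  (let ((gnutls-verify-error t))        ; never fall back to unverified TLS
    (condition-case err
        (open-gnutls-stream name buffer host service)
      (error
       ;; The report shows the failure surfaces as a plain `error'
       ;; ("Certificate validation failed HOST, verification code N").
       (message "TLS connection to %s:%s refused: %s" host service
                (error-message-string err))
       nil))))

;; Usage, mirroring the two cases in the message: a host with a chain
;; that verifies returns a process; a self-signed host is refused visibly.
;; (my-open-verified-tls "tls" "tls-buffer" "imap.gmail.com" "imaps")
;; (my-open-verified-tls "tls" "tls-buffer" "news.gmane.org" "nntps")
```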