GNU bug report logs - #18600
24.3.94; EWW fails to check https certificates


Package: emacs;

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Thu, 2 Oct 2014 06:27:02 UTC

Severity: important

Tags: fixed, security

Merged with 16193, 16978

Found in versions 24.3, 24.3.94

Fixed in version 25.1

Done: Lars Magne Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.



Message #28 received at 18600 <at> debbugs.gnu.org (full text, mbox):

From: Stefan Monnier <monnier <at> iro.umontreal.ca>
To: Mark H Weaver <mhw <at> netris.org>
Cc: 18600 <at> debbugs.gnu.org, Glenn Morris <rgm <at> gnu.org>
Subject: Re: bug#18600: 24.3.94; EWW fails to check https certificates
Date: Sat, 04 Oct 2014 22:00:27 -0400

> With these in mind, I have two recommendations:
> * I believe that eww https should check certificates by default in 24.4,
>   even though other tls connections are tolerant by default.
> * At minimum, it should be possible to enable certificate checking for
>   eww https connections while still allowing self-signed certificates
>   for other uses of 'open-gnutls-stream' such as imaps and smtps.  This
>   is a fairly common case.

I think it's too late to do that for Emacs-24.4.  But we should apply
such a change to `emacs-24' after the 24.4 release, so that it will be
included in the next release regardless of whether the next release is 25.1 or
a 24.5 bugfix.


        Stefan




This bug report was last modified 10 years and 180 days ago.


