GNU bug report logs - #19284
25.0.50; tls.el uses option --insecure

Previous Next

Package: emacs;

Reported by: Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>

Date: Fri, 5 Dec 2014 19:44:01 UTC

Severity: normal

Tags: fixed, security

Found in version 25.0.50

Fixed in version 25.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>
To: 19284 <at> debbugs.gnu.org
Subject: bug#19284: 25.0.50; tls.el uses option --insecure
Date: Fri, 05 Dec 2014 20:43:09 +0100

This is a followup to bug#16978, where I reported multiple MITM
issues.

tls.el calls gnutls-cli with option --insecure.

As Emacs applies TOFU by default via nsm.el (great work, many
thanks!), the above is dangerous.  I continue to use the following:
(setq tls-program '("gnutls-cli --strict-tofu -p %p %h"))

I’m not sure under what conditions tls.el is necessary.  Is it?

Best wishes
Jens

This bug report was last modified 9 years and 148 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #19284 25.0.50; tls.el uses option --insecure

GNU bug report logs - #19284
25.0.50; tls.el uses option --insecure