GNU bug report logs - #19404
25.0.50; Gnus shows self-signed certificate warning when connecting to Gmane


Package: emacs;

Reported by: Dmitry Gutov <dgutov <at> yandex.ru>

Date: Thu, 18 Dec 2014 11:53:01 UTC

Severity: normal

Found in version 25.0.50

Done: Dmitry Gutov <dgutov <at> yandex.ru>

Bug is archived. No further changes may be made.



Message #49 received at 19404 <at> debbugs.gnu.org (full text, mbox):

From: David Engster <deng <at> randomsample.de>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 19404 <at> debbugs.gnu.org, larsi <at> gnus.org, dgutov <at> yandex.ru
Subject: Re: bug#19404: 25.0.50; Gnus shows self-signed certificate warning when connecting to Gmane
Date: Thu, 18 Dec 2014 22:40:56 +0100
Eli Zaretskii writes:
>> From: David Engster <deng <at> randomsample.de>
>> Cc: Eli Zaretskii <eliz <at> gnu.org>,  19404 <at> debbugs.gnu.org,  dgutov <at> yandex.ru
>> Date: Thu, 18 Dec 2014 21:20:05 +0100
>
>> 
>> Just to make a few things clear: A 'self-signed' certificate simply
>> means that a certificate is signed with its own private key. You can
>> easily identify them by looking at the 'Issuer' and 'Subject' - they are
>> identical:
>> 
>>   openssl s_client -connect news.gmane.org:563
>> 
>>   [...]
>> 
>>   Certificate chain
>>   0 s:/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org
>>     i:/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org
>> 
>> If you connect to a service secured with such a certificate, you'll be
>> greeted with a certificate chain with a depth of '0', only containing
>> this one certificate (so it's actually not a chain). Self-signed
>> certificates are by default never trustworthy, since anyone can create
>> them.
>
> Do you understand why I got the same "self-signed" indication for a
> certificate whose chain couldn't be verified because the root
> certificates were not available?  E.g., remove or rename your bundle,
> then try "M-x eww" to some HTTPS address -- you will see the
> "self-signed" indication in that case as well.  Why does this happen?

I see now that :self-signed is mapped to
GNUTLS_CERT_SIGNER_NOT_FOUND. This however does not mean that a
certificate is self-signed. See

http://www.gnutls.org/manual/gnutls.html#gnutls_005fcertificate_005fstatus_005ft

It simply means: "The certificate’s issuer is not known. This is the
case if the issuer is not included in the trusted certificate list."

It *could* be self-signed. I don't know the best way in libgnutls to
detect this. You probably have to compare issuer and subject, or
similar.

-David
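The distinction David draws above, as an added example that is not part of the bug thread and not code from Emacs or GnuTLS: the script below builds, offline, one genuinely self-signed certificate and one leaf certificate signed by a private CA, then applies two checks. `self_issued` compares Subject and Issuer as the message suggests; `self_signed` goes one step further and asks OpenSSL to verify the certificate with itself as the only trust anchor, which only a certificate signed by its own key passes. `classify` then shows that OpenSSL, unlike the GnuTLS status flag discussed above, reports the two cases with different error codes (18 for a self-signed leaf, 20 for an issuer that is simply absent from the trust list), and that the CA-signed leaf becomes trusted as soon as its root is supplied. It assumes the `openssl` command line tool (1.1.0 or newer, for `-no-CAfile`/`-no-CApath`); every certificate name is a made-up fixture.

```shell
#!/bin/sh
# Added example, not from the bug report. Fixtures (keys, names) are
# generated here and are not real; requires the openssl CLI >= 1.1.0.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A genuinely self-signed certificate: Subject == Issuer and it is
#    signed with its own private key.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/C=XX/O=Example/CN=selfsigned.example.test" \
    -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null

# 2. A private CA and a leaf it signs. The leaf is NOT self-signed, but a
#    client without this CA in its trust list cannot find the issuer either.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/C=XX/O=Example/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=XX/O=Example/CN=leaf.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 1 -out "$WORK/leaf.crt" 2>/dev/null

# Name comparison, as suggested in the message: "yes" if the certificate
# names itself as its own issuer. Necessary but not sufficient for
# "self-signed", since the names say nothing about which key signed it.
self_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then echo yes; else echo no; fi
}

# Verify CERT against an empty trust list, or against ANCHOR if given, and
# print the OpenSSL verify error number of the first failure (empty = OK).
# Known values: 18 = self-signed certificate at depth 0,
#               20 = unable to get local issuer certificate.
verify_error_code() {
    cert=$1; anchor=${2:-}
    if [ -n "$anchor" ]; then
        out=$(openssl verify -no-CAfile -no-CApath -CAfile "$anchor" "$cert" 2>&1)
    else
        out=$(openssl verify -no-CAfile -no-CApath "$cert" 2>&1)
    fi
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Stronger check: does the certificate verify with itself as the sole trust
# anchor? Only a certificate signed by its own key does.
self_signed() {
    if [ -z "$(verify_error_code "$1" "$1")" ]; then echo yes; else echo no; fi
}

# Turn the verify result into the finding a client should report.
classify() {
    case "$(verify_error_code "$1" "${2:-}")" in
        "")  echo trusted ;;
        18)  echo self-signed ;;
        20)  echo issuer-not-found ;;
        *)   echo other-error ;;
    esac
}

# Stand-alone demo: the two certificates look alike to a client that has no
# roots at all, yet only one of them is actually self-signed.
for c in self leaf; do
    printf '%s.crt: self_issued=%s self_signed=%s without_roots=%s\n' \
        "$c" "$(self_issued "$WORK/$c.crt")" "$(self_signed "$WORK/$c.crt")" \
        "$(classify "$WORK/$c.crt")"
done
printf 'leaf.crt with ca.crt as root: %s\n' "$(classify "$WORK/leaf.crt" "$WORK/ca.crt")"
```

The practical consequence for a client that only sees a "signer not found" status: the right follow-up is to check whether the certificate verifies against itself (or at least whether Subject and Issuer coincide) before labelling it self-signed, and otherwise to report that the issuer is unknown, which is the case Eli reproduced by removing the CA bundle.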




This bug report was last modified 10 years and 190 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.