GNU bug report logs - #19404
25.0.50; Gnus shows self-signed certificate warning when connecting to Gmane


Package: emacs;

Reported by: Dmitry Gutov <dgutov <at> yandex.ru>

Date: Thu, 18 Dec 2014 11:53:01 UTC

Severity: normal

Found in version 25.0.50

Done: Dmitry Gutov <dgutov <at> yandex.ru>

Bug is archived. No further changes may be made.



Message #79 received at 19404 <at> debbugs.gnu.org (full text, mbox):

From: David Engster <deng <at> randomsample.de>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: 19404 <at> debbugs.gnu.org, Eli Zaretskii <eliz <at> gnu.org>, dgutov <at> yandex.ru
Subject: Re: bug#19404: 25.0.50; Gnus shows self-signed certificate warning when connecting to Gmane
Date: Fri, 19 Dec 2014 17:55:19 +0100

Lars Ingebrigtsen writes:
> Eli Zaretskii <eliz <at> gnu.org> writes:
>
>>> It simply means: "The certificate’s issuer is not known. This is the
>>> case if the issuer is not included in the trusted certificate list."
>>
>> I suggest that we say something like this, indeed.
>
> However, this means nothing to people who don't know what it already
> means, while "self-signed" is something that more people understand.

You wish...

> But the suggestion to only suggest that the certificate may be
> self-signed if the issuer and host name are the same may help a bit.
> There's quite a few self-signed sites out there where that's not the
> case, though.

The host name has nothing to do with a certificate being self-signed or
not. Forget actual servers for a moment and look only at the
certificate. There's an 'issuer' and a 'subject'. Both contain
identities in the form of a string like

  /C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org

As you can see, part of that string is the "common name" (CN), which can
be a hostname (maybe with a wildcard), an email address, etc. Whoever
has the private key for that certificate claims the identity for that
CN.

The 'issuer' is the identity who signed that certificate with its own
private key. In real life this should mean that the issuer made sure
that the person who created that certificate with this CN is actually
the administrator for that server, or the person with that e-mail
address.

If a certificate is "self-signed", this means that issuer and subject
are the same entity, i.e., the string in there is identical. There are
some rules for how these strings must be compared. I think(!) that if you
simply compare them byte by byte, you should err on the side of
safety. But I would assume there is a function for that in GnuTLS that
adheres to RFC5280 for comparing such things.

As to what messages we should emit in such cases, I think we should
simply say what Firefox says: "The certificate is not trusted because it
is self-signed."

-David
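The issuer-versus-subject comparison David describes, as an added example that is not part of the thread and not Emacs or GnuTLS code. It parses the OpenSSL "oneline" DN form quoted above (slash-separated RDNs; multi-valued RDNs and escaped slashes are deliberately out of scope), then compares two DNs either byte for byte or under the RFC 5280 section 7.1 name-matching rules (attribute values compared case-insensitively with surrounding whitespace dropped and internal whitespace collapsed), and picks the Firefox-style wording from the thread when issuer and subject match. The sample DNs are constructed for the example; only the Gmane one is taken from the message.

```python
"""Decide whether a certificate's issuer and subject name the same entity.

Added illustration for the bug#19404 discussion; the DN parser is a
deliberately minimal reading of OpenSSL's '/C=..../CN=...' oneline form.
"""
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, attribute value)

SELF_SIGNED_MSG = "The certificate is not trusted because it is self-signed."
UNKNOWN_ISSUER_MSG = ("The certificate's issuer is not known. This is the case "
                      "if the issuer is not included in the trusted certificate list.")


def parse_dn(dn: str) -> List[RDN]:
    """Parse '/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org' into RDN pairs.

    Assumption: every RDN is a single 'type=value' pair and values contain
    no '/' characters.  Anything else is rejected rather than guessed at.
    """
    pairs: List[RDN] = []
    for part in dn.split("/"):
        if not part:          # leading slash / empty component
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr_type, value = part.split("=", 1)
        pairs.append((attr_type.strip(), value))
    return pairs


def _fold(value: str) -> str:
    """RFC 5280 7.1 string preparation, simplified: drop leading and trailing
    whitespace, collapse internal whitespace runs, compare case-insensitively."""
    return " ".join(value.split()).casefold()


def names_match(dn_a: str, dn_b: str, strict: bool = False) -> bool:
    """True if the two DNs name the same entity.

    strict=True  -> byte-for-byte comparison of the parsed RDNs.
    strict=False -> RFC 5280 style comparison (case/whitespace-insensitive
                    values, case-insensitive attribute types, same order).
    """
    a, b = parse_dn(dn_a), parse_dn(dn_b)
    if strict:
        return a == b
    if len(a) != len(b):
        return False
    return all(ta.upper() == tb.upper() and _fold(va) == _fold(vb)
               for (ta, va), (tb, vb) in zip(a, b))


def is_self_issued(issuer: str, subject: str, strict: bool = False) -> bool:
    """The 'issuer and subject are the same entity' test from the thread.

    Note: RFC 5280 calls this 'self-issued'; 'self-signed' additionally
    requires that the signature verifies under the subject's own key, which a
    DN comparison alone cannot establish."""
    return names_match(issuer, subject, strict)


def warning_message(issuer: str, subject: str, issuer_trusted: bool,
                    strict: bool = False):
    """Pick the user-facing wording: None when the issuer is trusted,
    the Firefox-style text when the cert names itself as issuer, and the
    GnuTLS-style 'issuer is not known' text otherwise."""
    if issuer_trusted:
        return None
    if is_self_issued(issuer, subject, strict):
        return SELF_SIGNED_MSG
    return UNKNOWN_ISSUER_MSG


# Constructed sample DNs (only GMANE is from the bug thread).
GMANE = "/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org"
GMANE_RECASED = "/C=NO/ST=SOME-STATE/o=gmane/CN=News.Gmane.Org"
GMANE_SPACED = "/C=NO/ST=Some-State/O=  Gmane /CN=news.gmane.org"
SOME_CA = "/C=NO/O=Example Root CA/CN=Example Root CA"

if __name__ == "__main__":
    print("identical, strict:", is_self_issued(GMANE, GMANE, strict=True))
    print("recased, strict:  ", is_self_issued(GMANE_RECASED, GMANE, strict=True))
    print("recased, RFC5280: ", is_self_issued(GMANE_RECASED, GMANE))
    print(warning_message(SOME_CA, GMANE, issuer_trusted=False))
```

The strict and RFC 5280 modes disagree exactly on DNs that differ only in case or whitespace, which is the situation the thread is worried about: a byte comparison reports "issuer not known" where the RFC 5280 rules say the certificate names itself. In GnuTLS the corresponding check is `gnutls_x509_crt_check_issuer(cert, cert)`, which also verifies the signature rather than only comparing names.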







GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.