GNU bug report logs -
#23759
25.1.50; open-tls-stream creates malformed gnutls-cli command if trusted cert files don't exist
Reported by: flitterio <at> gmail.com (Francis Litterio)
Date: Sun, 12 Jun 2016 21:35:02 UTC
Severity: normal
Tags: security, wontfix
Found in version 25.1.50
Done: Lars Ingebrigtsen <larsi <at> gnus.org>
Bug is archived. No further changes may be made.
Message #38 received at 23759 <at> debbugs.gnu.org (full text, mbox):
Hi,
On 5 July 2016 at 17:49, Noam Postavsky <npostavs <at> users.sourceforge.net>
wrote:
>
> I think gnutls is broken on master for OSX currently, see
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=23503
>
When I do this, with my patch enabled, I get a buffer with:
> Cache-Control: max-age=0
> Expires: Tue, 05 Jul 2016 14:58:42 GMT
> Content-Length: 3104
> Keep-Alive: timeout=3, max=100
> Connection: Keep-Alive
> Content-Type: text/html
> Content-Language: en
> ...
Of course, it would have worked even before the patch since currently
tls.el by default attempts two connections via gnutls-tls and then tries
via openssl s_client, which always worked for me (at least for ERC).
On 5 July 2016 at 17:36, Ted Zlatanov <tzz <at> lifelogs.com> wrote:
>
>
> As you said, one of the key points of your patch is this:
>
> - '("gnutls-cli --x509cafile %t -p %p %h"
> + '("gnutls-cli -p %p %h"
> + "gnutls-cli --x509cafile %t -p %p %h"
>
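Review bot: the ordering in this hunk puts `gnutls-cli -p %p %h` (no `--x509cafile`) ahead of the trustfile variant, so the first connection attempt always uses the system CA store and ignores the user's `gnutls-trustfiles`; moving that line to the end of the list keeps it as a fallback that is reached only after the explicit-trustfile commands have failed.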
I wouldn't characterize it as "one of the key points" of my patch, and the
patch would work just as well if instead the line without --x509cafile was
at the bottom of the list. Well, it would work worse for some users, but
the key word is that it would work - except that now it would take
several more attempts to connect on my computer and on OP's (instead of just
not connecting at all for OP).
> Which replaces the specific call with a generic call (no CA file
> specified). This is probably less secure because it will use the system
> CA trustfiles regardless of the user's preferred `gnutls-trustfiles', so
> I'd rather not make it the first thing attempted.
Personally, I also think that the default as defined in my current patch is
preferable, since anyone who messes around with the certificates would edit
this variable e.g. to set there --strict-tofu or the like (I did. It is a
bit more annoying to use, but since I rarely open a new domain in emacs,
it's not a big deal). For everyone else, they trust their system CAs all
the time when they go online. Especially considering that the previous
default for this variable had "--insecure" in the arguments, I thought that
the priorities for the new setting were 1>2>3 "1. It is secure by default.
2. It works by default. 3. It is secure in edge cases", rather than 1>3>2.
Anyway, I do concede that the second version is more secure. Attached is a
patch that I hope is more to your liking. I put the call that does not
use an explicit certificate at the bottom of the list, even below the call
to openssl s_client. I'm not sure what the implications are, as I don't
know the relative merits of openssl s_client vs gnutls-cli. If you are
inclined to educate me, please do as a short googling did not reveal the
answers.
> Once the libraries are installed, you're all set, they'll be used
> automatically.
>
From what both of you said, I still am not sure what is meant by "native
support". However, for various reasons I don't like the version provided in
homebrew. I prefer the version from https://emacsformacosx.com. Noam, is
this *"one of the pre-built binary packages"* you were referring to, or did
you mean something else? How will I know that the libraries are being used?
Finally, is there a way to test them explicitly? Anyway, it seems that the
version I got from the site above does not have built-in gnutls:
system-configuration-features is a variable defined in ‘C source code’.
Its value is "NOTIFY ACL LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS"
system-configuration-options is a variable defined in ‘C source code’.
Its value is
"--with-ns '--enable-locallisppath=/Library/Application
Support/Emacs/${version}/site-lisp:/Library/Application
Support/Emacs/site-lisp'
I'll build one myself and see if the results I get are any different.
Thanks for your time,
Kosta
[0001-tls-Make-open-tls-stream-try-all-gnutls-trustfiles-a.patch (application/octet-stream, attachment)]
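As an added illustration of the failure mode in the bug title and of the command-ordering question discussed in this message (example code, not from the thread or from tls.el itself; every `my-` name and the template list are assumptions), this builds the command lines the same way a `%h`/`%p`/`%t` substitution would, once naively and once skipping the `%t` templates when no trustfile exists:

```elisp
(require 'format-spec)

;; Constructed command list in the style of `tls-program'.  The variant
;; without --x509cafile is deliberately last, so it is only a fallback.
(defvar my-tls-templates
  '("gnutls-cli --x509cafile %t -p %p %h"
    "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
    "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"
    "gnutls-cli -p %p %h"))

(defun my-tls-spec (host port trustfile)
  "Build the %h/%p/%t substitution table; a nil TRUSTFILE becomes \"\"."
  (format-spec-make ?h host
                    ?p (if (integerp port) (number-to-string port) port)
                    ?t (or trustfile "")))

(defun my-tls-commands-naive (host port trustfile)
  "Expand every template unconditionally.
With TRUSTFILE nil, `--x509cafile' is left with no CA path before `-p',
which is the malformed gnutls-cli command the bug title describes."
  (mapcar (lambda (tmpl) (format-spec tmpl (my-tls-spec host port trustfile)))
          my-tls-templates))

(defun my-tls-commands-safe (host port trustfile)
  "Expand templates, dropping those that need %t when TRUSTFILE is nil.
Explicit-trustfile commands keep priority whenever a trustfile exists;
only when none does is the system-CA fallback reached."
  (delq nil
        (mapcar (lambda (tmpl)
                  (unless (and (null trustfile) (string-match-p "%t" tmpl))
                    (format-spec tmpl (my-tls-spec host port trustfile))))
                my-tls-templates)))

;; Compare the two with no existing trustfile, e.g. in *scratch*:
;; (my-tls-commands-naive "example.com" 443 nil)
;; (my-tls-commands-safe  "example.com" 443 nil)
;; and with one, e.g. (my-tls-commands-safe "example.com" 443 "/etc/ssl/cert.pem")
```

Pass the first existing entry of `gnutls-trustfiles` (or nil when none exists) as TRUSTFILE to see which commands would actually be attempted, and in which order.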
This bug report was last modified 6 years and 73 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.