GNU bug report logs - #26835
26.0.50; url-retrieve no longer raises certificate errors

Previous Next

Package: emacs;

Reported by: Aaron Jensen <aaronjensen <at> gmail.com>

Date: Mon, 8 May 2017 18:44:01 UTC

Severity: normal

Tags: security

Found in version 26.0.50

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

Full log

Message #24 received at 26835 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: 26835 <at> debbugs.gnu.org, aaronjensen <at> gmail.com
Subject: Re: bug#26835: 26.0.50;
 url-retrieve no longer raises certificate errors
Date: Wed, 10 May 2017 19:48:32 +0300

> From: Lars Ingebrigtsen <larsi <at> gnus.org>
> Cc: Aaron Jensen <aaronjensen <at> gmail.com>,  26835 <at> debbugs.gnu.org
> Date: Wed, 10 May 2017 16:24:13 +0200
> 
> >> (setq gnutls-verify-error t)
> >> (url-retrieve-synchronously "https://wrong.host.badssl.com/")
> >> 
> >> In Emacs 25.2, this causes an error to be thrown when you use
> >> url-retrieve, in 26, it silently proceeds.
> >
> > That's because we now perform GnuTLS negotiation asynchronously,
> > without blocking.
> 
> (As an aside, perhaps url-retrieve-synchronously should be opening the
> socket with :nowait nil?)

Yes, I had a similar thought while I was reading the code.

> Good analysis.  I'll try to have a look at this soonish (and make it
> report the error properly) unless somebody else beats me to it.

Thanks.
This bug report was last modified 7 years and 257 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.