GNU bug report logs - #26835
26.0.50; url-retrieve no longer raises certificate errors

Previous Next

Package: emacs;

Reported by: Aaron Jensen <aaronjensen <at> gmail.com>

Date: Mon, 8 May 2017 18:44:01 UTC

Severity: normal

Tags: security

Found in version 26.0.50

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

Full log

Message #27 received at 26835 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: larsi <at> gnus.org
Cc: 26835 <at> debbugs.gnu.org, aaronjensen <at> gmail.com
Subject: Re: bug#26835: 26.0.50;
 url-retrieve no longer raises certificate errors
Date: Sat, 02 Sep 2017 16:42:44 +0300

> Date: Wed, 10 May 2017 19:48:32 +0300
> From: Eli Zaretskii <eliz <at> gnu.org>
> Cc: 26835 <at> debbugs.gnu.org, aaronjensen <at> gmail.com
> 
> > From: Lars Ingebrigtsen <larsi <at> gnus.org>
> > Cc: Aaron Jensen <aaronjensen <at> gmail.com>,  26835 <at> debbugs.gnu.org
> > Date: Wed, 10 May 2017 16:24:13 +0200
> > 
> > >> (setq gnutls-verify-error t)
> > >> (url-retrieve-synchronously "https://wrong.host.badssl.com/")
> > >> 
> > >> In Emacs 25.2, this causes an error to be thrown when you use
> > >> url-retrieve, in 26, it silently proceeds.
> > >
> > > That's because we now perform GnuTLS negotiation asynchronously,
> > > without blocking.
> > 
> > (As an aside, perhaps url-retrieve-synchronously should be opening the
> > socket with :nowait nil?)
> 
> Yes, I had a similar thought while I was reading the code.
> 
> > Good analysis.  I'll try to have a look at this soonish (and make it
> > report the error properly) unless somebody else beats me to it.
> 
> Thanks.

Ping!  Lars, any news on this issue?
This bug report was last modified 7 years and 257 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.