GNU bug report logs - #26835
26.0.50; url-retrieve no longer raises certificate errors


Package: emacs

Reported by: Aaron Jensen <aaronjensen <at> gmail.com>

Date: Mon, 8 May 2017 18:44:01 UTC

Severity: normal

Tags: security

Found in version 26.0.50

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.



Message #8 received at 26835 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Aaron Jensen <aaronjensen <at> gmail.com>
Cc: 26835 <at> debbugs.gnu.org
Subject: Re: bug#26835: 26.0.50; url-retrieve no longer raises certificate errors
Date: Mon, 08 May 2017 22:04:17 +0300

> From: Aaron Jensen <aaronjensen <at> gmail.com>
> Date: Mon, 8 May 2017 11:42:45 -0700
> 
> This post describes a method for configuring emacs to verify ssl
> certificates:
> https://glyph.twistedmatrix.com/2015/11/editor-malware.html
> 
> It also contains a snippet to test that it is properly configured:
> 
> (let ((bad-hosts
>        (loop for bad
>              in `("https://wrong.host.badssl.com/"
>                   "https://self-signed.badssl.com/")
>              if (condition-case e
>                     (url-retrieve
>                      bad (lambda (retrieved) t))
>                   (error nil))
>              collect bad)))
>   (if bad-hosts
>       (print (format "tls misconfigured; retrieved %s ok"
>                      bad-hosts))
>     (url-retrieve "https://badssl.com"
>                   (lambda (retrieved) t))))
> 
> This snippet works fine in 25.2 but reports an error on master (26.0.50).
> 
> As a simpler test, both:
> 
> (url-retrieve "https://wrong.host.badssl.com/")
> (url-retrieve-synchronously "https://wrong.host.badssl.com/")
> 
> Should fail, but do not.

I seem to be unable to reproduce any of the wrong behavior in the
current master build.  Could you please provide more details about
what errors you see and what failures you expected, but didn't see?

In my testing, Emacs asks me whether to continue connecting, when it
discovers a bad certificate, and it's up to me to decide.  Did it ask
you, and if it did, what alternative did you select?

Also, did you try all this in "emacs -Q"?  It looks like you did this
in a customized session (e.g., because in "emacs -Q" there's no 'loop'
function, which the above snippet uses).  So the problems could have
something to do with your customizations.

Thanks.




This bug report was last modified 7 years and 257 days ago.
