unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#19098: 24.4.51; gnutls.c doesn't handle wildcard certificates
@ 2014-11-18 18:01 Lars Magne Ingebrigtsen
  2014-11-19 21:03 ` Ted Zlatanov
  0 siblings, 1 reply; 8+ messages in thread
From: Lars Magne Ingebrigtsen @ 2014-11-18 18:01 UTC (permalink / raw)
  To: 19098


The new NSM code uncovered this problem:

--------
Certificate issued by GeoTrust SSL CA - G3
Issued to Tumblr, Inc.
Certificate host name: *.media.tumblr.com
Public key: RSA, signature: RSA-SHA256, security level: Low
Valid from: 2014-09-30, valid to: 2016-04-08

The TLS connection to 33.media.tumblr.com:443 is insecure
for the following reason:

certificate could not be verified
--------

So the host checking code in, I think, gnutls-negotiate should be
extended to understand things like "*.media.tumblr.com".




In GNU Emacs 24.4.51.61 (x86_64-unknown-linux-gnu, X toolkit, Xaw scroll bars)
 of 2014-11-18 on stories
Repository revision: f924c7deeb96d2caf0d0e4fabc6008204984feeb
Windowing system distributor `The X.Org Foundation', version 11.0.11204000
System Description:	Debian GNU/Linux 7.6 (wheezy)

Important settings:
  value of $LANG: en_US
  locale-coding-system: iso-latin-1-unix

Major mode: Help

Minor modes in effect:
  shell-dirtrack-mode: t
  diff-auto-refine-mode: t
  tooltip-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  buffer-read-only: t
  line-number-mode: t

Recent messages:
Reading active file from archive via nnfolder...done
Reading active file from archive via nnfolder...done
Reading active file via nndraft...done
Reading active file via nnmbox...done
Checking new news...done
Auto-saving...done
mouse-2: show the MIME part; down-mouse-3: more options
Type "q" in help window to restore its previous buffer.
Mark set [2 times]
Making completion list...

Load-path shadows:

Features:

Memory information:
((conses 16 706035 121227)
 (symbols 48 166335 29)
 (miscs 40 590 3166)
 (strings 32 224229 24050)
 (string-bytes 1 8107911)
 (vectors 16 39915)
 (vector-slots 8 1702537 199318)
 (floats 8 6807 2470)
 (intervals 56 24607 1215)
 (buffers 960 125)
 (heap 1024 117932 43945))

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no







* bug#19098: 24.4.51; gnutls.c doesn't handle wildcard certificates
  2014-11-18 18:01 bug#19098: 24.4.51; gnutls.c doesn't handle wildcard certificates Lars Magne Ingebrigtsen
@ 2014-11-19 21:03 ` Ted Zlatanov
  2014-12-08 20:11   ` Lars Magne Ingebrigtsen
  0 siblings, 1 reply; 8+ messages in thread
From: Ted Zlatanov @ 2014-11-19 21:03 UTC (permalink / raw)
  To: Lars Magne Ingebrigtsen; +Cc: 19098

On Tue, 18 Nov 2014 19:01:33 +0100 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote: 

LMI> The new NSM code uncovered this problem:

LMI> --------
LMI> Certificate issued by GeoTrust SSL CA - G3
LMI> Issued to Tumblr, Inc.
LMI> Certificate host name: *.media.tumblr.com
LMI> Public key: RSA, signature: RSA-SHA256, security level: Low
LMI> Valid from: 2014-09-30, valid to: 2016-04-08

LMI> The TLS connection to 33.media.tumblr.com:443 is insecure
LMI> for the following reason:

LMI> certificate could not be verified
LMI> --------

LMI> So the host checking code in, I think, gnutls-negotiate should be
LMI> extended to understand things like "*.media.tumblr.com".

For the hostname check, we use gnutls_x509_crt_check_hostname() which,
according to the docs, will handle wildcards.  But that's not the source
of this error :)

The error you cite comes from gnutls.c:

#+begin_src c
  ret = fn_gnutls_certificate_verify_peers2 (state, &peer_verification);
#+end_src

and is caused by the GNUTLS_CERT_INVALID flag. But I don't see a hint
anywhere that it does not work with wildcard certs (you have to
explicitly disable them, so the assumption is that they work by
default).  Also, if you set `gnutls-verify-error' to t, do you get the
corresponding error in the non-NSM flow?  "$HOSTNAME certificate could
not be verified."

Finally, can you verify the cert with gnutls-cli? If it's valid, I'll
ask on the GnuTLS mailing list because I'm probably missing something.
For me it fails:

#+begin_src text
% gnutls-cli 33.media.tumblr.com                                                                                         [nsm] 
Resolving '33.media.tumblr.com'...
Connecting to '209.197.3.20:443'...
- Certificate type: X.509
 - Got a certificate list of 4 certificates.
 - Certificate[0] info:
  - subject `C=US,ST=New York,L=New York,O=Tumblr\, Inc.,CN=*.media.tumblr.com', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-09-30 00:00:00 UTC', expires `2016-04-08 23:59:59 UTC', SHA-1 fingerprint `099be258615288fba254ee2cf428422be6c8f3ca'
 - Certificate[1] info:
  - subject `C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2013-11-05 21:36:50 UTC', expires `2022-05-20 21:36:50 UTC', SHA-1 fingerprint `5aeaee3f7f2a9449cebafeec68fdd184f20124a7'
 - Certificate[2] info:
  - subject `C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2013-11-05 21:36:50 UTC', expires `2022-05-20 21:36:50 UTC', SHA-1 fingerprint `5aeaee3f7f2a9449cebafeec68fdd184f20124a7'
 - Certificate[3] info:
  - subject `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2002-05-21 04:00:00 UTC', expires `2022-05-21 04:00:00 UTC', SHA-1 fingerprint `de28f4a4ffe5b92fa3c503d1a349a7f9962a8212'
- The hostname in the certificate matches '33.media.tumblr.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: ARCFOUR-128
- MAC: SHA1
- Compression: NULL
- Handshake was completed
#+end_src

Ted
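The distinction drawn in the message above (hostname matching and chain verification are separate checks, and only the second one failed here), as an added example that is not part of the thread and is not Emacs or GnuTLS code. It assumes a simplified rule where `*` may only be the entire left-most label; the names `wildcard_host_match`, `triage` and `tls_verdict` are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive ASCII comparison of two NUL-terminated DNS names. */
static int ascii_ieq(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Simplified wildcard rule (an assumption of this example, not GnuTLS's
   implementation): '*' is accepted only as the whole left-most label, it
   stands for exactly one label, and at least two labels must follow it. */
int wildcard_host_match(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0')
        return 0;

    if (strncmp(pattern, "*.", 2) != 0) {
        /* No leading wildcard label: any other '*' is rejected outright. */
        if (strchr(pattern, '*') != NULL)
            return 0;
        return ascii_ieq(pattern, host);
    }

    const char *suffix = pattern + 1;          /* e.g. ".media.tumblr.com" */
    if (strchr(suffix, '*') != NULL)           /* only one wildcard allowed */
        return 0;
    if (strchr(suffix + 1, '.') == NULL)       /* rejects patterns like "*.com" */
        return 0;

    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)            /* host needs a first label */
        return 0;
    return ascii_ieq(dot, suffix);             /* remainder must equal suffix */
}

/* The two checks are independent; report which one actually failed. */
enum tls_verdict {
    TLS_OK,
    TLS_CHAIN_UNTRUSTED,
    TLS_HOSTNAME_MISMATCH,
    TLS_BOTH_FAILED
};

enum tls_verdict triage(int chain_trusted, const char *cert_name,
                        const char *host)
{
    int name_ok = wildcard_host_match(cert_name, host);

    if (chain_trusted && name_ok)
        return TLS_OK;
    if (!chain_trusted && name_ok)
        return TLS_CHAIN_UNTRUSTED;
    if (chain_trusted)
        return TLS_HOSTNAME_MISMATCH;
    return TLS_BOTH_FAILED;
}

int main(void)
{
    static const char *names[] = {
        "ok", "chain untrusted", "hostname mismatch", "both failed"
    };
    /* Names taken from the thread; chain_trusted = 0 mirrors the
       "issuer is unknown" result in the gnutls-cli transcript. */
    const char *cert_name = "*.media.tumblr.com";
    const char *host = "33.media.tumblr.com";

    printf("name match: %d\n", wildcard_host_match(cert_name, host));
    printf("verdict:    %s\n", names[triage(0, cert_name, host)]);
    return 0;
}
```
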






* bug#19098: 24.4.51; gnutls.c doesn't handle wildcard certificates
  2014-11-19 21:03 ` Ted Zlatanov
@ 2014-12-08 20:11   ` Lars Magne Ingebrigtsen
  2014-12-10 16:08     ` Ted Zlatanov
  0 siblings, 1 reply; 8+ messages in thread
From: Lars Magne Ingebrigtsen @ 2014-12-08 20:11 UTC (permalink / raw)
  To: 19098

Ted Zlatanov <tzz@lifelogs.com> writes:

> and is caused by the GNUTLS_CERT_INVALID flag. But I don't see a hint
> anywhere that it does not work with wildcard certs (you have to
> explicitly disable them, so the assumption is that they work by
> default).  Also, if you set `gnutls-verify-error' to t, do you get the
> corresponding error in the non-NSM flow?  "$HOSTNAME certificate could
> not be verified."

Yes:

Debugger entered--Lisp error: (error "Certificate validation failed 33.media.tumblr.com, verification code 2")
  gnutls-boot(#<process nntpd<4>> gnutls-x509pki (:priority "NORMAL" :hostname "33.media.tumblr.com" :loglevel 0 :min-prime-bits 256 :trustfiles ("/etc/ssl/certs/ca-certificates.crt") :crlfiles nil :keylist nil :verify-flags nil :verify-error t :callbacks nil))

So I think the certificate just couldn't be verified, so this bug report
is, like, totally bogus, man.

Closing.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no






* bug#19098: 24.4.51; gnutls.c doesn't handle wildcard certificates
  2014-12-08 20:11   ` Lars Magne Ingebrigtsen
@ 2014-12-10 16:08     ` Ted Zlatanov
  2014-12-10 16:27       ` Lars Magne Ingebrigtsen
  0 siblings, 1 reply; 8+ messages in thread
From: Ted Zlatanov @ 2014-12-10 16:08 UTC (permalink / raw)
  To: Lars Magne Ingebrigtsen; +Cc: 19098-done

On Mon, 08 Dec 2014 21:11:49 +0100 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote: 

LMI> So I think the certificate just couldn't be verified, so this bug report
LMI> is, like, totally bogus, man.

Excellent.

LMI> Closing.

I didn't see a CC to 19098-done@debbugs.gnu.org so I'm doing it here.
If you did it in some other backchannel, how am I supposed to know?
HOW!?!?!?!?! :)

Ted






* bug#19098: 24.4.51; gnutls.c doesn't handle wildcard certificates
  2014-12-10 16:08     ` Ted Zlatanov
@ 2014-12-10 16:27       ` Lars Magne Ingebrigtsen
  2014-12-10 16:34         ` Ted Zlatanov
  0 siblings, 1 reply; 8+ messages in thread
From: Lars Magne Ingebrigtsen @ 2014-12-10 16:27 UTC (permalink / raw)
  To: 19098; +Cc: Ted Zlatanov

Ted Zlatanov <tzz@lifelogs.com> writes:

> LMI> Closing.
>
> I didn't see a CC to 19098-done@debbugs.gnu.org so I'm doing it here.
> If you did it in some other backchannel, how am I supposed to know?
> HOW!?!?!?!?! :)

I use the `C' command in the summary mode of debbugs, which sends a
message to control@debbugs or something...

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no






* bug#19098: 24.4.51; gnutls.c doesn't handle wildcard certificates
  2014-12-10 16:27       ` Lars Magne Ingebrigtsen
@ 2014-12-10 16:34         ` Ted Zlatanov
  2014-12-21 12:10           ` Lars Ingebrigtsen
  0 siblings, 1 reply; 8+ messages in thread
From: Ted Zlatanov @ 2014-12-10 16:34 UTC (permalink / raw)
  To: Lars Magne Ingebrigtsen; +Cc: 19098

On Wed, 10 Dec 2014 17:27:16 +0100 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote: 

LMI> Ted Zlatanov <tzz@lifelogs.com> writes:
LMI> Closing.
>> 
>> I didn't see a CC to 19098-done@debbugs.gnu.org so I'm doing it here.
>> If you did it in some other backchannel, how am I supposed to know?
>> HOW!?!?!?!?! :)

LMI> I use the `C' command in the summary mode of debbugs, which sends a
LMI> message to control@debbugs or something...

I usually don't use debbugs, but instead read nntp+news.gmane.org:gmane.emacs.bugs

It would be nice if I could add something to Gnus to tell me the state
of the bug, even outside of debbugs.

Ted






* bug#19098: 24.4.51; gnutls.c doesn't handle wildcard certificates
  2014-12-10 16:34         ` Ted Zlatanov
@ 2014-12-21 12:10           ` Lars Ingebrigtsen
  2014-12-24 12:49             ` Ted Zlatanov
  0 siblings, 1 reply; 8+ messages in thread
From: Lars Ingebrigtsen @ 2014-12-21 12:10 UTC (permalink / raw)
  To: 19098

Ted Zlatanov <tzz@lifelogs.com> writes:

> It would be nice if I could add something to Gnus to tell me the state
> of the bug, even outside of debbugs.

The debbugs interface is basically one mbox file per bug.  The state of
the bug is in the first "email" in that mbox file.  So Gnus would have
to pull down that mbox file to determine the state of the bug.

I think the right solution here is "just use debbugs-gnu".  :-)

-- 
(domestic pets only, the antidote for overdose, milk.)
  bloggy blog http://lars.ingebrigtsen.no/






* bug#19098: 24.4.51; gnutls.c doesn't handle wildcard certificates
  2014-12-21 12:10           ` Lars Ingebrigtsen
@ 2014-12-24 12:49             ` Ted Zlatanov
  0 siblings, 0 replies; 8+ messages in thread
From: Ted Zlatanov @ 2014-12-24 12:49 UTC (permalink / raw)
  To: Lars Ingebrigtsen; +Cc: 19098

On Sun, 21 Dec 2014 13:10:59 +0100 Lars Ingebrigtsen <larsi@gnus.org> wrote: 

LI> Ted Zlatanov <tzz@lifelogs.com> writes:
>> It would be nice if I could add something to Gnus to tell me the state
>> of the bug, even outside of debbugs.

LI> The debbugs interface is basically one mbox file per bug.  The state of
LI> the bug is in the first "email" in that mbox file.  So Gnus would have
LI> to pull down that mbox file to determine the state of the bug.

LI> I think the right solution here is "just use debbugs-gnu".  :-)

...but it's sooooo close to being a proper Gnus backend!  Have mercy!

(Hmmm, could it be a plugin backend?  I think that would be a first.)

Ted




