From: Ted Zlatanov
Newsgroups: gmane.emacs.bugs
Subject: bug#23759: 25.1.50; 25.1.50; open-tls-stream creates malformed gnutls-cli command if trusted cert files don't exist
Date: Tue, 05 Jul 2016 17:17:11 -0400
Message-ID: <87k2gzhjjc.fsf_-_@lifelogs.com>
To: Noam Postavsky
Cc: 23759@debbugs.gnu.org, Konstantin Kliakhandler
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security

On Tue, 5 Jul 2016 10:49:38 -0400 Noam Postavsky wrote:

NP> I think
NP> gnutls is broken on master for OSX currently, see
NP> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=23503

Unfortunately I don't have access to Mac OS X anymore (I did until
recently) so I can't verify or fix that issue.

On Tue, 5 Jul 2016 19:54:53 +0300 Konstantin Kliakhandler wrote:

KK> On 5 July 2016 at 17:36, Ted Zlatanov wrote:

>> [Kosta's patch] replaces the specific call with a generic call (no CA file
>> specified). This is probably less secure because it will use the system
>> CA trustfiles regardless of the user's preferred `gnutls-trustfiles', so
>> I'd rather not make it the first thing attempted.

KK> the patch would work just as well if instead the line without --x509cafile was
KK> at the bottom of the list. Well, it would work worse for some users, but
KK> the key word is that it would work - except that now it would take
KK> several more attempts to connect on my computer and on the OP's (instead of just
KK> not connecting at all for the OP).

Unfortunately it's less secure in the default case. I agree that it's
faster and more convenient.

Perhaps there can be a way to say "if this %t is empty, remove the
preceding --argument as well" in the format string? That would simplify
the whole thing, like so:

"gnutls-cli --x509cafile %T -p %p %h"

...becomes

"gnutls-cli -p PORT HOST"

when the %T parameter is nil. Just an idea...

KK> Personally, I also think that the default as defined in my current patch is
KK> preferable, since anyone who messes around with the certificates would edit
KK> this variable e.g. to set there --strict-tofu or the like (I did. It is a
KK> bit more annoying to use, but since I rarely open a new domain in emacs,
KK> it's not a big deal).

Many users don't know about these settings, and many don't have the
right GnuTLS libraries installed but think they do (so they are using
this library accidentally). I think it's good to be cautious here and
provide safe defaults.

The TOFU stuff is an interesting use case. The Emacs NSM (see
`network-security-level' and friends) tries to address this area to some
degree, but there's lots of work to be done.

KK> Anyway, I do concede that the second version is more secure. Attached is a
KK> patch that I hope is more to your liking. I put the call that does not
KK> use an explicit certificate at the bottom of the list, even below the call
KK> to openssl s_client. I'm not sure what the implications are, as I don't
KK> know the relative merits of openssl s_client vs gnutls-cli. If you are
KK> inclined to educate me, please do as a short googling did not reveal the
KK> answers.

I'd group all the gnutls-cli calls together so it's more predictable and
easier to read. Otherwise it's fine IMHO. I know we have many security
experts here, perhaps they'll comment.

I am also concerned that SSLv3 is explicitly in the defaults. See
http://disablessl3.com/ etc.--I think that should be removed if
possible. I'll bring it up on emacs-devel.

>> Once the libraries are installed, you're all set, they'll be used
>> automatically.

KK> From what both of you said, I still am not sure what is meant by "native
KK> support". However, for various reasons I don't like the version provided in
KK> homebrew. I prefer the version from https://emacsformacosx.com.

OK, talk to the people that build that version :) Homebrew is what I
used when I had access to Mac OS X, and it worked well for me.

As Noam said, if `gnutls-available-p' returns t, you've got the native C
bindings to GnuTLS working. IMHO after the 25.1 release, opening a
secure network connection without `gnutls-available-p' should be an
annoying warning. I'll bring it up on emacs-devel.

Ted
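The "%T drops its preceding --flag when nil" idea from the message above, written out as an added Emacs Lisp example. This is not code from Emacs's tls.el, nor from the patch discussed in the thread; the function names (`my-tls-...`), the `%T` semantics and the constructed inputs are assumptions made for illustration. It also shows the ordering point from the thread: entries that pin a CA file come first, and the entry that falls back to the system trust store is tried last, while an entry whose `%t` has no existing file is skipped instead of being run with an empty file name.

```elisp
;; Added example (hypothetical names, not Emacs's own tls.el code):
;; expand a tls-program style format string into an argument list.
;; %h, %p and %t are replaced by HOST, PORT and TRUSTFILE.  %T also
;; expands to TRUSTFILE, but when TRUSTFILE is nil both the %T and the
;; argument right before it (its option flag) are omitted, so
;; "gnutls-cli --x509cafile %T -p %p %h" becomes "gnutls-cli -p PORT HOST"
;; instead of a malformed command with a dangling --x509cafile.

(defun my-tls-expand-format (fmt host port trustfile)
  "Expand FMT for HOST, PORT and TRUSTFILE into a list of arguments.
See the comment above for the meaning of %h, %p, %t and %T."
  (let ((port-str (if (integerp port) (number-to-string port) port))
        (out nil))
    (dolist (arg (split-string fmt "[ \t]+" t))
      (if (string= arg "%T")
          (if trustfile
              (push trustfile out)
            (pop out))                  ; drop the flag pushed just before %T
        (push (replace-regexp-in-string
               "%[hpt]"
               (lambda (m)
                 (pcase m
                   ("%h" host)
                   ("%p" port-str)
                   ;; plain %t with no file yields an empty argument,
                   ;; which is exactly the malformed command of the bug
                   ("%t" (or trustfile ""))))
               arg t t)
              out)))
    (nreverse out)))

(defun my-tls-first-existing (files)
  "Return the first element of FILES naming an existing file, else nil."
  (catch 'found
    (dolist (f files)
      (when (and f (file-exists-p f))
        (throw 'found f)))
    nil))

(defun my-tls-candidate-commands (programs host port trustfiles)
  "Expand every format string in PROGRAMS for HOST and PORT, in order.
TRUSTFILES is a list of CA bundles (like `gnutls-trustfiles'); the
first one that exists is used.  When none exists, entries using plain
%t are skipped rather than run with an empty file name, and entries
using %T lose their CA-file flag.  PROGRAMS should list the commands
that pin a CA file before the one that falls back to the system trust
store, so the less strict fallback is attempted last."
  (let ((trustfile (my-tls-first-existing trustfiles)))
    (delq nil
          (mapcar (lambda (fmt)
                    (unless (and (null trustfile)
                                 (string-match-p "%t" fmt))
                      (my-tls-expand-format fmt host port trustfile)))
                  programs))))

;; Usage with constructed inputs; the CA bundle path deliberately does
;; not exist, so the %t entry is skipped and the %T entry loses its flag.
(my-tls-candidate-commands
 '("gnutls-cli --x509cafile %T -p %p %h"
   "gnutls-cli --x509cafile %t -p %p %h"
   "gnutls-cli -p %p %h")
 "example.com" 443 '("/no/such/ca-bundle.crt"))
```

The expander works on an argument list rather than on a shell command string, which sidesteps quoting of file names with spaces; the price is that `%%` and quoted arguments in the format string are not handled. The check that matters for the thread is the last one: whatever the expansion rules, the command that verifies against the user's bundle must come before the one that silently uses whatever the system trusts.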