From: David Engster
Newsgroups: gmane.emacs.bugs
Subject: bug#19404: 25.0.50; Gnus shows self-signed certificate warning when connecting to Gmane
Date: Thu, 18 Dec 2014 22:40:56 +0100
Message-ID: <87lhm4myaf.fsf@engster.org>
References: <86ppbhrx9a.fsf@yandex.ru> <838ui5uf27.fsf@gnu.org> <83vbl8uau2.fsf@gnu.org> <871tnwoglm.fsf@engster.org> <83ioh8u1cs.fsf@gnu.org>
In-Reply-To: <83ioh8u1cs.fsf@gnu.org> (Eli Zaretskii's message of "Thu, 18 Dec 2014 22:52:51 +0200")
To: Eli Zaretskii
Cc: 19404@debbugs.gnu.org, larsi@gnus.org, dgutov@yandex.ru

Eli Zaretskii writes:

>> From: David Engster
>> Cc: Eli Zaretskii, 19404@debbugs.gnu.org, dgutov@yandex.ru
>> Date: Thu, 18 Dec 2014 21:20:05 +0100
>
>>
>> Just to make a few things clear: A 'self-signed' certificate simply
>> means that a certificate is signed with its own private key. You can
>> easily identify them by looking at the 'Issuer' and 'Subject' - they are
>> identical:
>>
>>   openssl s_client -connect news.gmane.org:563
>>
>>   [...]
>>
>>   Certificate chain
>>    0 s:/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org
>>      i:/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org
>>
>> If you connect to a service secured with such a certificate, you'll be
>> greeted with a certificate chain with a depth of '0', only containing
>> this one certificate (so it's actually not a chain). Self-signed
>> certificates are by default never trustworthy, since anyone can create
>> them.
>
> Do you understand why I got the same "self-signed" indication for a
> certificate whose chain couldn't be verified because the root
> certificates were not available? E.g., remove or rename your bundle,
> then try "M-x eww" to some HTTPS address -- you will see the
> "self-signed" indication in that case as well. Why does this happen?

I see now that :self-signed is mapped to
GNUTLS_CERT_SIGNER_NOT_FOUND. This however does not mean that a
certificate is self-signed. See

http://www.gnutls.org/manual/gnutls.html#gnutls_005fcertificate_005fstatus_005ft

It simply means:

"The certificate’s issuer is not known. This is the case if the
issuer is not included in the trusted certificate list."

It *could* be self-signed. I don't know the best way in libgnutls to
detect this. You probably have to compare issuer and subject, or
similar.

-David
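
Added example, not part of the original message and not Emacs or GnuTLS code: a sketch of the issuer/subject comparison suggested above, applied to the `openssl s_client` chain listing so that "issuer not in the trusted list" is reported separately from a self-issued certificate. The function names, the return labels and the `CA_ISSUED` sample are assumptions made for illustration.

```python
import re

# Constructed inputs in `openssl s_client` "Certificate chain" format.
# SELF_ISSUED is the chain quoted in the message; CA_ISSUED is made up.
SELF_ISSUED = """Certificate chain
 0 s:/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org
   i:/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org
"""
CA_ISSUED = """Certificate chain
 0 s:/CN=www.example.org
   i:/O=Example Trust/CN=Example Issuing CA
 1 s:/O=Example Trust/CN=Example Issuing CA
   i:/O=Example Trust/CN=Example Root CA
"""

_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")


def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from s_client output."""
    chain, pending = [], None
    for line in text.splitlines():
        subj, iss = _SUBJECT.match(line), _ISSUER.match(line)
        if subj:
            pending = (int(subj.group(1)), subj.group(2).strip())
        elif iss and pending:
            chain.append((*pending, iss.group(1).strip()))
            pending = None
    return chain


def classify(text, signer_not_found):
    """Label the leaf certificate without conflating the two cases.

    signer_not_found (assumed input): the verifier reported that the issuer
    is not in the trusted list, i.e. GNUTLS_CERT_SIGNER_NOT_FOUND.
    """
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no certificate chain found")
    _, subject, issuer = chain[0]
    if not signer_not_found:
        return "issuer-trusted"
    # Equal names only show the certificate is self-issued; proving it is
    # self-signed also needs its signature checked against its own key.
    if subject == issuer:
        return "self-issued"
    return "issuer-unknown"
```

With the root bundle removed, both samples would raise the signer-not-found flag, but only the first is a candidate for a "self-signed" warning; the second should be reported as an unknown issuer.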