unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#28458: 26.0.50; Does Emacs support SAN (subject alternate names)?
From: Lars Ingebrigtsen @ 2017-09-14 12:19 UTC
  To: 28458


I've been seeing some warnings about invalid TLS certificates lately
that seem kinda unlikely.  I mean, it's from major sites that shouldn't
have broken TLS certificates.  And the error is always that the host
name doesn't match the name of the certificate.

Which made me wonder: Does gnutls.c support SAN (subject alternate
names), which is a way to list oodles of host names in a single
certificate?  I can't find any mention of this in the code...

I'll try to get a test case going, but this bug report is mainly to
remind myself not to forget this again, which I've done the previous
dozen times this has happened.


In GNU Emacs 26.0.50 (build 7, x86_64-pc-linux-gnu, GTK+ Version 3.22.11)
 of 2017-09-13 built on mouse
Repository revision: bdb71dea4a478115bde5c8260f228613d6717157
Windowing system distributor 'The X.Org Foundation', version 11.0.11903000
System Description:	Ubuntu 17.04


-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no







* bug#28458: 26.0.50; Does Emacs support SAN (subject alternate names)?
From: Robert Pluim @ 2017-09-18 12:46 UTC
  To: Lars Ingebrigtsen; +Cc: 28458

Lars Ingebrigtsen <larsi@gnus.org> writes:

> I've been seeing some warnings about invalid TLS certificates lately
> that seem kinda unlikely.  I mean, it's from major sites that shouldn't
> have broken TLS certificates.  And the error is always that the host
> name doesn't match the name of the certificate.
>
> Which made me wonder: Does gnutls.c support SAN (subject alternate
> names), which is a way to list oodles of host names in a single
> certificate?  I can't find any mention of this in the code...
>

Good question. Example sites/certificates? (I have a vague memory of
there being more than one way to do SAN, perhaps we're looking at the
wrong field)

Regards

Robert






* bug#28458: 26.0.50; Does Emacs support SAN (subject alternate names)?
From: Lars Ingebrigtsen @ 2017-09-18 12:52 UTC
  To: Robert Pluim; +Cc: 28458

Robert Pluim <rpluim@gmail.com> writes:

> Good question. Example sites/certificates? (I have a vague memory of
> there being more than one way to do SAN, perhaps we're looking at the
> wrong field)

https://1000-sans.badssl.com/

has a lot of SANs.  :-)

Of course, after reporting this bug, it hasn't happened once to me
afterwards (that Emacs has claimed that it can't verify a certificate
due to a bad host name), so I've been unable to pursue this (possible)
issue any further...

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no






* bug#28458: 26.0.50; Does Emacs support SAN (subject alternate names)?
From: Robert Pluim @ 2017-09-18 13:07 UTC
  To: Lars Ingebrigtsen; +Cc: 28458

Lars Ingebrigtsen <larsi@gnus.org> writes:

> Robert Pluim <rpluim@gmail.com> writes:
>
>> Good question. Example sites/certificates? (I have a vague memory of
>> there being more than one way to do SAN, perhaps we're looking at the
>> wrong field)
>
> https://1000-sans.badssl.com/
>
> has a lot of SANs.  :-)
>

Yes, but that one works fine for me :-)

> Of course, after reporting this bug, it hasn't happened once to me
> afterwards (that Emacs has claimed that it can't verify a certificate
> due to a bad host name), so I've been unable to pursue this (possible)
> issue any further...

I've just re-read
<https://tools.ietf.org/html/rfc5280#section-4.2.1.6> and it looks
like there is ample scope for getting things wrong there....

Regards

Robert
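
An added illustration (not part of the thread, and not code from Emacs or GnuTLS) of the host-name check under discussion, following the RFC 2818 rule that dNSName entries in subjectAltName take precedence over the subject CN. The certificates are constructed dicts in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, the host names are made up, and only whole-label wildcards are modelled.

```python
# Added example: simplified model of TLS host-name checking (RFC 2818 rule).
# Not Emacs or GnuTLS code. Certificates are constructed dicts in the shape
# returned by ssl.SSLSocket.getpeercert(); all host names are made up.

def name_matches(pattern, host):
    """Compare one certificate name with a host name, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Assumption: only a whole-label wildcard in the leftmost position,
        # and only on names with at least three labels, is honoured.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def names_for_check(cert):
    """Return (source, names): dNSName SANs if present, else subject CNs."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return "subjectAltName", sans  # CN is ignored once a dNSName exists
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return "commonName", cns

def check_host(cert, host):
    """Report whether host is covered by cert, and by which entries."""
    source, names = names_for_check(cert)
    matched = [n for n in names if name_matches(n, host)]
    return {"host": host, "source": source, "ok": bool(matched),
            "matched": matched}

# Constructed certificate with several SANs and a CN that is not among them.
MULTI_SAN = {
    "subject": ((("commonName", "primary.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"),
                       ("DNS", "*.img.example.test"),
                       ("IP Address", "192.0.2.10")),
}
# Constructed legacy certificate with no subjectAltName extension at all.
CN_ONLY = {"subject": ((("commonName", "legacy.example.test"),),)}

if __name__ == "__main__":
    for cert, host in [(MULTI_SAN, "www.example.test"),
                       (MULTI_SAN, "a.img.example.test"),
                       (MULTI_SAN, "primary.example.test"),
                       (CN_ONLY, "legacy.example.test")]:
        print(check_host(cert, host))
```

In this model the third lookup fails even though the host equals the CN, because the CN is not consulted once any dNSName SAN is present; the name being checked is always the host actually connected to, which after a redirect may differ from the one typed.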






* bug#28458: 26.0.50; Does Emacs support SAN (subject alternate names)?
From: Lars Ingebrigtsen @ 2017-09-19 11:54 UTC
  To: Robert Pluim; +Cc: 28458

Finally, I got one of these warnings on a web site:

`M-x eww RET
http://media.boingboing.net/wp-content/uploads/2017/01/Autonomous_Design20by20Will20Staehle.jpg RET'

But!  It looks like this is a genuine error: Firefox gives the same
warning...  So perhaps this isn't an issue after all?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no







* bug#28458: 26.0.50; Does Emacs support SAN (subject alternate names)?
From: Robert Pluim @ 2017-09-19 12:22 UTC
  To: Lars Ingebrigtsen; +Cc: Robert Pluim, 28458

Lars Ingebrigtsen <larsi@gnus.org> writes:

> Finally, I got one of these warnings on a web site:
>
> `M-x eww RET
> http://media.boingboing.net/wp-content/uploads/2017/01/Autonomous_Design20by20Will20Staehle.jpg RET'
>
> But!  It looks like this is a genuine error: Firefox gives the same
> warning...  So perhaps this isn't an issue after all?

Also: that http URL redirects to https. If you access the https
version directly, it uses a different certificate than the redirected
one. Neither eww nor chrome complain about the non-redirected one.

Regards

Robert






* bug#28458: 26.0.50; Does Emacs support SAN (subject alternate names)?
From: Noam Postavsky @ 2017-11-29  2:33 UTC
  To: Robert Pluim; +Cc: Lars Ingebrigtsen, 28458

# not an Emacs bug
tags 28458 notabug
close 28458
quit

Robert Pluim <rpluim@gmail.com> writes:

> Lars Ingebrigtsen <larsi@gnus.org> writes:
>
>> Finally, I got one of these warnings on a web site:
>>
>> `M-x eww RET
>> http://media.boingboing.net/wp-content/uploads/2017/01/Autonomous_Design20by20Will20Staehle.jpg RET'
>>
>> But!  It looks like this is a genuine error: Firefox gives the same
>> warning...  So perhaps this isn't an issue after all?
>
> Also: that http URL redirects to https. If you access the https
> version directly, it uses a different certificate than the redirected
> one. Neither eww nor chrome complain about the non-redirected one.

Seems to be fixed on the remote end now.





