From: Ted Zlatanov
Newsgroups: gmane.emacs.bugs
Subject: bug#9017: 24.0.50; gnutls.c: [0] (Emacs) fatal error: Key usage violation in certificate has been detected.
Date: Wed, 25 Jan 2012 16:32:52 -0600
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <87wr8fbegb.fsf@lifelogs.com>
References: <87ei22yzz3.fsf@niu.edu> <19995.450.645561.299970@gargle.gargle.HOWL> <19995.2276.68599.608421@gargle.gargle.HOWL> <19995.3751.825437.128524@gargle.gargle.HOWL> <19995.6586.299315.729607@gargle.gargle.HOWL> <19997.45936.636066.132554@gargle.gargle.HOWL> <19997.49819.733446.452844@gargle.gargle.HOWL> <87hb6n7ars.fsf@lifelogs.com> <20002.11953.120421.334092@gargle.gargle.HOWL> <20002.54164.83168.584630@gargle.gargle.HOWL> <20003.40556.788680.652938@gargle.gargle.HOWL> <87fwf3frvp.fsf@lifelogs.com> <87ipjzinar.fsf@gnus.org>
In-Reply-To: <87ipjzinar.fsf@gnus.org> (Lars Ingebrigtsen's message of "Wed, 25 Jan 2012 20:39:56 +0100")
To: Lars Ingebrigtsen
Cc: 9017@debbugs.gnu.org, Roland Winkler
User-Agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.92 (gnu/linux)

On Wed, 25 Jan 2012 20:39:56 +0100 Lars Ingebrigtsen wrote:

LI> Ted Zlatanov writes:

>> gnutls.c: [0] (Emacs) fatal error: Key usage violation in certificate
>> has been detected.
>>
>> we should at least tell the user "hey, maybe
>>
>> (setq gnutls-algorithm-priority "normal:-dhe-rsa")
>>
>> would work for you. Do you want to try it?"
>>
>> I don't think it should be tried automatically. That's convenient but
>> insecure. The priority string above basically disables security.

LI> Oh, I thought it just disabled the dhe-rsa-algorithm? Which would then
LI> allow gnutls to fall back on different algos?
From Nikos' reply recommending -dhe-rsa:

"This certificate restricts its usage to key encipherment. For TLS this is restricted to only the RSA key exchange. By misconfiguration however the server allows you to connect with a ciphersuite that violates this usage and that's why gnutls-cli fails to connect."

I may be misunderstanding the intent, but I thought globally you're saying you'll allow restricted certificates. I'm not sure that's ideal and I think it is insecure, but I'm not so sure anymore after thinking about it more carefully.

Either way it seems that `gnutls-algorithm-priority' will have to be one of those string-or-alist-or-function variables, so you can disable security altogether for specific hosts that need it. I can add that support if you think it's reasonable.

Ted
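The per-host variant Ted sketches above, as an added illustration that is not code from the bug thread or from Emacs itself: a relaxed priority string is looked up by host name and let-bound around a single connection, so it never applies to other hosts. `gnutls-algorithm-priority` and the string "normal:-dhe-rsa" come from the thread; the variable `my-gnutls-host-priority-alist`, the functions `my-gnutls-priority-for-host` and `my-open-tls-stream`, and the host names are hypothetical names and constructed sample data chosen for this example. It assumes, as Emacs 24's gnutls.el does, that `gnutls-negotiate` reads `gnutls-algorithm-priority` dynamically when `open-network-stream` is called with `:type 'tls`.

```elisp
;; Added example (not from the bug thread or from Emacs): scope a relaxed
;; GnuTLS priority string to one host instead of setting it globally.
;; Hypothetical names: my-gnutls-host-priority-alist,
;; my-gnutls-priority-for-host, my-open-tls-stream.

(require 'gnutls)

(defvar my-gnutls-host-priority-alist
  ;; Constructed sample entry: only this host gets the relaxed string.
  '(("imap.example.invalid" . "normal:-dhe-rsa"))
  "Alist mapping a host name to the GnuTLS priority string to use for it.
Hosts that are not listed get nil, which leaves the gnutls.el default
priority in effect.")

(defun my-gnutls-priority-for-host (host)
  "Return the priority string configured for HOST, or nil for the default.
The match is an exact, case-insensitive comparison of the host name, so a
relaxed entry cannot accidentally cover other hosts in the same domain."
  (cdr (assoc-string host my-gnutls-host-priority-alist t)))

(defun my-open-tls-stream (name buffer host service)
  "Open a TLS connection to HOST:SERVICE using a host-scoped priority string.
`gnutls-algorithm-priority' is let-bound only for the duration of this
call, so the relaxed setting does not leak into later connections.
Assumption: gnutls.el consults the variable dynamically during negotiation."
  (let ((gnutls-algorithm-priority (my-gnutls-priority-for-host host)))
    (open-network-stream name buffer host service :type 'tls)))

;; Usage (constructed host names):
(my-gnutls-priority-for-host "imap.example.invalid")
(my-gnutls-priority-for-host "other.example.invalid")
```

The lookup returns the relaxed string only for the listed host and nil for everything else, which keeps the default, stricter negotiation in place for hosts whose certificates do not have the key-usage problem described in the thread.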