unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#21227: 24.5; tls connections not verified by default
From: Glyph @ 2015-08-10  2:30 UTC (permalink / raw)
  To: 21227


In order to have HTTPS connections verified, one must customize the
behavior of tls.el in a highly non-obvious way:

(custom-set-variables
 ;; Refuse to connect when the certificate chain is not trusted.
 '(tls-checktrust t)
 ;; tls.el substitutes %p (port) and %h (host); the CA bundle path is left to the user.
 '(tls-program
   (quote
    ("gnutls-cli --x509cafile $A_CERT_BUNDLE -p %p %h"))))

leaving the user to determine an appropriate location for
$A_CERT_BUNDLE.

The whole point of TLS is to ensure the authenticity of connections.
Skipping that step is worse than useless - at least if the user *knows*
they're making a plaintext connection they might guess that they don't
have any security.  So Emacs should use a command-line which
authoritatively makes connections correctly, linking against gnutls
itself if necessary.



In GNU Emacs 24.5.1 (x86_64-apple-darwin13.4.0, NS apple-appkit-1265.21)
of 2015-04-10 on builder10-9.porkrind.org
Windowing system distributor `Apple', version 10.3.1348
Configured using:
`configure --with-ns '--enable-locallisppath=/Library/Application
Support/Emacs/${version}/site-lisp:/Library/Application
Support/Emacs/site-lisp''

Important settings:
  locale-coding-system: utf-8-unix

Major mode: Custom

Minor modes in effect:
  ecb-minor-mode: t
  server-mode: t
  global-undo-tree-mode: t
  undo-tree-mode: t
  global-auto-complete-mode: t
  global-quiet-mousewheel-mode: t
  quiet-mousewheel-mode: t
  async-bytecomp-package-mode: t
  shell-dirtrack-mode: t
  global-semanticdb-minor-mode: t
  global-semantic-idle-scheduler-mode: t
  which-function-mode: t
  show-paren-mode: t
  semantic-mode: t
  icomplete-mode: t
  global-auto-revert-mode: t
  electric-pair-mode: t
  delete-selection-mode: t
  tooltip-mode: t
  electric-indent-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  temp-buffer-resize-mode: t
  column-number-mode: t
  line-number-mode: t
  transient-mark-mode: t

Recent messages:
"Beep."
Quit

Making completion list...

Mark set
"Beep."
Quit
Saving file /Users/glyph/.emacs.d/url/cookies...
Wrote /Users/glyph/.emacs.d/url/cookies

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug sendmail timezone parse-time vc-git
add-log mm-archive message rfc822 mml mml-sec mailabbrev gmm-utils
mailheader mm-decode mm-bodies mm-encode mail-utils network-stream
starttls url-http tls mail-parse rfc2231 rfc2047 rfc2045 ietf-drums
url-gw url-cache url-auth url-handlers ido debug eieio-opt find-func
misearch multi-isearch package-x apropos help-mode winner mule-util
flymake python-patches python json quickhack ecb-layout-defs cus-edit
warnings ecb ecb-symboldef ecb-analyse ecb-compatibility
ecb-winman-support ecb-autogen autoload lisp-mnt ecb-tod ecb-cycle
ecb-eshell ecb-help ecb-jde ecb-method-browser hideshow
ecb-semantic-wrapper ecb-semantic ecb-file-browser ecb-speedbar
ecb-layout ecb-create-layout ecb-compilation ecb-common-browser speedbar
sb-image dframe ecb-navigate ecb-mode-line ecb-face tree-buffer
ecb-upgrade ecb-cedet-wrapper semantic/db-find semantic/db-ref
semantic/analyze semantic/sort semantic/scope semantic/analyze/fcn
wid-edit ecb-util python-docstring server undo-tree diff pelican-mode
rainbow-delimiters disp-table auto-complete-config auto-complete popup
quiet-mousewheel-mode backandforth obb-mode combinator goto-definition
adaptive-wrap helm-C-x-b helm-imenu helm-command helm-elisp helm-eval
edebug eldoc helm-mode helm-cmd-t helm-files rx image-dired dired-x
dired-aux ffap thingatpt helm-buffers helm-elscreen helm-tags
helm-bookmark helm-adaptive helm-info bookmark pp helm-locate helm-help
helm-match-plugin helm-grep helm-regexp helm-plugin grep helm-external
helm-net browse-url xml url url-proxy url-privacy url-expand url-methods
url-history url-cookie url-domsuf url-util url-parse url-vars mailcap
helm-utils dired compile helm easy-mmode helm-source helm-config
helm-easymenu edmacro kmacro async-bytecomp async helm-aliases tramp
tramp-compat auth-source gnus-util mm-util mail-prsvr password-cache
tramp-loaddefs trampver shell pcomplete comint ansi-color ring
format-spec semantic/db-mode semantic/db eieio-base semantic/idle
semantic/format ezimage semantic/tag-ls semantic/find semantic/ctxt
jka-compr vale-theme which-func imenu paren semantic/util-modes
semantic/util semantic semantic/tag semantic/lex semantic/fw eieio
byte-opt bytecomp byte-compile cl-extra cconv eieio-core mode-local
cedet icomplete autorevert filenotify elec-pair delsel cus-start
cus-load info easymenu package epg-config glyph-setup advice help-fns
cl-macs cl cl-loaddefs cl-lib gv time-date tooltip electric uniquify
ediff-hook vc-hooks lisp-float-type mwheel ns-win tool-bar dnd fontset
image regexp-opt fringe tabulated-list newcomment lisp-mode prog-mode
register page menu-bar rfn-eshadow timer select scroll-bar mouse
jit-lock font-lock syntax facemenu font-core frame cham georgian
utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao korean
japanese hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese case-table epa-hook jka-cmpr-hook help simple abbrev
minibuffer nadvice loaddefs button faces cus-face macroexp files
text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote make-network-process
cocoa ns multi-tty emacs)

Memory information:
((conses 16 371323 77866)
(symbols 48 42820 0)
(miscs 40 1349 592)
(strings 32 90979 8531)
(string-bytes 1 2908972)
(vectors 16 36096)
(vector-slots 8 658448 37677)
(floats 8 430 918)
(intervals 56 5019 171)
(buffers 960 41))


* bug#21227: 24.5; tls connections not verified by default
From: Glenn Morris @ 2015-08-10 15:53 UTC (permalink / raw)
  To: Glyph; +Cc: 21227

Glyph wrote:

> have any security.  So Emacs should use a command-line which
> authoritatively makes connections correctly, linking against gnutls
> itself if necessary.

Emacs can be linked with Gnutls since Emacs 24.1. You have to compile it
that way though. I think this is perhaps part of the reason why a bunch
of bugs related to the old non-builtin TLS support are piling up. Eg
19283, 19284, 20078. IMO these issues really need to be addressed before
the next release.

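The two situations Glenn Morris describes (Emacs linked against GnuTLS, and Emacs driving an external gnutls-cli through tls.el) need different settings to get verified connections. The following is an added example of my own, not code from the bug thread or from Emacs itself: it detects which build is running and configures either one to verify the peer certificate or to refuse to connect. The `my/` names, the list of candidate CA bundle paths and the fail-closed policy are my choices; the bug report leaves the bundle location ($A_CERT_BUNDLE) to the user, so adjust the list for your OS. It targets Emacs 24.x, the version the thread is about.

```elisp
;;; Added example: not code from the bug thread or from Emacs itself.
;;; Targets Emacs 24.x; the variables used exist there.

(require 'cl-lib)   ; cl-find-if (Emacs 24.3+)
(require 'tls)      ; tls-program, tls-checktrust (external gnutls-cli path)
(require 'gnutls)   ; gnutls-verify-error, gnutls-trustfiles (built-in path)

;; Assumed candidate CA bundle locations, tried in order.  The bug report
;; leaves this path ($A_CERT_BUNDLE) to the user, so edit for your OS.
(defvar my/ca-bundle-candidates
  '("/etc/ssl/certs/ca-certificates.crt"        ; Debian, Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt"          ; Fedora, RHEL
    "/etc/ssl/cert.pem"                         ; macOS, OpenBSD
    "/usr/local/share/certs/ca-root-nss.crt")   ; FreeBSD
  "Paths tried, in order, when looking for a CA bundle.")

(defun my/find-ca-bundle ()
  "Return the first readable file in `my/ca-bundle-candidates', or nil."
  (cl-find-if #'file-readable-p my/ca-bundle-candidates))

(defun my/builtin-gnutls-p ()
  "Non-nil when this Emacs was linked against GnuTLS at build time."
  (and (fboundp 'gnutls-available-p) (gnutls-available-p)))

(defun my/harden-tls ()
  "Make TLS connections verify the peer, or refuse to connect at all.
Return a symbol naming the configuration that was applied."
  (let ((bundle (my/find-ca-bundle)))
    (cond
     ;; Built-in GnuTLS: turn a verification failure from a warning into
     ;; an error, and make sure the trust store includes our bundle.
     ((my/builtin-gnutls-p)
      (setq gnutls-verify-error t)
      (when bundle
        (add-to-list 'gnutls-trustfiles bundle))
      'builtin-gnutls)
     ;; External gnutls-cli: pass the bundle and insist on a trusted chain.
     ;; tls.el expands %h and %p to the host and port; the doubled %% here
     ;; survives `format' so that tls.el still sees %h and %p.
     (bundle
      (setq tls-checktrust t
            tls-program
            (list (format "gnutls-cli --x509cafile %s -p %%p %%h"
                          (shell-quote-argument bundle))))
      'external-gnutls-cli)
     ;; No built-in GnuTLS and no bundle: nothing can verify the peer, so
     ;; fail closed instead of silently making unverified connections.
     (t
      (setq tls-program nil)
      (warn "No CA bundle found; tls.el connections are disabled")
      'disabled))))

;; Run once at startup, e.g. from the init file; the return value shows
;; which branch applied.
(my/harden-tls)
```

With `tls-checktrust` set to `t`, tls.el drops the connection when gnutls-cli reports that the chain is not trusted, so a missing or wrong bundle path shows up as a failed connection rather than an unverified one. On Emacs 25.1 and later the Network Security Manager (`network-security-level`) also takes part in this decision, so check its value there as well.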

* bug#21227: 24.5; tls connections not verified by default
From: Lars Ingebrigtsen @ 2015-12-29 13:46 UTC (permalink / raw)
  To: Glyph; +Cc: 21227

Glyph <glyph@twistedmatrix.com> writes:

> In order to have HTTPS connections verified, one must customize the
> behavior of tls.el in a highly non-obvious way:
>
> '(tls-checktrust t)
> '(tls-program
>    (quote
>     ("gnutls-cli --x509cafile $A_CERT_BUNDLE -p %p %h")))
>
> leaving the user to determine an appropriate location for
> $A_CERT_BUNDLE.

This has been fixed in Emacs 25.1. 

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no


* bug#21227: acknowledged by developer (control message for bug #21227)
From: Glyph Lefkowitz @ 2015-12-30 11:39 UTC (permalink / raw)
  To: 21227

I'm curious - has this been fixed by default for both configurations?  i.e. built with gnutls and without?

-glyph


* bug#21227: acknowledged by developer (control message for bug #21227)
From: Lars Magne Ingebrigtsen @ 2015-12-30 11:44 UTC (permalink / raw)
  To: Glyph Lefkowitz; +Cc: 21227

Glyph Lefkowitz <glyph@twistedmatrix.com> writes:

> I'm curious - has this been fixed by default for both configurations?
> i.e. built with gnutls and without?

This was a fix for non-GnuTLS builds.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no


* bug#21227: acknowledged by developer (control message for bug #21227)
From: Glyph Lefkowitz @ 2016-01-03  8:39 UTC (permalink / raw)
  To: Lars Magne Ingebrigtsen; +Cc: 21227



> On Dec 30, 2015, at 3:44 AM, Lars Magne Ingebrigtsen <larsi@gnus.org> wrote:
> 
> This was a fix for non-GnuTLS builds.

Is there a separate bug number for GnuTLS builds by any chance?

-glyph


* bug#21227: acknowledged by developer (control message for bug #21227)
From: Lars Magne Ingebrigtsen @ 2016-01-03  8:43 UTC (permalink / raw)
  To: Glyph Lefkowitz; +Cc: 21227

Glyph Lefkowitz <glyph@twistedmatrix.com> writes:

>  On Dec 30, 2015, at 3:44 AM, Lars Magne Ingebrigtsen <larsi@gnus.org>
>  wrote:
>
>  This was a fix for non-GnuTLS builds.
>
> Is there a separate bug number for GnuTLS builds by any chance?

I don't understand the question.  This was a problem that related to
non-GnuTLS builds.  This problem doesn't exist in GnuTLS builds.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

