From: Ted Zlatanov
Newsgroups: gmane.emacs.bugs
Subject: bug#19404: 25.0.50; Gnus shows self-signed certificate warning when connecting to Gmane
Date: Wed, 24 Dec 2014 08:11:34 -0500
Organization: Теодор Златанов @ Cienfuegos
To: Lars Ingebrigtsen
Cc: 19404@debbugs.gnu.org, David Engster, dgutov@yandex.ru
In-Reply-To: <874msqq9m1.fsf@building.gnus.org> (Lars Ingebrigtsen's message of "Sat, 20 Dec 2014 22:44:54 +0100, Sun, 21 Dec 2014 18:16:35 +0100")
User-Agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (darwin)
Xref: news.gmane.org gmane.emacs.bugs:97704

On Sat, 20 Dec 2014 22:44:54 +0100 Lars Ingebrigtsen wrote:

LI> Ted Zlatanov writes:

>> If I understand correctly, it seems 1) the :self-signed message and
>> symbol need to be changed, and 2) we're waiting for the GnuTLS
>> developers to tell us the best way to detect a self-signed certificate.
>>
>> For (1) I propose using :unknown-ca and "the certificate was signed by
>> an unknown and therefore untrusted authority"

LI> Sounds good.

On Sun, 21 Dec 2014 18:16:35 +0100 David Engster wrote:

DE> Nick answered, and it's really simple: call gnutls_x509_crt_check_issuer
DE> on the certificate itself (meaning: provide the certificate in question
DE> for both arguments).

Please try the attached patch. I'm not able to test it myself because I'm
traveling, but it should be fairly trivial and addresses both issues. Feel
free to commit it with any changes you want, it's a tiny change.

gnutls_x509_crt_check_issuer() has been in GnuTLS for all the versions we
support, so there was no need for a version check.

(there was a third issue, the expiration date was wrong, but that's not as
urgent)

Ted

Attachment: self-signed.patch

diff --git a/src/gnutls.c b/src/gnutls.c index bf9f132..500dbf3 100644 --- a/src/gnutls.c +++ b/src/gnutls.c @@ -154,6 +154,8 @@ enum extra_peer_verification (gnutls_session_t, gnutls_push_func)); DEF_GNUTLS_FN (int, gnutls_x509_crt_check_hostname, (gnutls_x509_crt_t, const char *)); +DEF_GNUTLS_FN (int, gnutls_x509_crt_check_issuer, + (gnutls_x509_crt_t, gnutls_x509_crt_t)); DEF_GNUTLS_FN (void, gnutls_x509_crt_deinit, (gnutls_x509_crt_t)); DEF_GNUTLS_FN (int, gnutls_x509_crt_import, (gnutls_x509_crt_t, const gnutls_datum_t *, 
@@ -269,6 +271,7 @@ enum extra_peer_verification LOAD_GNUTLS_FN (library, gnutls_transport_set_pull_function); LOAD_GNUTLS_FN (library, gnutls_transport_set_push_function); LOAD_GNUTLS_FN (library, gnutls_x509_crt_check_hostname); + LOAD_GNUTLS_FN (library, gnutls_x509_crt_check_issuer); LOAD_GNUTLS_FN (library, gnutls_x509_crt_deinit); LOAD_GNUTLS_FN (library, gnutls_x509_crt_import); LOAD_GNUTLS_FN (library, gnutls_x509_crt_init); @@ -365,6 +368,7 @@ enum extra_peer_verification #define fn_gnutls_strerror gnutls_strerror #define fn_gnutls_transport_set_ptr2 gnutls_transport_set_ptr2 #define fn_gnutls_x509_crt_check_hostname gnutls_x509_crt_check_hostname +#define fn_gnutls_x509_crt_check_issuer gnutls_x509_crt_check_issuer #define fn_gnutls_x509_crt_deinit gnutls_x509_crt_deinit #define fn_gnutls_x509_crt_get_activation_time gnutls_x509_crt_get_activation_time #define fn_gnutls_x509_crt_get_dn gnutls_x509_crt_get_dn @@ -985,6 +989,10 @@ enum extra_peer_verification if (EQ (status_symbol, intern (":self-signed"))) return build_string ("certificate signer was not found (self-signed)"); + if (EQ (status_symbol, intern (":unknown-ca"))) + return build_string ("the certificate was signed by an unknown " + "and therefore untrusted authority"); + if (EQ (status_symbol, intern (":not-ca"))) return build_string ("certificate signer is not a CA"); @@ -1029,7 +1037,7 @@ enum extra_peer_verification warnings = Fcons (intern (":revoked"), warnings); if (verification & GNUTLS_CERT_SIGNER_NOT_FOUND) - warnings = Fcons (intern (":self-signed"), warnings); + warnings = Fcons (intern (":unknown-ca"), warnings); if (verification & GNUTLS_CERT_SIGNER_NOT_CA) warnings = Fcons (intern (":not-ca"), warnings); 
@@ -1047,6 +1055,13 @@ enum extra_peer_verification CERTIFICATE_NOT_MATCHING) warnings = Fcons (intern (":no-host-match"), warnings); + /* This could get called in the INIT stage, when the certificate is + not yet set. */ + if (XPROCESS (proc)->gnutls_certificate != NULL && + gnutls_x509_crt_check_issuer(XPROCESS (proc)->gnutls_certificate, + XPROCESS (proc)->gnutls_certificate)) + warnings = Fcons (intern (":self-signed"), warnings); + if (!NILP (warnings)) result = list2 (intern (":warnings"), warnings);
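Review bot: in the @@ -985 hunk, the message for :self-signed left in place just above the addition, "certificate signer was not found (self-signed)", now describes the wrong condition: the signer-not-found case is reported as :unknown-ca by this patch, and :self-signed is derived from the issuer check instead. Update that string as well, e.g. `return build_string ("the certificate is self-signed");`, so the two messages match the two symbols.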
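Review bot: the @@ -1029 hunk changes the symbol emitted for GNUTLS_CERT_SIGNER_NOT_FOUND from :self-signed to :unknown-ca, so any Lisp code that dispatches on :self-signed in the peer status's :warnings list will stop seeing it for that case. The commit message should call out the rename (and the new meaning of :self-signed), since the symbol is user-visible.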
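Review bot: the new call in the @@ -1047 hunk uses the bare name gnutls_x509_crt_check_issuer instead of fn_gnutls_x509_crt_check_issuer, which is the name the DEF_GNUTLS_FN, LOAD_GNUTLS_FN and #define hunks earlier in this patch exist to provide; on builds that load GnuTLS dynamically the bare symbol is not available, so this should read `fn_gnutls_x509_crt_check_issuer (XPROCESS (proc)->gnutls_certificate, XPROCESS (proc)->gnutls_certificate)`. While there, match the surrounding GNU style (a space before the opening parenthesis, and `&&` at the start of the continuation line rather than at the end of the previous one), and consider whether the check should only run when `verification` reported a problem: as written, a self-signed root that the trust store accepts is still tagged :self-signed.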
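As an added example (not part of the bug report or of Emacs' gnutls.c), the same two-way classification written in Go with crypto/x509 instead of GnuTLS, on constructed in-memory certificates: makeCert and classify are names chosen here, and the issuer-equals-subject test stands in for gnutls_x509_crt_check_issuer(crt, crt).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert builds a constructed test cert: self-signed when parent is nil.
func makeCert(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil, // only the self-signed cert is a CA
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // sign with our own key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// classify mirrors the patched gnutls.c: ":unknown-ca" when no trusted issuer is
// found, ":self-signed" when issuer DN equals subject DN (check_issuer(crt, crt)).
func classify(cert *x509.Certificate, roots *x509.CertPool) []string {
	var warnings []string
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		if _, ok := err.(x509.UnknownAuthorityError); ok {
			warnings = append(warnings, ":unknown-ca")
		}
	}
	if bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		warnings = append(warnings, ":self-signed")
	}
	return warnings
}
```

On these inputs a self-signed certificate gets both warnings while a leaf issued by an untrusted CA gets only :unknown-ca, which is the distinction the old SIGNER_NOT_FOUND test collapsed; a self-signed root that is in the trust store still gets :self-signed, as with the unconditional check in the patch.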