From: Jimmy Yuen Ho Wong
Newsgroups: gmane.emacs.devel
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sun, 24 Jun 2018 22:30:50 +0100
To: Lars Ingebrigtsen
Cc: Eli Zaretskii, Paul Eggert, Noam Postavsky, emacs-devel@gnu.org
Here's the patch to get GnuTLS to do CRL checking.

On Debian, you can get a bunch of CRL PEM files by the following:

    $ sudo apt-get install igtf-policy-bundle
    $ sudo apt-get install fetch-crl
    $ sudo fetch-crl -p 8 --format pem

On macOS with MacPorts:

    $ sudo port install igtf-ca-bundle
    $ sudo fetch-crl -p 8 --format pem

Now if you do

    M-: (url-retrieve-synchronously "https://revoked.grc.com/") RET

you should see a prompt from NSM.

Possible improvement:

Checking static CRLs is still spotty. "https://revoked.badssl.com" still fails to trigger a prompt from NSM. For that we'll definitely need OCSP and some of the newer Certificate Transparency tricks.

On Sun, Jun 24, 2018 at 7:29 PM, Jimmy Yuen Ho Wong wrote:
>
>> I'm not quite sure I follow you here. OCSP is the online query stuff,
>> and is something that gnutls doesn't do, I think, and which is probably
>> not something we want to do either. (Chrome doesn't, for instance.)
>>
> GnuTLS has had the ability to do OCSP since 3.1.3 released back in 2012. This
> is how you do it according to the manual.
>
> Chrome's primary check OOTB is its own curated CRLSet, but it does use
> OCSP for some EV certs, and relies on the underlying library to do OCSP.
> You can also enable it in Chrome if you want.
>
>> But a certificate revocation list is something we could consider
>> distributing via ELPA, but that's a bigger project...
>>
> No. Emacs has a defined list of CA bundle PEM files (`gnutls-trustfiles`)
> it looks for now, the same can be done for CRL files. Users can
> periodically update their CA bundle and CRL bundle. The CA bundle on *nix
> is typically Mozilla's, which is covered by the default list in
> `gnutls-trustfiles`. A complete list of CRLs in PEM format typically doesn't
> exist on most systems, but can be generated with `igtf-ca-bundle` +
> `fetch-crl`. I just generated them on macOS via MacPorts, Linux should also
> be a matter of installing a few packages and running `fetch-crl`.
>
>> Or do you mean OCSP stapling? There's so much going on in this area
>> (because it's a clusterfuck to begin with) that it can be challenging
>> keeping track. :-)
>>
> Nah, it's just a couple more lines of C code. See GnuTLS's manual on OCSP
> above.
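An added example in Emacs Lisp (mine, not the patch attached to this message) showing the same idea the message describes for CRL files: expand a `gnutls-trustfiles`-style list of locations, hand the existing files to GnuTLS through `:crlfiles`, and read the verification result the way NSM does. It assumes fetch-crl's default output directory, that `gnutls-negotiate` accepts `:crlfiles` and that `gnutls-peer-status` reports `:revoked` among `:warnings`; the `my-` names are hypothetical.

```elisp
;; Added example, not the patch from this thread. Network access and a
;; GnuTLS-enabled Emacs are required to actually run the check.
(require 'gnutls)
(require 'seq)

(defvar my-gnutls-crlfiles
  ;; Default output directory of fetch-crl (assumed; check your system).
  '("/etc/grid-security/certificates/*.crl.pem")
  "CRL file names or glob patterns, PEM or DER, as for `gnutls-trustfiles'.")

(defun my-gnutls-crl-file-list (patterns)
  "Return the existing files matched by PATTERNS (plain names or globs).
Missing files are silently dropped, like `gnutls-trustfiles' does."
  (seq-filter #'file-exists-p
              (apply #'append
                     (mapcar (lambda (p) (file-expand-wildcards p t))
                             patterns))))

(defun my-tls-revocation-status (host &optional port)
  "Connect to HOST:PORT over TLS and report CRL-based revocation.
Return `revoked' if GnuTLS flagged the peer certificate against the
local CRLs, `ok' if verification passed, or `no-crls' when no CRL file
was found (a silent pass in that case would be a false sense of safety)."
  (let ((crls (my-gnutls-crl-file-list my-gnutls-crlfiles)))
    (if (null crls)
        'no-crls
      (let ((proc (open-network-stream "crl-check" nil host (or port 443)
                                       :type 'plain))
            (status nil))
        (unwind-protect
            (progn
              ;; :verify-error nil keeps the handshake alive on a failed
              ;; verification, so the result stays visible in the peer
              ;; status instead of aborting the connection.
              (gnutls-negotiate :process proc
                                :type 'gnutls-x509pki
                                :hostname host
                                :crlfiles crls
                                :verify-error nil)
              (setq status (gnutls-peer-status proc)))
          (delete-process proc))
        (if (memq :revoked (plist-get status :warnings))
            'revoked
          'ok)))))

;; (my-tls-revocation-status "revoked.grc.com")  ; the host used in the thread
```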
[Attachment: 0001-Check-TLS-certs-against-CRL.patch]