From: Glenn Morris
Newsgroups: gmane.emacs.bugs
Subject: bug#13877: 24.3; gnutls.el: Enable Certificate Checks
Date: Tue, 05 Mar 2013 11:51:33 -0500
Message-ID: <0evc953i3u.fsf@fencepost.gnu.org>
To: Moritz Ulrich
Cc: 13877@debbugs.gnu.org
In-Reply-To: (Moritz Ulrich's message of "Tue, 05 Mar 2013 11:40:09 +0100")

Moritz Ulrich wrote:

> Currently, gnutls.el doesn't check certificate signatures when used via
> `open-network-stream' with :type 'tls or `open-gnutls-stream'.

Please see http://debbugs.gnu.org/13374
It was considered too complicated to fix this properly for 24.3.

> There is NO way to set :verify-host, :verify-flags, etc. for this call
> to `gnutls-negotiate' when using gnutls via high-level functions like
> `open-network-stream'.
>
> I consider this a bug, as Emacs won't check any certificates and
> therefore allow man-in-the-middle attacks without even documenting this.
>
> It should at least be possible to pass :verify-* from
> `open-network-stream' down to `gnutls-negotiate'. That would be a simple
> yet effective solution.
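Until the high-level functions pass verification options through, a caller can open a plain stream and hand it to `gnutls-negotiate' itself with verification enabled. The following is an added example, not code from the bug report or from Emacs's gnutls.el; it assumes `gnutls-negotiate' accepts the :trustfiles, :verify-error and :verify-hostname-error keywords (as in Emacs 24.x), and the host, port and CA bundle path are placeholders.

```elisp
;; Added example: negotiate TLS with certificate verification turned on.
;; Assumes gnutls.el's `gnutls-negotiate' accepts :trustfiles, :verify-error
;; and :verify-hostname-error (Emacs 24.x); host, port and the CA bundle
;; path are placeholders, not values from the bug report.
(require 'gnutls)

(defun my/open-verified-tls-stream (name buffer host port)
  "Open a TLS connection to HOST:PORT that fails closed on a bad certificate.
Unlike `open-network-stream' with :type 'tls, which negotiates without
verification, this signals an error when the chain cannot be validated
against the trust store or the certificate does not match HOST."
  (let ((proc (open-network-stream name buffer host port :type 'plain)))
    (condition-case err
        (gnutls-negotiate
         :process proc
         :type 'gnutls-x509pki
         :hostname host
         ;; CA bundle(s) to validate the chain against; adjust per system.
         :trustfiles (or gnutls-trustfiles
                         '("/etc/ssl/certs/ca-certificates.crt"))
         ;; Signal an error if the chain does not verify ...
         :verify-error t
         ;; ... or if the certificate's name does not match HOST.
         :verify-hostname-error t)
      (error
       ;; Tear down the half-open socket rather than leave an unverified
       ;; connection around for the caller to use by mistake.
       (delete-process proc)
       (signal (car err) (cdr err))))
    proc))

;; Placeholder usage (host and port are not from the bug report):
;; (my/open-verified-tls-stream "imap" "*imap*" "imap.example.com" 993)
```

If `gnutls-negotiate' returns without error, the process is ready for use as a verified TLS stream; any verification failure surfaces as a signalled error instead of a silently unauthenticated connection.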