From: Eli Zaretskii
Newsgroups: gmane.emacs.bugs
Subject: bug#19404: 25.0.50; Gnus shows self-signed certificate warning when connecting to Gmane
Date: Thu, 18 Dec 2014 22:52:51 +0200
Message-ID: <83ioh8u1cs.fsf@gnu.org>
References: <86ppbhrx9a.fsf@yandex.ru> <838ui5uf27.fsf@gnu.org> <83vbl8uau2.fsf@gnu.org> <871tnwoglm.fsf@engster.org>
In-reply-to: <871tnwoglm.fsf@engster.org>
To: David Engster
Cc: 19404@debbugs.gnu.org, larsi@gnus.org, dgutov@yandex.ru

> From: David Engster
> Cc: Eli Zaretskii, 19404@debbugs.gnu.org, dgutov@yandex.ru
> Date: Thu, 18 Dec 2014 21:20:05 +0100
>
> Just to make a few things clear: A 'self-signed' certificate simply
> means that a certificate is signed with its own private key. You can
> easily identify them by looking at the 'Issuer' and 'Subject' - they are
> identical:
>
>   openssl s_client -connect news.gmane.org:563
>
>   [...]
>
>   Certificate chain
>    0 s:/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org
>      i:/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org
>
> If you connect to a service secured with such a certificate, you'll be
> greeted with a certificate chain with a depth of '0', only containing
> this one certificate (so it's actually not a chain). Self-signed
> certificates are by default never trustworthy, since anyone can create
> them.

Do you understand why I got the same "self-signed" indication for a
certificate whose chain couldn't be verified because the root
certificates were not available?  E.g., remove or rename your bundle,
then try "M-x eww" to some HTTPS address -- you will see the
"self-signed" indication in that case as well.  Why does this happen?

> I don't know GnuTLS, but my guess(!) would be like this:
>
> > if (EQ (status_symbol, intern (":invalid")))
> >   return build_string ("certificate could not be verified");
>
> This means that the root CA is not trusted, or that some intermediate
> certificate is missing, so that you do not have a chain of trust.
>
> > if (EQ (status_symbol, intern (":self-signed")))
> >   return build_string ("certificate signer was not found (self-signed)");
>
> Self-signed, never trusted by default.

But we get both of these when the chain couldn't be verified.  Why?
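
The two situations discussed in this message, as an added example that is not part of the original message and is not Emacs or GnuTLS code: it parses the `s:`/`i:` lines of an `openssl s_client` chain listing and separates a leaf whose Issuer equals its Subject from a CA-issued chain whose top issuer is absent from the trust store. The function names, result labels and the second sample chain are assumptions made for illustration, and only names are compared (no signatures are checked).

```python
import re

# Constructed sample: the subject/issuer pair quoted in the message above.
SELF_SIGNED = """Certificate chain
 0 s:/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org
   i:/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org
"""

# Constructed sample: a CA-issued chain with hypothetical names.
CA_ISSUED = """Certificate chain
 0 s:/CN=www.example.org
   i:/O=Example CA/CN=Example Intermediate
 1 s:/O=Example CA/CN=Example Intermediate
   i:/O=Example CA/CN=Example Root
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in depth order from s_client output."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+s:(.*)$", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s*i:(.*)$", line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def classify(text, trusted_subjects):
    """Name-level classification of a chain against a set of trusted DNs."""
    chain = parse_chain(text)
    if not chain:
        return "no-chain"
    # Each certificate must name the next one in the list as its issuer.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return "broken-chain"
    top_subject, top_issuer = chain[-1]
    if top_subject in trusted_subjects or top_issuer in trusted_subjects:
        return "trusted"
    # Depth-0 chain with Issuer == Subject: self-signed in the strict sense.
    if len(chain) == 1 and top_subject == top_issuer:
        return "self-signed"
    # Otherwise the top issuer is simply missing from the trust store.
    return "signer-not-found"
```

With an empty trust store (the "remove or rename your bundle" case) the CA-issued chain ends in an issuer that cannot be found, just as the self-signed leaf does; only the Issuer/Subject comparison at depth 0 tells the two apart.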