From: David Engster
Newsgroups: gmane.emacs.bugs
Subject: bug#19404: 25.0.50; Gnus shows self-signed certificate warning when connecting to Gmane
Date: Thu, 18 Dec 2014 21:20:05 +0100
Message-ID: <871tnwoglm.fsf@engster.org>
References: <86ppbhrx9a.fsf@yandex.ru> <838ui5uf27.fsf@gnu.org> <83vbl8uau2.fsf@gnu.org>
To: Lars Magne Ingebrigtsen
Cc: 19404@debbugs.gnu.org, dgutov@yandex.ru
In-Reply-To: (Lars Magne Ingebrigtsen's message of "Thu, 18 Dec 2014 18:53:07 +0100")
User-Agent: Gnus/5.13001 (Ma Gnus v0.10) Emacs/24.3.91 (gnu/linux)
Xref: news.gmane.org gmane.emacs.bugs:97548

Lars Magne Ingebrigtsen writes:

> Eli Zaretskii writes:
>
>> OK, let me rephrase: How can a user, a mere mortal, like myself or
>> Dmitry, tell that this certificate is OK, while the one I was
>> presented in my problem is not?
>
> That's not generally possible. Unfortunately there's no difference
> between a certificate signed by a CA that you don't happen to have in
> your CA bundle, and a self-signed certificate. Unless I've
> misunderstood something.
>
> I think that's one of many unfortunate design choices made when the
> certificate system was set up.
>
> So the "(self-signed)" string we have in our warnings should perhaps be
> changed to "(possibly self-signed)".

Just to make a few things clear: A 'self-signed' certificate simply
means that a certificate is signed with its own private key. You can
easily identify them by looking at the 'Issuer' and 'Subject' - they
are identical:

    openssl s_client -connect news.gmane.org:563
    [...]
    Certificate chain
     0 s:/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org
       i:/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org

If you connect to a service secured with such a certificate, you'll be
greeted with a certificate chain with a depth of '0', only containing
this one certificate (so it's actually not a chain).

Self-signed certificates are by default never trustworthy, since anyone
can create them. The only way to have a certificate that is trusted by
default is to have it signed by a trustworthy certificate authority
(CA). The issuer must hence be different from the subject.

Technically, such a certificate authority presents itself also as a
certificate, but one that is only used to sign other certificates; it
is never used directly as a server certificate. So in this case, you
will actually have *a chain* of certificates with a trusted "root CA"
at the top (there can be many intermediate certificates). That CA at
the top presents itself as a self-signed certificate, and it is only
made trustworthy because it is marked as such by another authority
(Mozilla, Debian, etc.) in some kind of certificate storage.

I don't know GnuTLS, but my guess(!) would be like this:

> if (EQ (status_symbol, intern (":invalid")))
>   return build_string ("certificate could not be verified");

This means that the root CA is not trusted, or that some intermediate
certificate is missing, so that you do not have a chain of trust.

> if (EQ (status_symbol, intern (":self-signed")))
>   return build_string ("certificate signer was not found (self-signed)");

Self-signed, never trusted by default.

> if (EQ (status_symbol, intern (":not-ca")))
>   return build_string ("certificate signer is not a CA");

The root certificate is not a CA, meaning it is missing some extensions
that are necessary for a CA. It's no wonder you've never seen this. I
can only imagine this to happen with very old (version 1) CAs.

-David
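The distinction drawn in this thread, between a certificate that is truly self-signed (issuer equals subject and the signature verifies under the certificate's own key) and one that is merely signed by an issuer absent from the client's CA bundle, can be checked mechanically. The following is an added example written for this page in Go using only the standard library; it is not the Emacs/GnuTLS code under discussion. It constructs throwaway keys and certificates in memory (the "Example Private Root CA" name and the serial numbers are made up for the demo), then classifies each certificate against an empty trust store and against a store that contains the private CA, which is exactly the situation in which an unknown-CA certificate and a self-signed one look alike to the user but not to the check.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial numbers: only need to be unique and positive

// newKey generates a fresh P-256 key; every key here is throwaway, created for the demo.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue creates a certificate for cn. With parent == nil the certificate is
// signed by its own key (self-signed); otherwise it is signed by parent/parentKey.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{"Gmane"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // default: sign with our own key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// isSelfSigned applies the test from the thread: issuer equals subject, and the
// signature verifies under the certificate's own public key.
func isSelfSigned(c *x509.Certificate) bool {
	if !bytes.Equal(c.RawIssuer, c.RawSubject) {
		return false
	}
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// classify reports what a client can tell about a presented certificate given
// its trust store: "trusted", "self-signed", or "unknown issuer" (the last
// covers a root that is not in the store as well as a missing intermediate).
func classify(c *x509.Certificate, roots *x509.CertPool) string {
	if _, err := c.Verify(x509.VerifyOptions{Roots: roots}); err == nil {
		return "trusted"
	}
	if isSelfSigned(c) {
		return "self-signed"
	}
	return "unknown issuer"
}

// buildScenario constructs the two cases the thread contrasts: a self-signed
// server certificate, and a server certificate issued by a private root CA.
func buildScenario() (selfSigned, ca, leaf *x509.Certificate) {
	selfSigned, _ = issue("news.gmane.org", false, nil, nil)
	var caKey *ecdsa.PrivateKey
	ca, caKey = issue("Example Private Root CA", true, nil, nil)
	leaf, _ = issue("news.gmane.org", false, ca, caKey)
	return selfSigned, ca, leaf
}

func main() {
	selfSigned, ca, leaf := buildScenario()
	empty := x509.NewCertPool()  // client with no CA bundle at all
	withCA := x509.NewCertPool() // client that has the private CA installed
	withCA.AddCert(ca)

	for _, c := range []*x509.Certificate{selfSigned, leaf} {
		fmt.Printf("subject=%q issuer=%q self-signed=%v\n",
			c.Subject.CommonName, c.Issuer.CommonName, isSelfSigned(c))
		fmt.Printf("  empty store : %s\n", classify(c, empty))
		fmt.Printf("  with CA     : %s\n", classify(c, withCA))
	}
}
```

Note that the root CA itself also satisfies isSelfSigned, which is the point made above about the top of a chain: what makes it trustworthy is its presence in the trust store, not anything in the certificate. The unknown-issuer leaf becomes "trusted" as soon as its CA is added to the store, whereas the self-signed server certificate can only be trusted by pinning that exact certificate.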