From: Noam Postavsky <npostavs@gmail.com>
To: Lars Ingebrigtsen <larsi@gnus.org>
Cc: 31946@debbugs.gnu.org
Subject: bug#31946: 27.0.50; The NSM should warn about more TLS problems
Date: Sun, 29 Jul 2018 10:45:38 -0400 [thread overview]
Message-ID: <87effm2j8t.fsf@gmail.com> (raw)
In-Reply-To: <m3y3e3msx5.fsf@gnus.org> (Lars Ingebrigtsen's message of "Sun, 22 Jul 2018 13:05:58 +0200")
Lars Ingebrigtsen <larsi@gnus.org> writes:
> Noam Postavsky <npostavs@gmail.com> writes:
>
>> Going by the certificate serial number, Firefox doesn't show this
>> certificate at all in the chain.
> Yeah, I didn't get any further here, and I don't know what more to
> check...
gnutls rejects SHA1 certificates by default as of 3.6.0, so I tried with
the latest stable gnutls version (3.6.3), and it does reject
sha1-intermediate.badssl.com while accepting www.usps.com. Stepping
through with gdb I see the problematic certificate is dropped in
_gnutls_verify_crt_status, the *second* time it's called from
gnutls_x509_trust_list_verify_crt2. I'm not sure yet how we can use
this from Emacs, but at least it's a direction to look in.
int
gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
[...]
{
[...]
hash_pjw_bare(cert_list[cert_list_size - 1]->raw_issuer_dn.
[...]
_gnutls_verify_crt_status(cert_list, cert_list_size,
list->node[hash].trusted_cas,
list->
node[hash].trusted_ca_size,
flags, purpose, func);
if (SIGNER_OLD_OR_UNKNOWN(*voutput)
[...]) {
/* if we couldn't find the issuer, try to see if the last
* certificate is in the trusted list and try to verify against
* (if it is not self signed) */
hash_pjw_bare(cert_list[cert_list_size - 1]->raw_dn.
[...]
_gnutls_debug_log("issuer in verification was not found or insecure; trying against trust list\n");
*voutput =
_gnutls_verify_crt_status(cert_list, cert_list_size,
list->node[hash].trusted_cas,
list->
node[hash].trusted_ca_size,
flags, purpose, func);
unsigned int
_gnutls_verify_crt_status(const gnutls_x509_crt_t * certificate_list,
[...]
{
[...]
/* We want to shorten the chain by removing the cert that matches
* one of the certs we trust and all the certs after that i.e. if
* cert chain is A signed-by B signed-by C signed-by D (signed-by
* self-signed E but already removed above), and we trust B, remove
* B, C and D. */
[...]
for (; i < clist_size; i++) { [...]
for (j = 0; j < tcas_size; j++) { [...]
/* we check for a certificate that may not be identical with the one
* sent by the client, but will have the same name and key. That is
* because it can happen that a CA certificate is upgraded from intermediate
* CA to self-signed CA at some point. */
if (_gnutls_check_if_same_key
(certificate_list[i], trusted_cas[j], i) != 0) {
/* explicit time check for trusted CA that we remove from
* list. GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS
*/
[...]
clist_size = i;
next prev parent reply other threads:[~2018-07-29 14:45 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-23 10:38 bug#31946: 27.0.50; The NSM should warn about more TLS problems Lars Ingebrigtsen
2018-06-24 13:43 ` Lars Ingebrigtsen
2018-06-26 1:23 ` Noam Postavsky
2018-06-26 4:11 ` Jimmy Yuen Ho Wong
2018-06-26 6:26 ` Jimmy Yuen Ho Wong
2018-06-26 12:44 ` Noam Postavsky
2018-06-26 14:38 ` Eli Zaretskii
2018-07-03 15:08 ` Lars Ingebrigtsen
2018-07-04 1:34 ` Noam Postavsky
2018-07-08 14:20 ` Lars Ingebrigtsen
2018-07-08 14:21 ` Lars Ingebrigtsen
2018-07-08 14:22 ` Lars Ingebrigtsen
2018-07-08 18:34 ` Lars Ingebrigtsen
2018-07-08 18:50 ` Noam Postavsky
2018-07-08 20:01 ` Lars Ingebrigtsen
2018-07-10 2:04 ` Noam Postavsky
2018-07-22 11:05 ` Lars Ingebrigtsen
2018-07-29 14:45 ` Noam Postavsky [this message]
2018-07-08 18:36 ` Lars Ingebrigtsen
2018-07-08 19:20 ` Lars Ingebrigtsen
2018-07-08 14:23 ` Lars Ingebrigtsen
2018-06-26 9:27 ` Lars Ingebrigtsen
2018-06-26 14:42 ` Eli Zaretskii
2018-06-27 0:45 ` Noam Postavsky
2018-06-27 5:09 ` Jimmy Yuen Ho Wong
2018-06-27 12:07 ` Lars Ingebrigtsen
2018-06-27 12:20 ` Lars Ingebrigtsen
2018-06-27 15:16 ` Eli Zaretskii
2018-06-27 16:40 ` Jimmy Yuen Ho Wong
2018-06-28 16:10 ` Lars Ingebrigtsen
2018-06-28 0:14 ` Noam Postavsky
2018-06-28 15:58 ` Jimmy Yuen Ho Wong
2018-06-28 16:15 ` Lars Ingebrigtsen
2018-06-28 16:42 ` Jimmy Yuen Ho Wong
2018-06-28 17:01 ` Lars Ingebrigtsen
2018-06-28 18:15 ` Jimmy Yuen Ho Wong
2018-06-29 5:21 ` Jimmy Yuen Ho Wong
2018-06-29 5:25 ` Jimmy Yuen Ho Wong
2018-06-30 17:28 ` Jimmy Yuen Ho Wong
2018-06-30 20:30 ` Noam Postavsky
2018-06-30 23:15 ` Jimmy Yuen Ho Wong
2018-06-30 23:35 ` Noam Postavsky
2018-07-01 15:01 ` Eli Zaretskii
2019-08-26 4:34 ` Lars Ingebrigtsen
2019-08-26 13:13 ` Andy Moreton
2019-08-26 16:07 ` Eli Zaretskii
2019-08-26 17:45 ` Andy Moreton
2019-08-26 18:12 ` Eli Zaretskii
2019-08-26 18:19 ` Andy Moreton
2019-08-26 19:36 ` Eli Zaretskii
2019-08-26 22:56 ` Andy Moreton
2019-08-27 7:23 ` Eli Zaretskii
2019-08-27 15:25 ` Andy Moreton
2019-08-27 15:50 ` Eli Zaretskii
2019-08-27 8:01 ` bug#31946: 27.0.50; GnuTLS still crashes on MinGW Markus Weber
2019-08-27 15:00 ` Eli Zaretskii
2019-08-27 15:50 ` Eli Zaretskii
2019-08-29 8:05 ` mw
2019-08-29 12:20 ` Eli Zaretskii
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87effm2j8t.fsf@gmail.com \
--to=npostavs@gmail.com \
--cc=31946@debbugs.gnu.org \
--cc=larsi@gnus.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.