all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Ted Zlatanov <tzz@lifelogs.com>
To: Noam Postavsky <npostavs@users.sourceforge.net>
Cc: 23759@debbugs.gnu.org, Konstantin Kliakhandler <kosta@slumpy.org>
Subject: bug#23759: 25.1.50; 25.1.50; open-tls-stream creates malformed gnutls-cli command if trusted cert files don't exist
Date: Tue, 05 Jul 2016 17:17:11 -0400	[thread overview]
Message-ID: <87k2gzhjjc.fsf_-_@lifelogs.com> (raw)
In-Reply-To: <CAM-tV-80k9Ue7ECvd_vzoYzuFYLT6amf1MSQzcn1XVYVPNByhQ@mail.gmail.com> (Noam Postavsky's message of "Tue, 5 Jul 2016 10:49:38 -0400, Tue, 5 Jul 2016 19:54:53 +0300, Tue, 5 Jul 2016 13:59:39 -0400")

On Tue, 5 Jul 2016 10:49:38 -0400 Noam Postavsky <npostavs@users.sourceforge.net> wrote: 

NP> I think gnutls is broken on master for OSX currently, see
NP> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=23503

Unfortunately I don't have access to Mac OS X anymore (I did until
recently) so I can't verify or fix that issue.

On Tue, 5 Jul 2016 19:54:53 +0300 Konstantin Kliakhandler <kosta@slumpy.org> wrote: 

KK> On 5 July 2016 at 17:36, Ted Zlatanov <tzz@lifelogs.com> wrote:
>> [Kosta's patch] replaces the specific call with a generic call (no CA file
>> specified). This is probably less secure because it will use the system
>> CA trustfiles regardless of the user's preferred `gnutls-trustfiles', so
>> I'd rather not make it the first thing attempted.

KK> the patch would work just as well if instead the line without --x509cafile was
KK> at the bottom of the list. Well, it would work worse for some users, but
KK> the key word is that it would work - except that now now it would take
KK> several more attempts to connect on my computer and on OPs (instead of just
KK> not connecting at all for OP).

Unfortunately it's less secure in the default case. I agree that it's
faster and more convenient. Perhaps there can be a way to say "if this
%t is empty, remove the preceding --argument as well" in the format
string? That would simplify the whole thing, like so:

"gnutls-cli --x509cafile %T -p %p %h"

...becomes "gnutls-cli -p PORT HOST" when the %T parameter is nil. Just
an idea...

KK> Personally, I also think that the default as defined in my current patch is
KK> preferable, since anyone who messes around with the certificates would edit
KK> this variable e.g. to set there --strict-tofu or the like (I did. It is a
KK> bit more annoying to use, but since I rarely open a new domain in emacs,
KK> it's not a big deal).

Many users don't know about these settings, and many don't have the
right GnuTLS libraries installed but think they do (so they are using
this library accidentally). I think it's good to be cautious here and
provide safe defaults.

The TOFU stuff is an interesting use case. The Emacs NSM (see
`network-security-level' and friends) tries to address this area to some
degree, but there's lots of work to be done.

KK> Anyway, I do concede that the second version is more secure. Attached is a
KK> patch that I hope is more to your liking. I put the the call that do not
KK> use an explicit certificate at the bottom of the list, even below the call
KK> to openssl s_client. I'm not sure what are the implications, as I don't
KK> know the relative merits of openssl s_client vs gnutls-cli. If you are
KK> inclined to educate me, please do as a short googling did not reveal the
KK> answers.

I'd group all the gnutls-cli calls together so it's more predictable and
easier to read. Otherwise it's fine IMHO. I know we have many security
experts here, perhaps they'll comment.

I am also concerned that SSLv3 is explicitly in the defaults. See
http://disablessl3.com/ etc.--I think that should be removed if
possible. I'll bring it up on emacs-devel.

>> Once the libraries are installed, you're all set, they'll be used
>> automatically.

KK> From what both of you said, I still am not sure what is meant by "native
KK> support". However, for various reasons I don't like the version provided in
KK> homebrew. I prefer the version from https://emacsformacosx.com.

OK, talk to the people that build that version :) Homebrew is what I
used when I had access to Mac OS X, and it worked well for me.

As Noam said, if `gnutls-available-p' returns t, you've got the native C
bindings to GnuTLS working. IMHO after the 25.1 release, opening a
secure network connection without `gnutls-available-p' should be an
annoying warning. I'll bring it up on emacs-devel.

Ted





  parent reply	other threads:[~2016-07-05 21:17 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-06-12 21:32 bug#23759: 25.1.50; open-tls-stream creates malformed gnutls-cli command if trusted cert files don't exist Francis Litterio
2016-06-13  3:42 ` Eli Zaretskii
2016-06-13 10:18   ` Lars Ingebrigtsen
     [not found]     ` <CAGQpP8QFu3zx9_3SLf5tVRhGC7bV0hUiA8=OJm8HpA5H-hTfwA@mail.gmail.com>
     [not found]       ` <CAGQpP8QWYaxgE0=VGshhxDW=U3yT_kXsNq178m6zPGq15Ets9g@mail.gmail.com>
2016-06-13 11:33         ` Fran
2016-06-13 11:40           ` Lars Ingebrigtsen
2016-06-13 11:49             ` Fran
2016-06-13 14:03     ` Eli Zaretskii
2016-07-02  0:09 ` bug#23759: 25.1.50; Konstantin Kliakhandler
2016-07-02  7:09 ` bug#23759: 25.1.50; 25.1.50; open-tls-stream creates malformed gnutls-cli command if trusted cert files don't exist Konstantin Kliakhandler
2016-07-05 14:36   ` Ted Zlatanov
2016-07-05 14:49     ` Noam Postavsky
2016-07-05 16:54       ` Konstantin Kliakhandler
2016-07-05 17:59         ` Noam Postavsky
2016-07-05 21:17         ` Ted Zlatanov [this message]
2016-07-06 22:24           ` Richard Stallman
2016-07-07  3:31             ` Ted Zlatanov
2016-07-07  6:11               ` Konstantin Kliakhandler
2016-07-07 22:01                 ` Richard Stallman
2016-07-07 17:10           ` Ted Zlatanov
2016-07-07 22:40             ` Konstantin Kliakhandler
2016-07-08 13:43               ` Ted Zlatanov
2019-05-13 19:42 ` bug#23759: " Lars Ingebrigtsen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87k2gzhjjc.fsf_-_@lifelogs.com \
    --to=tzz@lifelogs.com \
    --cc=23759@debbugs.gnu.org \
    --cc=kosta@slumpy.org \
    --cc=npostavs@users.sourceforge.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.