From: David Engster <deng@randomsample.de>
To: Eli Zaretskii <eliz@gnu.org>
Cc: 19404@debbugs.gnu.org, larsi@gnus.org, dgutov@yandex.ru
Subject: bug#19404: 25.0.50; Gnus shows self-signed certificate warning when connecting to Gmane
Date: Thu, 18 Dec 2014 22:40:56 +0100
Message-ID: <87lhm4myaf.fsf@engster.org>
In-Reply-To: <83ioh8u1cs.fsf@gnu.org> (Eli Zaretskii's message of "Thu, 18 Dec 2014 22:52:51 +0200")

Eli Zaretskii writes:
>> From: David Engster <deng@randomsample.de>
>> Cc: Eli Zaretskii <eliz@gnu.org>, 19404@debbugs.gnu.org, dgutov@yandex.ru
>> Date: Thu, 18 Dec 2014 21:20:05 +0100
>
>>
>> Just to make a few things clear: A 'self-signed' certificate simply
>> means that a certificate is signed with its own private key. You can
>> easily identify them by looking at the 'Issuer' and 'Subject' - they are
>> identical:
>>
>> openssl s_client -connect news.gmane.org:563
>>
>> [...]
>>
>> Certificate chain
>> 0 s:/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org
>> i:/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org
>>
>> If you connect to a service secured with such a certificate, you'll be
>> greeted with a certificate chain with a depth of '0', only containing
>> this one certificate (so it's actually not a chain). Self-signed
>> certificates are by default never trustworthy, since anyone can create
>> them.
>
> Do you understand why I got the same "self-signed" indication for a
> certificate whose chain couldn't be verified because the root
> certificates were not available? E.g., remove or rename your bundle,
> then try "M-x eww" to some HTTPS address -- you will see the
> "self-signed" indication in that case as well. Why does this happen?

I see now that :self-signed is mapped to
GNUTLS_CERT_SIGNER_NOT_FOUND. This however does not mean that a
certificate is self-signed. See

http://www.gnutls.org/manual/gnutls.html#gnutls_005fcertificate_005fstatus_005ft

It simply means: "The certificate’s issuer is not known. This is the
case if the issuer is not included in the trusted certificate list."

It *could* be self-signed. I don't know the best way in libgnutls to
detect this. You probably have to compare issuer and subject, or
similar.

-David
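
Added example, not part of the original message and not Emacs or GnuTLS code: the issuer/subject comparison discussed above, applied to `openssl s_client` chain output so that a "signer not found" result is only labelled self-issued when the single certificate names itself as issuer. The function names, labels and the second sample chain are assumptions made for illustration. Matching names show a certificate is self-issued; confirming it is self-signed also requires checking its signature against its own public key.

```python
import re

# Constructed sample input in the format printed by `openssl s_client`.
# GMANE is the chain quoted in the message above; CA_ISSUED is a made-up
# leaf whose issuer is some CA that the client does not have.
GMANE = """\
Certificate chain
 0 s:/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org
   i:/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org
"""
CA_ISSUED = """\
Certificate chain
 0 s:/C=XX/O=Example Org/CN=www.example.test
   i:/C=XX/O=Example CA/CN=Example Issuing CA
"""

# One chain entry: "<depth> s:<subject>" followed by "i:<issuer>".
ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from s_client chain output."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(text)]


def describe_unknown_signer(chain):
    """Label a chain that verification rejected as 'signer not found'.

    'self-issued' is claimed only when the peer sent a single certificate
    whose issuer equals its subject. Every other case is reported as an
    unknown issuer, which is all the status flag itself states.
    """
    if not chain:
        return "no-certificate"
    _depth, subject, issuer = chain[0]
    if len(chain) == 1 and subject == issuer:
        return "self-issued"
    return "unknown-issuer"


if __name__ == "__main__":
    for name, text in (("gmane", GMANE), ("ca-issued", CA_ISSUED)):
        print(name, describe_unknown_signer(parse_chain(text)))
```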