From: Lars Ingebrigtsen
To: Roland Winkler
Cc: 9017@debbugs.gnu.org
Newsgroups: gmane.emacs.bugs
Subject: bug#9017: 24.0.50; gnutls.c: [0] (Emacs) fatal error: Key usage violation in certificate has been detected.
Date: Wed, 25 Jan 2012 23:35:35 +0100
Message-ID: <87mx9bh0lk.fsf@gnus.org>
In-Reply-To: <87wr8fbegb.fsf@lifelogs.com> (Ted Zlatanov's message of "Wed, 25 Jan 2012 16:32:52 -0600")

Ted Zlatanov writes:

> "This certificate restricts its usage to key encipherment. For TLS this
> is restricted to only the RSA key exchange. By misconfiguration however
> the server allows you to connect with a ciphersuite that violates this
> usage and that's why gnutls-cli fails to connect."

I'm afraid I don't understand what this is saying at all.  :-)

> I may be misunderstanding the intent, but I thought globally you're
> saying you'll allow restricted certificates.  I'm not sure that's ideal
> and I think it is insecure, but I'm not so sure anymore after thinking
> about it more carefully.
>
> Either way it seems that `gnutls-algorithm-priority' will have to be one
> of those string-or-alist-or-function variables, so you can disable
> security altogether for specific hosts that need it.  I can add that
> support if you think it's reasonable.

I think the nice way to handle this would be to prompt the user here.
With something like "The server provides buggy dhe-rsa credentials;
connect anyway?" or something, which would result in "-dhe-rsa" being
added to the variable.

But as you point out, it should be on a per-host basis, probably...

-- 
(domestic pets only, the antidote for overdose, milk.)
  http://lars.ingebrigtsen.no  *  Sent from my Rome
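
Added example, not part of the original message or of Emacs/GnuTLS code: a small Python model of the key-usage rule quoted above (per RFC 5246, section 7.4.2) and of a per-host priority string that drops the violating key exchanges. The function names, the per-host table and the host name are hypothetical.

```python
# Added illustration; names and the sample host are constructed.
# keyUsage bit an RSA server certificate needs for each TLS key exchange
# (RFC 5246, section 7.4.2). Names follow GnuTLS priority-string keywords.
REQUIRED_KEY_USAGE = {
    "RSA": "keyEncipherment",       # client encrypts the premaster secret to the cert key
    "DHE-RSA": "digitalSignature",  # server signs its ephemeral DH parameters
    "ECDHE-RSA": "digitalSignature",
}


def key_usage_violation(key_usage, kx):
    """Return the keyUsage bit that kx needs but the cert lacks, else None.

    key_usage is a set of bit names, or None when the certificate has no
    keyUsage extension (in which case nothing is restricted).
    """
    if key_usage is None:
        return None
    needed = REQUIRED_KEY_USAGE[kx]
    return None if needed in key_usage else needed


def priority_for_cert(key_usage, base="NORMAL"):
    """Build a priority string that drops every key exchange the cert forbids."""
    dropped = [kx for kx in REQUIRED_KEY_USAGE
               if key_usage_violation(key_usage, kx)]
    return ":".join([base] + ["-" + kx for kx in dropped])


# Hypothetical per-host table, the shape proposed in the thread.
HOST_PRIORITY = {}


def remember_host(host, key_usage):
    """Record a host-specific priority only if the default would violate."""
    prio = priority_for_cert(key_usage)
    if prio != "NORMAL":
        HOST_PRIORITY[host] = prio
    return HOST_PRIORITY.get(host, "NORMAL")


if __name__ == "__main__":
    # Constructed case matching the report: keyEncipherment-only certificate.
    print(key_usage_violation({"keyEncipherment"}, "DHE-RSA"))
    print(remember_host("mail.example.org", {"keyEncipherment"}))
```

Restricting the override to the affected host keeps DHE-RSA available everywhere else, which is the per-host behaviour both participants ask for.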