From: Ted Zlatanov
Newsgroups: gmane.emacs.bugs
Subject: bug#16193: 24.3; Enable TLS certificate checking by default
Date: Thu, 19 Dec 2013 15:23:23 -0500
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <87pposh9ok.fsf@flea.lifelogs.com>
References: <87y53g7imz.fsf@motoko.kusanagi>
In-Reply-To: <87y53g7imz.fsf@motoko.kusanagi> (William G. Gardella's message of "Thu, 19 Dec 2013 19:20:04 +0000")
To: "William G. Gardella"
Cc: 16193@debbugs.gnu.org
User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)

On Thu, 19 Dec 2013 19:20:04 +0000 "William G. Gardella" wrote:

WGG> How to reproduce: use `open-network-stream' on any TLS connection to a
WGG> server with an invalid, expired, or self-signed certificate.
WGG> What I expect to happen: Emacs asks the user or signals on `error' or
WGG> `user-error', terminating the connection attempt, or queries the user if
WGG> they wish to continue.

Please try setting `gnutls-verify-error' through customize in the Emacs
trunk. Set it to t to always error on verification issues. I plan to
change it to t (or some variation thereof, e.g. sit-for-a-bit) after the
upcoming release, but didn't want to break people's setups.

Also there's no way to make it interactive due to the way Emacs
constructs the GnuTLS connection. It has to error out completely.

WGG> Recommended solutions:

WGG> 2. Ensure that `tls-checktrust' actually works on an Emacs where
WGG> libgnutls is linked in. (As far as I can tell, gnutls makes no
WGG> reference to this variable, although `gnutls-negotiate' does seem to
WGG> have some low-level facility for checking certificates, and there is the
WGG> `gnutls-trustfiles' variable).

Please check that it works for you as described above. If yes, we'll
close this ticket.

WGG> 3. Document the default behavior in locations highly visible to users,
WGG> i.e. not just in the elisp manual, which is primarily for people writing
WGG> elisp, but also in the manuals of major `open-network-stream'-using
WGG> packages, such as ERC and smtpmail. This is still an inferior solution
WGG> as users are unlikely to consult these manuals if nothing seems to be
WGG> wrong.

After the upcoming release, yes.

Ted
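A worked Emacs Lisp configuration, added here as an illustration and not part of the bug thread: it sets `gnutls-verify-error' to t as Ted suggests (the same effect as doing it through customize), names the trust store explicitly, and opens a TLS stream so that an invalid, expired or self-signed certificate terminates the connection attempt, which is the behaviour William asks for. `gnutls-verify-error', `gnutls-trustfiles', `gnutls-available-p' and `open-network-stream' are real Emacs names (the first two exist in the trunk of that time, i.e. Emacs 24.4 and later); the CA bundle path, the host in the usage line and the helper name `my/open-verified-tls' are assumptions.

```elisp
;; Added example (not from the bug thread): opt in to strict certificate
;; verification and open a TLS stream that fails closed on a bad certificate.
;; Real names: gnutls-verify-error, gnutls-trustfiles, gnutls-available-p,
;; open-network-stream.  Assumed: the CA bundle path, the host, and the
;; helper name my/open-verified-tls.

(require 'gnutls)

;; Equivalent to `M-x customize-variable RET gnutls-verify-error RET' -> t.
;; A value of t means: signal an error on any verification failure, for
;; every host.  (The variable also accepts a per-host list of checks.)
(setq gnutls-verify-error t)

;; The CA bundle used to verify the peer certificate.  The default list is
;; distribution-specific, so state it explicitly.  (Path is an assumption.)
(setq gnutls-trustfiles '("/etc/ssl/certs/ca-certificates.crt"))

(defun my/open-verified-tls (host port)
  "Open a TLS connection to HOST:PORT with certificate verification.
Return the process on success, or nil after reporting the failure.
With `gnutls-verify-error' set to t, a self-signed, expired or
mismatched certificate makes the handshake signal an error, so the
attempt terminates instead of silently proceeding unverified.  As Ted
notes, the check cannot prompt mid-handshake; it can only abort, which
is why the error is caught here and reported rather than overridden."
  (unless (gnutls-available-p)
    ;; Without built-in GnuTLS, `:type 'tls' falls back to the external
    ;; tls.el program path, whose checks are governed by `tls-checktrust'.
    (user-error "This Emacs was not built with GnuTLS support"))
  (condition-case err
      (open-network-stream "verified-tls" nil host port :type 'tls)
    (error
     (message "TLS connection to %s:%d refused: %s"
              host port (error-message-string err))
     nil)))

;; Usage (host is an assumption):
;; (my/open-verified-tls "example.com" 443)
```

Leaving `gnutls-verify-error' at its default of nil is what makes the reported behaviour possible: the handshake completes against any certificate and the caller never learns that verification was skipped. Setting it to t before any package calls `open-network-stream' closes that gap for ERC, smtpmail and everything else that goes through the same entry point.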