all messages for Emacs-related lists mirrored at yhetil.org
* gnutls-verify-error issues
@ 2016-07-12  1:35 Hubert Chathi
  0 siblings, 0 replies; 4+ messages in thread
From: Hubert Chathi @ 2016-07-12  1:35 UTC (permalink / raw)
  To: help-gnu-emacs

There seems to be something weird going on with the gnutls-verify-error
variable.  It is initially set to:

(("muchlearning\\.org"
      (:trustfiles))
     ("news\\.gmane\\.org" nil)
     (".*"
      (:trustfiles :hostname)))

i.e. it verifies all domains strictly except for a couple of domains
that need to be more lax.

However, after it's made a few connections, the value changes, and
eventually becomes unusable for some domains.  e.g. it may look like this:

(("muchlearning\\.org"
   (:trustfiles))
  ("news\\.gmane\\.org" nil
   (:trustfiles :hostname)
   (:trustfiles :hostname)
   . #2)
  (".*"
   (:trustfiles :hostname)
   . #1))

and it won't be able to connect to news.gmane.org any more.

I'm currently using emacs 24.4 from Debian (package version 24.4+1-5,
which is the current version from Debian stable).

-- 
Hubert Chathi - Email/Jabber: hubert@uhoreg.ca - https://www.uhoreg.ca/
PGP/GnuPG key: 4096R/113A1368 (Key available at pool.sks-keyservers.net)
Fingerprint: F24C F749 6C73 DDB8 DCB8  72DE B2DE 88D3 113A 1368





* Re: gnutls-verify-error issues
       [not found] <mailman.1147.1468287386.26859.help-gnu-emacs@gnu.org>
@ 2016-07-12  1:48 ` Emanuel Berg
  2016-07-12 14:00 ` Ted Zlatanov
  1 sibling, 0 replies; 4+ messages in thread
From: Emanuel Berg @ 2016-07-12  1:48 UTC (permalink / raw)
  To: help-gnu-emacs

Hubert Chathi <hubert@uhoreg.ca> writes:

> There seems to be something weird going on
> with the gnutls-verify-error variable.

This is not in any way an answer to your
question, however I'd like to mention I've had
problems with the TLS the past two months and
it might be related - all details:

    https://lists.gnu.org/archive/html/info-gnus-english/2016-05/msg00002.html

-- 
underground experts united .... http://user.it.uu.se/~embe8573
Emacs Gnus Blogomatic ......... http://user.it.uu.se/~embe8573/blogomatic
                   - so far: 56 Blogomatic articles -                   



* Re: gnutls-verify-error issues
       [not found] <mailman.1147.1468287386.26859.help-gnu-emacs@gnu.org>
  2016-07-12  1:48 ` gnutls-verify-error issues Emanuel Berg
@ 2016-07-12 14:00 ` Ted Zlatanov
  2016-07-13  3:08   ` Hubert Chathi
  1 sibling, 1 reply; 4+ messages in thread
From: Ted Zlatanov @ 2016-07-12 14:00 UTC (permalink / raw)
  To: help-gnu-emacs

On Mon, 11 Jul 2016 21:35:57 -0400 Hubert Chathi <hubert@uhoreg.ca> wrote: 

HC> There seems to be something weird going on with the gnutls-verify-error
HC> variable.  It is initially set to:

HC> (("muchlearning\\.org"
HC>       (:trustfiles))
HC>      ("news\\.gmane\\.org" nil)
HC>      (".*"
HC>       (:trustfiles :hostname)))

HC> i.e. it verifies all domains strictly except for a couple of domains
HC> that need to be more lax.

HC> However, after it's made a few connections, the value changes, and
HC> eventually becomes unusable for some domains.  e.g. it may look like this:

HC> (("muchlearning\\.org"
HC>    (:trustfiles))
HC>   ("news\\.gmane\\.org" nil
HC>    (:trustfiles :hostname)
HC>    (:trustfiles :hostname)
HC>    . #2)
HC>   (".*"
HC>    (:trustfiles :hostname)
HC>    . #1))

HC> and it won't be able to connect to news.gmane.org any more.

HC> I'm currently using emacs 24.4 from Debian (package version 24.4+1-5,
HC> which is the current version from Debian stable).

I am not aware of any code in Emacs that would modify
`gnutls-verify-error' and haven't seen this issue. But it could be a
bug. In particular this line *could* be the culprit in gnutls.el:

    (when verify-hostname-error
      (push :hostname verify-error))

Are you able to put a debug statement in there and try again?

Or give a recipe to duplicate the issue?

Ted




* Re: gnutls-verify-error issues
  2016-07-12 14:00 ` Ted Zlatanov
@ 2016-07-13  3:08   ` Hubert Chathi
  0 siblings, 0 replies; 4+ messages in thread
From: Hubert Chathi @ 2016-07-13  3:08 UTC (permalink / raw)
  To: help-gnu-emacs

On Tue, 12 Jul 2016 10:00:41 -0400, Ted Zlatanov <tzz@lifelogs.com> said:

> I am not aware of any code in Emacs that would modify
> `gnutls-verify-error' and haven't seen this issue. But it could be a
> bug. In particular this line *could* be the culprit in gnutls.el:

>     (when verify-hostname-error (push :hostname verify-error))

> Are you able to put a debug statement in there and try again?

I changed those lines to:
    (when verify-hostname-error
      (message "hostname error")
      (push :hostname verify-error))

But there was no extra message in *Messages*.

But then I tried modifying the lambda in the (let* ... (verify-error
...)) expression in gnutls-negotiate to read

                              (lambda (check)
                                (when (string-match (car check) hostname)
                                  (copy-sequence (cdr check))))

(I added the copy-sequence call), and now it seems to be working as it
should, so it looks like *something* in that function is modifying the
value.

> Or give a recipe to duplicate the issue?

For me, just setting the value of gnutls-verify-error to

    (("muchlearning\\.org"
      (:trustfiles))
     ("news\\.gmane\\.org" nil
      (:trustfiles :hostname))
     (".*"
      (:trustfiles :hostname)))

and then accessing news.gmane.org in Gnus via NNTP over TLS results in
the value of gnutls-verify-error changing.

-- 
Hubert Chathi - Email/Jabber: hubert@uhoreg.ca - https://www.uhoreg.ca/
PGP/GnuPG key: 4096R/113A1368 (Key available at pool.sks-keyservers.net)
Fingerprint: F24C F749 6C73 DDB8 DCB8  72DE B2DE 88D3 113A 1368
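
The behaviour reported in this thread, reproduced as an added illustration that is not part of any message above and is not the gnutls.el source. It assumes the tails of the matching entries are joined with a destructive concatenation (`nconc`), which the thread does not show; `demo-policy` and `demo-lookup` are hypothetical names and the policy value is constructed from the one posted.

```elisp
;; Added illustration, not code from gnutls.el.
;; Assumption: matching entries are joined destructively with `nconc'.

(defun demo-policy ()
  "Return a fresh policy alist shaped like the one posted in the thread.
Built with `list' so that no quoted constant is ever modified."
  (list (list "muchlearning\\.org" (list :trustfiles))
        (list "news\\.gmane\\.org" nil)
        (list ".*" (list :trustfiles :hostname))))

(defun demo-lookup (policy host &optional copy)
  "Join the tails of every POLICY entry whose regexp matches HOST.
With COPY non-nil, copy each tail first (the `copy-sequence' change
described in the message above)."
  (apply #'nconc
         (mapcar (lambda (check)
                   (when (string-match (car check) host)
                     (if copy
                         (copy-sequence (cdr check))
                       (cdr check))))
                 policy)))

;; Without copying: `nconc' splices the tail of the ".*" entry onto the
;; tail of the "news\\.gmane\\.org" entry, inside the policy itself.
(let ((policy (demo-policy))
      (print-circle t))                 ; print shared/circular cells safely
  (demo-lookup policy "news.gmane.org")
  (message "after 1 lookup:  %S" policy)
  ;; The second lookup appends the ".*" tail to a list that already ends
  ;; in that same cell, so the cell now points at itself.
  (demo-lookup policy "news.gmane.org")
  (message "after 2 lookups: %S" policy))

;; With copying: only the fresh copies are spliced together, so the
;; stored verification policy stays exactly as configured.
(let ((policy (demo-policy)))
  (dotimes (_ 3)
    (demo-lookup policy "news.gmane.org" t))
  (message "policy unchanged with copy-sequence: %S"
           (equal policy (demo-policy))))
```

Evaluating this in a scratch buffer shows the first form rewriting the stored per-host verification flags after each lookup, while the second leaves them untouched.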




