From: Jimmy Yuen Ho Wong
Newsgroups: gmane.emacs.devel
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sun, 24 Jun 2018 18:10:13 +0100
Message-ID: <988de2f1-ec9a-4986-1ae5-ae435c736ac0@gmail.com>
To: Lars Ingebrigtsen, Eli Zaretskii
Cc: eggert@cs.ucla.edu, Noam Postavsky, emacs-devel@gnu.org
I have just been looking at how to add OCSP as well. I noticed `gnutls-boot` already accepts `:crlfiles`; I have a `gnutls.el` patch that'll supply it to `gnutls-boot-parameters`. I'm testing it now, but I'm having a bit of trouble generating a CRL in PEM. Anyway, do you think it's worth it as a quick win to include in either master or 26.2 if it works?
On 24/06/2018 17:57, Lars Ingebrigtsen wrote:
> Eli Zaretskii writes:
>
>> When the changes are pushed to master, we could look at them and
>> consider whether they (or some of their parts) are safe enough for
>> emacs-26.
> Yup.
>
> I'm going through the current recommendations for TLS security, and most
> of them are straightforward and require just some added NSM checks.
> However, the check for intermediary sha1 certificates requires a
> C-level change: gnutls.c doesn't expose to Lisp the certificate chain,
> so I'll have to add that, too.
>
> It's not a complicated addition, but it's C level, so you'll have to
> decide whether something that has the potential for crashing Emacs is
> worth the risk for Emacs 26.2. But I guess we'll see once I've
> implemented this (hopefully next week).
>
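An added example, not code from this thread or from Emacs's own nsm.el, of the kind of NSM check Lars describes: once gnutls.c exposes the certificate chain to Lisp, flag intermediate certificates whose signature uses SHA-1. It assumes the chain arrives as a list of plists, leaf first, each carrying `:subject`, `:issuer` and `:signature-algorithm` strings in the form `gnutls-peer-status` already uses for the peer certificate (e.g. "RSA-SHA1"); the function names and the sample chain are constructed for the example.

```elisp
(require 'seq)

(defun nsm-example--self-signed-p (cert)
  "Non-nil when CERT's issuer DN equals its subject DN, i.e. a root.
A root's self-signature is never verified during chain validation,
so the hash it uses is irrelevant to the check."
  (let ((issuer (plist-get cert :issuer))
        (subject (plist-get cert :subject)))
    (and issuer subject (string= issuer subject))))

(defun nsm-example--sha1-signed-p (cert)
  "Non-nil when CERT's signature algorithm hashes with SHA-1.
Assumed name forms: \"SHA1\" or \"<KEYALG>-SHA1\", e.g. \"RSA-SHA1\"."
  (let ((algo (plist-get cert :signature-algorithm)))
    (and (stringp algo)
         (string-match-p "\\(?:\\`\\|-\\)SHA1\\'" algo))))

(defun nsm-example--sha1-intermediates (chain)
  "Return the SHA-1-signed intermediate certificates in CHAIN (leaf first).
The leaf is covered by NSM's existing per-certificate checks and roots are
skipped, so the result is the set of issuing certificates whose SHA-1
signature still binds the chain together."
  (seq-filter (lambda (cert)
                (and (not (nsm-example--self-signed-p cert))
                     (nsm-example--sha1-signed-p cert)))
              (cdr chain)))

(defun nsm-example-check-intermediate-sha1 (host port chain)
  "Return a warning string for HOST:PORT if CHAIN has SHA-1 intermediates.
Return nil when the chain is acceptable, following the nil-or-message
convention of NSM check functions."
  (let ((bad (nsm-example--sha1-intermediates chain)))
    (when bad
      (format "The certificate chain for %s:%d has %d intermediate \
certificate(s) signed with SHA-1 (%s). SHA-1 is no longer collision \
resistant, so the whole chain should be treated as untrusted."
              host port (length bad)
              (mapconcat (lambda (cert) (plist-get cert :subject)) bad ", ")))))

;; Constructed sample chain, leaf first, as a handshake would present it:
;; the leaf uses SHA-256, the intermediate SHA-1, and the root is self-signed.
(defconst nsm-example--sample-chain
  '((:subject "CN=www.example.com" :issuer "CN=Example Intermediate CA"
     :signature-algorithm "RSA-SHA256")
    (:subject "CN=Example Intermediate CA" :issuer "CN=Example Root CA"
     :signature-algorithm "RSA-SHA1")
    (:subject "CN=Example Root CA" :issuer "CN=Example Root CA"
     :signature-algorithm "RSA-SHA1")))

(nsm-example-check-intermediate-sha1 "www.example.com" 443 nsm-example--sample-chain)
```

Wiring this into `nsm-check-protocol` would additionally need the chain itself; on Emacs 26 `gnutls-peer-status` only returns the peer certificate, which is exactly the C-level gap Lars mentions.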