all messages for Emacs-related lists mirrored at yhetil.org
* [Gnus] Connecting to Eternal September with TLS?
From: Anssi Saari @ 2016-03-16  8:00 UTC
  To: help-gnu-emacs


Last week I was able to connect to Eternal September nntp server with
this:

(setq gnus-select-method '(nntp "news.eternal-september.org"
                                (nntp-open-connection-function
                                nntp-open-tls-stream)
                                (nntp-port-number 563)
                                (nntp-address
                                "news.eternal-september.org")))

The computer was rebooted during the weekend, presumably some updates
were installed. It's running Ubuntu 14.04.3 LTS, GNU Emacs 24.3.1, Gnus
v5.13 (not administrated by me).

Today I get this:

gnutls.c: [0] (Emacs) fatal error: The signature algorithm is not
supported.
gnutls.el: (err=[-106] The signature algorithm is not supported.) boot:
(:priority NORMAL :hostname news.eternal-september.org :loglev\
el 0 :min-prime-bits 256 :trustfiles
(/etc/ssl/certs/ca-certificates.crt) :crlfiles nil :keylist nil
:verify-flags nil :verify-error n\
il :verify-hostname-error nil :callbacks nil)

With more loglevel I got this:

gnutls.c: [1] (Emacs) allocating credentials
gnutls.c: [2] (Emacs) allocating x509 credentials
gnutls.c: [2] (Emacs) using default verification flags
gnutls.c: [1] (Emacs) setting the trustfile:
/etc/ssl/certs/ca-certificates.crt
gnutls.c: [1] (Emacs) gnutls callbacks
gnutls.c: [1] (Emacs) gnutls_init
gnutls.c: [1] (Emacs) got non-default priority string: NORMAL
gnutls.c: [1] (Emacs) setting the priority string
gnutls.c: [2] ASSERT: gnutls_constate.c:695

gnutls.c: [2] EXT[0x3f9bdd0]: Sending extension SAFE RENEGOTIATION (1
bytes)

gnutls.c: [2] EXT[SIGA]: sent signature algo (4.2) DSA-SHA256

gnutls.c: [2] EXT[SIGA]: sent signature algo (4.1) RSA-SHA256

gnutls.c: [2] EXT[SIGA]: sent signature algo (2.1) RSA-SHA1

gnutls.c: [2] EXT[SIGA]: sent signature algo (2.2) DSA-SHA1

gnutls.c: [2] EXT[0x3f9bdd0]: Sending extension SIGNATURE ALGORITHMS (10
bytes)

gnutls.c: [1] (Emacs) non-fatal error: Resource temporarily unavailable,
try again. [75 times]
gnutls.c: [2] EXT[0x3f9bdd0]: Parsing extension 'SAFE
RENEGOTIATION/65281' (1 bytes)

gnutls.c: [2] ASSERT: auth_cert.c:1127

gnutls.c: [2] ASSERT: gnutls_kx.c:705

gnutls.c: [2] ASSERT: gnutls_handshake.c:2777

gnutls.c: [0] (Emacs) fatal error: The signature algorithm is not
supported.
gnutls.el: (err=[-106] The signature algorithm is not supported.) boot:
(:priority NORMAL :hostname news.eternal-september.org :loglevel 2
:min-prime-bits 256 :trustfiles (/etc/ssl/certs/ca-certificates.crt)
:crlfiles nil :keylist nil :verify-flags nil :verify-error nil
:verify-hostname-error nil :callbacks nil)
gnutls.c: [2] (Emacs) Deallocating x509 credentials
>>> (gnutls-error nntpd -106)

And with a wild guess after visiting an ssl checker website I think I
might need MD5 for signature checking. gnutls.el mentions
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 but I don't know how to specify that
from Gnus.



* Re: [Gnus] Connecting to Eternal September with TLS?
From: Lars Magne Ingebrigtsen @ 2016-03-16 10:53 UTC
  To: help-gnu-emacs

Anssi Saari <as@sci.fi> writes:

> And with a wild guess after visiting an ssl checker website I think I
> might need MD5 for signature checking. gnutls.el mentions
> GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 but I don't know how to specify that
> from Gnus.

Here's an easy test case:

(open-network-stream
 "nntpd" (get-buffer-create "*foo*")
 "news.eternal-september.org" "nntp"
 :type 'starttls
 :end-of-command "^\\([2345]\\|[.]\\).*\n"
 :capability-command "HELP\r\n"
 :success "^3"
 :starttls-function
 (lambda (capabilities)
   (if (not (string-match "STARTTLS" capabilities))
       nil
     "STARTTLS\r\n")))

First of all, I think the error message is lacking.  It should say more
about what's failing.

As to the bug -- gnutls by default now refuses to deal with MD5
certificates.  We could override that, and instead let the network
security manager notify the user that the connection isn't safe.

I think that's a better solution, but others may differ.

(I've reported this with `M-x report-emacs-bug'.)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
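
A triage helper for the debug log in this thread, added here as an example (it is not part of either message, nor Emacs or GnuTLS code): it decodes the `(hash.sig)` pairs GnuTLS logs for the signature_algorithms extension using the RFC 5246 code points, rebuilds the extension body to cross-check the logged length, and reports whether any MD5-based algorithm was offered. The name `triage` and the regexes are assumptions of this example; the sample lines are excerpted from the log in the first message, with wrapped lines rejoined.

```python
import re
import struct

# RFC 5246 section 7.4.1.4.1 code points, printed by GnuTLS as "(hash.sig)".
HASHES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

# Lines excerpted from the log in the first message (wrapped lines rejoined).
SAMPLE_LOG = """\
gnutls.c: [2] EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
gnutls.c: [2] EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
gnutls.c: [2] EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
gnutls.c: [2] EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
gnutls.c: [2] EXT[0x3f9bdd0]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
gnutls.c: [2] ASSERT: auth_cert.c:1127
gnutls.c: [0] (Emacs) fatal error: The signature algorithm is not supported.
gnutls.el: (err=[-106] The signature algorithm is not supported.) boot:
"""

SENT_RE = re.compile(r"sent signature algo \((\d+)\.(\d+)\)")
EXT_RE = re.compile(r"Sending extension SIGNATURE ALGORITHMS \((\d+) bytes\)")
ERR_RE = re.compile(r"err=\[(-?\d+)\] (.+?)\)")


def triage(log):
    """Summarise what the client offered and how the handshake failed."""
    pairs = [(int(h), int(s)) for h, s in SENT_RE.findall(log)]
    # extension_data = 2-byte list length, then one (hash, sig) byte pair per entry.
    body = struct.pack("!H", 2 * len(pairs)) + bytes(b for p in pairs for b in p)
    ext = EXT_RE.search(log)
    err = ERR_RE.search(log)
    return {
        "offered": [f"{SIGS.get(s, s)}-{HASHES.get(h, h)}" for h, s in pairs],
        "md5_offered": any(HASHES.get(h) == "md5" for h, _ in pairs),
        "extension_hex": body.hex(),
        "length_matches_log": ext is not None and int(ext.group(1)) == len(body),
        "error_code": int(err.group(1)) if err else None,
        "error_text": err.group(2) if err else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
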

