* bug#19098: 24.4.51; gnutls.c doesn't handle wildcard certificates
From: Lars Magne Ingebrigtsen @ 2014-11-18 18:01 UTC
To: 19098

The new NSM code uncovered this problem:

--------
Certificate issued by GeoTrust SSL CA - G3
Issued to Tumblr, Inc.
Certificate host name: *.media.tumblr.com
Public key: RSA, signature: RSA-SHA256, security level: Low
Valid from: 2014-09-30, valid to: 2016-04-08

The TLS connection to 33.media.tumblr.com:443 is insecure
for the following reason:

certificate could not be verified
--------

So the host checking code in, I think, gnutls-negotiate should be
extended to understand things like "*.media.tumblr.com".

In GNU Emacs 24.4.51.61 (x86_64-unknown-linux-gnu, X toolkit, Xaw scroll bars)
 of 2014-11-18 on stories
Repository revision: f924c7deeb96d2caf0d0e4fabc6008204984feeb
Windowing system distributor `The X.Org Foundation', version 11.0.11204000
System Description: Debian GNU/Linux 7.6 (wheezy)

Important settings:
  value of $LANG: en_US
  locale-coding-system: iso-latin-1-unix

Major mode: Help

Minor modes in effect:
  shell-dirtrack-mode: t
  diff-auto-refine-mode: t
  tooltip-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  buffer-read-only: t
  line-number-mode: t

Recent messages:
Reading active file from archive via nnfolder...done
Reading active file from archive via nnfolder...done
Reading active file via nndraft...done
Reading active file via nnmbox...done
Checking new news...done
Auto-saving...done
mouse-2: show the MIME part; down-mouse-3: more options
Type "q" in help window to restore its previous buffer.
Mark set [2 times]
Making completion list...

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

* bug#19098: 24.4.51; gnutls.c doesn't handle wildcard certificates
From: Ted Zlatanov @ 2014-11-19 21:03 UTC
To: Lars Magne Ingebrigtsen; +Cc: 19098

On Tue, 18 Nov 2014 19:01:33 +0100 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote:

LMI> The new NSM code uncovered this problem:
LMI> --------
LMI> Certificate issued by GeoTrust SSL CA - G3
LMI> Issued to Tumblr, Inc.
LMI> Certificate host name: *.media.tumblr.com
LMI> Public key: RSA, signature: RSA-SHA256, security level: Low
LMI> Valid from: 2014-09-30, valid to: 2016-04-08

LMI> The TLS connection to 33.media.tumblr.com:443 is insecure
LMI> for the following reason:

LMI> certificate could not be verified
LMI> --------

LMI> So the host checking code in, I think, gnutls-negotiate should be
LMI> extended to understand things like "*.media.tumblr.com".

For the hostname check, we use gnutls_x509_crt_check_hostname() which,
according to the docs, will handle wildcards.  But that's not the source
of this error :)

The error you cite comes from gnutls.c:

#+begin_src c
    ret = fn_gnutls_certificate_verify_peers2 (state, &peer_verification);
#+end_src

and is caused by the GNUTLS_CERT_INVALID flag.  But I don't see a hint
anywhere that it does not work with wildcard certs (you have to
explicitly disable them, so the assumption is that they work by
default).  Also, if you set `gnutls-verify-error' to t, do you get the
corresponding error in the non-NSM flow?  "$HOSTNAME certificate could
not be verified."

Finally, can you verify the cert with gnutls-cli?  If it's valid, I'll
ask on the GnuTLS mailing list because I'm probably missing something.
For me it fails:

#+begin_src text
% gnutls-cli 33.media.tumblr.com [nsm]
Resolving '33.media.tumblr.com'...
Connecting to '209.197.3.20:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `C=US,ST=New York,L=New York,O=Tumblr\, Inc.,CN=*.media.tumblr.com', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-09-30 00:00:00 UTC', expires `2016-04-08 23:59:59 UTC', SHA-1 fingerprint `099be258615288fba254ee2cf428422be6c8f3ca'
- Certificate[1] info:
 - subject `C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2013-11-05 21:36:50 UTC', expires `2022-05-20 21:36:50 UTC', SHA-1 fingerprint `5aeaee3f7f2a9449cebafeec68fdd184f20124a7'
- Certificate[2] info:
 - subject `C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2013-11-05 21:36:50 UTC', expires `2022-05-20 21:36:50 UTC', SHA-1 fingerprint `5aeaee3f7f2a9449cebafeec68fdd184f20124a7'
- Certificate[3] info:
 - subject `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2002-05-21 04:00:00 UTC', expires `2022-05-21 04:00:00 UTC', SHA-1 fingerprint `de28f4a4ffe5b92fa3c503d1a349a7f9962a8212'
- The hostname in the certificate matches '33.media.tumblr.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: ARCFOUR-128
- MAC: SHA1
- Compression: NULL
- Handshake was completed
#+end_src

Ted

* bug#19098: 24.4.51; gnutls.c doesn't handle wildcard certificates
From: Lars Magne Ingebrigtsen @ 2014-12-08 20:11 UTC
To: 19098

Ted Zlatanov <tzz@lifelogs.com> writes:

> and is caused by the GNUTLS_CERT_INVALID flag.  But I don't see a hint
> anywhere that it does not work with wildcard certs (you have to
> explicitly disable them, so the assumption is that they work by
> default).  Also, if you set `gnutls-verify-error' to t, do you get the
> corresponding error in the non-NSM flow?  "$HOSTNAME certificate could
> not be verified."

Yes:

Debugger entered--Lisp error: (error "Certificate validation failed 33.media.tumblr.com, verification code 2")
  gnutls-boot(#<process nntpd<4>> gnutls-x509pki (:priority "NORMAL" :hostname "33.media.tumblr.com" :loglevel 0 :min-prime-bits 256 :trustfiles ("/etc/ssl/certs/ca-certificates.crt") :crlfiles nil :keylist nil :verify-flags nil :verify-error t :callbacks nil))

So I think the certificate just couldn't be verified, so this bug report
is, like, totally bogus, man.

Closing.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

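Added example (not part of the thread and not code from Emacs's gnutls.c or from GnuTLS): the two messages above separate chain verification, which returned status 2, from hostname matching, which succeeded for the wildcard name. The sketch below keeps the two checks apart; the function names are hypothetical, the matcher is a simplified leftmost-label rule rather than gnutls_x509_crt_check_hostname(), and the status bits are redefined locally with the values GnuTLS gives them.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Status bits with the values GnuTLS uses in gnutls_certificate_status_t,
   redefined locally so the example builds without libgnutls. */
#define CERT_INVALID          (1u << 1)   /* 2: the code in the backtrace */
#define CERT_REVOKED          (1u << 5)
#define CERT_SIGNER_NOT_FOUND (1u << 6)
#define CERT_EXPIRED          (1u << 10)

enum verdict { TLS_OK, TLS_CHAIN_UNTRUSTED, TLS_HOSTNAME_MISMATCH };

/* Only the CERT_INVALID wording comes from the thread; the other
   descriptions are this example's own. */
struct reason { unsigned bit; const char *text; };
static const struct reason reasons[] = {
    { CERT_INVALID,          "certificate could not be verified" },
    { CERT_REVOKED,          "certificate has been revoked" },
    { CERT_SIGNER_NOT_FOUND, "certificate issuer is unknown" },
    { CERT_EXPIRED,          "certificate has expired" },
};

/* Hypothetical helper: "*.example.org" matches exactly one extra label. */
int wildcard_match(const char *pattern, const char *host)
{
    const char *suffix, *dot;

    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(pattern, host) == 0;  /* no wildcard: exact match */
    suffix = pattern + 1;                       /* ".media.tumblr.com" */
    if (strchr(suffix + 1, '.') == NULL)
        return 0;                               /* refuse "*.com" patterns */
    dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;                               /* '*' needs a non-empty label */
    return strcasecmp(dot, suffix) == 0;        /* rest must equal the suffix */
}

/* Fill out[] with one description per known status bit; return the count. */
size_t explain_status(unsigned status, const char *out[], size_t max)
{
    size_t i, n = 0;

    for (i = 0; i < sizeof reasons / sizeof reasons[0]; i++)
        if ((status & reasons[i].bit) && n < max)
            out[n++] = reasons[i].text;
    return n;
}

/* Chain trust is judged first; a matching name cannot rescue a bad chain. */
enum verdict classify(const char *cert_name, const char *host, unsigned status)
{
    if (status != 0)
        return TLS_CHAIN_UNTRUSTED;
    return wildcard_match(cert_name, host) ? TLS_OK : TLS_HOSTNAME_MISMATCH;
}

int main(void)
{
    /* Values taken from the report: wildcard name, host, status code 2. */
    const char *name = "*.media.tumblr.com", *host = "33.media.tumblr.com";
    const char *why[4];
    size_t i, n = explain_status(CERT_INVALID, why, 4);

    printf("hostname match: %s\n", wildcard_match(name, host) ? "yes" : "no");
    printf("verdict: %d\n", classify(name, host, CERT_INVALID));
    for (i = 0; i < n; i++)
        printf("reason: %s\n", why[i]);
    return 0;
}
```
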
* bug#19098: 24.4.51; gnutls.c doesn't handle wildcard certificates
From: Ted Zlatanov @ 2014-12-10 16:08 UTC
To: Lars Magne Ingebrigtsen; +Cc: 19098-done

On Mon, 08 Dec 2014 21:11:49 +0100 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote:

LMI> So I think the certificate just couldn't be verified, so this bug report
LMI> is, like, totally bogus, man.

Excellent.

LMI> Closing.

I didn't see a CC to 19098-done@debbugs.gnu.org so I'm doing it here.
If you did it in some other backchannel, how am I supposed to know?
HOW!?!?!?!?! :)

Ted

* bug#19098: 24.4.51; gnutls.c doesn't handle wildcard certificates
From: Lars Magne Ingebrigtsen @ 2014-12-10 16:27 UTC
To: 19098; +Cc: Ted Zlatanov

Ted Zlatanov <tzz@lifelogs.com> writes:

> LMI> Closing.
>
> I didn't see a CC to 19098-done@debbugs.gnu.org so I'm doing it here.
> If you did it in some other backchannel, how am I supposed to know?
> HOW!?!?!?!?! :)

I use the `C' command in the summary mode of debbugs, which sends a
message to control@debbugs or something...

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

* bug#19098: 24.4.51; gnutls.c doesn't handle wildcard certificates
From: Ted Zlatanov @ 2014-12-10 16:34 UTC
To: Lars Magne Ingebrigtsen; +Cc: 19098

On Wed, 10 Dec 2014 17:27:16 +0100 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote:

LMI> Ted Zlatanov <tzz@lifelogs.com> writes:
LMI> Closing.
>>
>> I didn't see a CC to 19098-done@debbugs.gnu.org so I'm doing it here.
>> If you did it in some other backchannel, how am I supposed to know?
>> HOW!?!?!?!?! :)

LMI> I use the `C' command in the summary mode of debbugs, which sends a
LMI> message to control@debbugs or something...

I usually don't use debbugs, but instead read
nntp+news.gmane.org:gmane.emacs.bugs

It would be nice if I could add something to Gnus to tell me the state
of the bug, even outside of debbugs.

Ted

* bug#19098: 24.4.51; gnutls.c doesn't handle wildcard certificates
From: Lars Ingebrigtsen @ 2014-12-21 12:10 UTC
To: 19098

Ted Zlatanov <tzz@lifelogs.com> writes:

> It would be nice if I could add something to Gnus to tell me the state
> of the bug, even outside of debbugs.

The debbugs interface is basically one mbox file per bug.  The state of
the bug is in the first "email" in that mbox file.  So Gnus would have
to pull down that mbox file to determine the state of the bug.

I think the right solution here is "just use debbugs-gnu".  :-)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog http://lars.ingebrigtsen.no/

* bug#19098: 24.4.51; gnutls.c doesn't handle wildcard certificates
From: Ted Zlatanov @ 2014-12-24 12:49 UTC
To: Lars Ingebrigtsen; +Cc: 19098

On Sun, 21 Dec 2014 13:10:59 +0100 Lars Ingebrigtsen <larsi@gnus.org> wrote:

LI> Ted Zlatanov <tzz@lifelogs.com> writes:
>> It would be nice if I could add something to Gnus to tell me the state
>> of the bug, even outside of debbugs.

LI> The debbugs interface is basically one mbox file per bug.  The state of
LI> the bug is in the first "email" in that mbox file.  So Gnus would have
LI> to pull down that mbox file to determine the state of the bug.

LI> I think the right solution here is "just use debbugs-gnu".  :-)

...but it's sooooo close to being a proper Gnus backend!  Have mercy!

(Hmmm, could it be a plugin backend?  I think that would be a first.)

Ted