From: Julien Danjou
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Builtin GnuTLS support and certificate verification
Date: Sat, 16 Nov 2013 14:11:33 +0100
To: Vincent Bernat
Cc: ding@gnus.org

On Sat, Nov 16 2013, Vincent Bernat wrote:

> By default, I would see that all checks are enabled by default: the
> certificate has not expired, the hostname matches and the certificate is
> signed by a known authority (certificates in `gnutls-trustfiles`).

+1

> When something goes wrong, we get a buffer with the certificate in
> "clear text" (like openssl x509 -in ... -noout -text). If needed, this
> is something that I can dig and provide C code for GNU TLS. This output
> contains the certificate fingerprint.
>
> A user has the possibility to whitelist the fingerprint and bypass any
> test. We should have both a `gnutls-whitelist-certificates` variable and
> an option to override this whitelist when using gnutls-negotiate. The
> rationale is that we can't expect all gnutls-negotiate users to
> implement whitelisting.
>
> I think that whitelisting by fingerprint is an improvement over what is
> currently done by browsers, which whitelist a whole domain without
> pinning the certificate.
>
> In the same way as for whitelisting, default verification options should
> be a variable with the possibility to override it by using the appropriate
> option of `gnutls-negotiate`.
>
> Verification options could be:
>
> - `expired-certificate`
> - `revoked-certificate`
> - `untrusted-certificate`
> - `hostname-mismatch`

I think this is a really good idea and I've been waiting for that for a
long time. Since I don't have time to do this myself currently, consider
this message as strong support. \o/

I'd be happy to help and test as far as I can.

-- 
Julien Danjou
-- Free Software hacker - independent consultant
-- http://julien.danjou.info
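The verification policy Vincent proposes above (default checks in a variable, per-call override through `gnutls-negotiate`, fingerprint whitelist that a caller may refuse), as an added Emacs Lisp sketch that is not code from Gnus, Emacs or either poster. Apart from `gnutls-whitelist-certificates`, which is the name proposed in the thread, the `my-` function, the `gnutls-default-verify-errors` variable, the keyword arguments and the use of the thread's option symbols as stand-ins for GnuTLS verification results are assumptions of this example.

```elisp
;; Added sketch of the policy proposed in the thread, not Gnus or Emacs code.
;; Certificate problems are modelled as the thread's option symbols so the
;; logic runs without a live GnuTLS session (an assumption of this example).

(defvar gnutls-whitelist-certificates nil
  "Fingerprints (strings, as shown in the certificate buffer) that bypass
every check.")

(defvar gnutls-default-verify-errors
  '(expired-certificate revoked-certificate
    untrusted-certificate hostname-mismatch)
  "Problems that abort the connection unless a caller overrides them.")

(defun my-gnutls-check-peer (warnings fingerprint &rest args)
  "Decide whether a peer certificate is acceptable.
WARNINGS lists the problems reported for the certificate, FINGERPRINT is
its fingerprint.  ARGS mirrors keywords a caller such as
`gnutls-negotiate' could pass: :verify-errors LIST replaces
`gnutls-default-verify-errors' for this call (nil disables all checks),
:ignore-whitelist non-nil refuses fingerprint bypass.
Return t when acceptable, else the list of fatal problems so the caller
can show them next to the certificate dump."
  (let* ((override (plist-member args :verify-errors))
         (fatal (if override (cadr override) gnutls-default-verify-errors))
         errors)
    (if (and (not (plist-get args :ignore-whitelist))
             (member fingerprint gnutls-whitelist-certificates))
        t
      ;; Only problems the active policy treats as fatal are reported;
      ;; anything else is a warning the caller may log instead.
      (dolist (w warnings)
        (when (memq w fatal) (push w errors)))
      (if errors (nreverse errors) t))))

;; Constructed usage.  An expired, self-signed certificate is rejected by
;; default, accepted once its fingerprint is whitelisted, and rejected
;; again by a caller that opts out of the whitelist.
(my-gnutls-check-peer '(expired-certificate untrusted-certificate)
                      "SHA256:EXAMPLE-FINGERPRINT")
(let ((gnutls-whitelist-certificates '("SHA256:EXAMPLE-FINGERPRINT")))
  (list (my-gnutls-check-peer '(expired-certificate untrusted-certificate)
                              "SHA256:EXAMPLE-FINGERPRINT")
        (my-gnutls-check-peer '(expired-certificate untrusted-certificate)
                              "SHA256:EXAMPLE-FINGERPRINT"
                              :ignore-whitelist t)))
;; A caller that only needs the chain of trust demotes hostname mismatch
;; to a non-fatal warning by narrowing the fatal set for this call.
(my-gnutls-check-peer '(hostname-mismatch) "SHA256:OTHER-FINGERPRINT"
                      :verify-errors '(untrusted-certificate))
```

Evaluating the forms in `ielm` or with `M-x eval-buffer` shows the three outcomes; the fingerprint strings are constructed placeholders, not real certificate values.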