From: arno@natisbad.org (Arnaud Ebalard)
To: Matthias Andree <matthias.andree@gmx.de>
Cc: Simon Josefsson <simon@josefsson.org>,
Daiki Ueno <ueno@unixuser.org>,
RISKO Gergely <risko@debian.org>,
ding@gnus.org
Subject: Re: Bug#499774: starttls is a joke
Date: Wed, 08 Oct 2008 13:55:34 +0200 [thread overview]
Message-ID: <87fxn7qp1l.fsf@natisbad.org> (raw)
In-Reply-To: <48EC8F3D.1080908@gmx.de> (Matthias Andree's message of "Wed, 08 Oct 2008 12:45:17 +0200")
Hi,
Matthias Andree <matthias.andree@gmx.de> writes:
> Comments:
> - the command line (l. 3) does not define trust anchors.
> Particularly, there is no "--x509cafile /path/to/file.pem" option.
> - gnutls-cli v2.4.1 figures that it doesn't trust the issuer, ll. 8 & 9.
> - at that point in time, gnutls-cli should drop the connection. Instead, it
> continues.
>
> Desired behaviour/Goals:
> - gnutls-cli should drop the connect somewhen between lines 9 and 16, and
> should NOT enter forwarding/simple client state.
> - if clients want unsafe behaviour, they should be made to specify that in
> some way, and the program defaults should be "safest possible" mode
> - it may make sense that gnutls-cli doesn't even try to connect/handshake
> if it has
> * neither "trust anchors" such as the --x509cafile
> * nor some --unsafely-skip-cert-validation command line option.
> - man page, help output and manual should be consistent, example (2.4.1
> manpage of gnutls-cli):
>
> --x509cafile FILE
> Certificate file to use.
>
> --x509certfile FILE
> X.509 Certificate file to use.
>
> --x509fmtder
> Use DER format for certificates
>
> --x509keyfile FILE
> X.509 key file to use.
>
> This is pure crap^W^Wutterly unintelligible. What's the difference between
> --x509cafile and --x509certfile? It should read something like
> "--x509cafile: file that lists all Certification Authority (CA)
> certificates that gnutls-cli is allowed to trust. If this option is
> omitted, gnutls-cli will accept unsafe connections and trust any CA
> certificate. For secure operation, be sure to specify this option."
It would be better to have it fail when someone does not provide a
set of trust anchors. Then adding something --verify-peer (is there
something like that already?) with a default to "yes" that can be set to
"no" or something else when someone _*explicitly*_ asks for an insecure
behavior. I know for sure that GnuTLS internally support such a knob.
> Further consideration:
> - if the defaults are changed to "safe" mode, it may be sensible to rename
> the tool to gnutls-safe-client or something better.
Worst case scenario would that things would be safer.
Cheers,
a+
next prev parent reply other threads:[~2008-10-08 11:55 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-22 8:52 Arnaud Ebalard
2008-09-22 9:13 ` RISKO Gergely
2008-09-22 9:49 ` Arnaud Ebalard
2008-09-22 10:43 ` Arnaud Ebalard
2008-09-22 16:15 ` Reiner Steib
2008-09-22 16:38 ` Simon Josefsson
2008-09-22 17:48 ` Arnaud Ebalard
2008-10-02 10:04 ` Simon Josefsson
2008-10-07 20:43 ` Matthias Andree
2008-10-07 22:41 ` Simon Josefsson
2008-10-08 10:45 ` Matthias Andree
2008-10-08 11:55 ` Arnaud Ebalard [this message]
2008-10-07 20:41 ` Matthias Andree
2008-10-08 5:54 ` Arnaud Ebalard
2008-09-23 17:18 ` Riskó Gergely
2008-09-23 14:43 ` Uwe Brauer
2008-09-24 3:39 ` Sebastian Krause
2008-09-26 13:19 ` Uwe Brauer
2008-09-26 13:25 ` Sebastian Krause
2008-09-26 21:16 ` Uwe Brauer
2008-09-26 23:27 ` Sebastian Krause
2008-09-26 15:09 ` Magnus Henoch
2008-09-26 21:14 ` Uwe Brauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87fxn7qp1l.fsf@natisbad.org \
--to=arno@natisbad.org \
--cc=ding@gnus.org \
--cc=matthias.andree@gmx.de \
--cc=risko@debian.org \
--cc=simon@josefsson.org \
--cc=ueno@unixuser.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).