From: Vincent Bernat
Newsgroups: gmane.emacs.gnus.general
Subject: Builtin GnuTLS support and certificate verification
Date: Sat, 02 Nov 2013 12:22:41 +0100
Message-ID: <87iowbt5dq.fsf@guybrush.luffy.cx>
To: ding@gnus.org
Hi!

Now that Gnus is able to use the builtin TLS support shipped with Emacs, we have no way to verify the remote certificate, which leaves us open to man-in-the-middle attacks. Previously, changing `tls-program` to not use the `--insecure` switch made the deal.

Emacs builtin GNU TLS support allows certificate verification, but each application needs to enable it explicitly. I didn't find any user switch to enable it globally or per application. Of all the applications using GNU TLS, I have not found any that enables this certificate verification stuff.

Is there a way to enable certificate verification for Gnus? If not, is there a way to force the old way to do TLS (by using an external program)?

-- 
Make sure all variables are initialised before use.
 - The Elements of Programming Style (Kernighan & Plauger)
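As an added illustration (not part of Vincent's message, and not code from Gnus or Emacs itself), here is what the two setups look like side by side in an init file: a `tls-program` entry carrying the `--insecure` switch, a hardened external-program entry that verifies against a CA bundle and makes `tls.el` abort on trust failures, and the builtin GnuTLS variables `gnutls-verify-error` and `gnutls-trustfiles`, which are assumed to be available in the reader's Emacs release. The CA bundle path is an assumption for a Debian-style system.

```elisp
;; Added example, not part of the original message. The CA bundle path is
;; an assumption for a Debian-style system; adjust it for your platform.

;; Weak: with --insecure, gnutls-cli never verifies the server certificate,
;; so any on-path party can present its own certificate unnoticed.
(setq tls-program
      '("gnutls-cli --insecure -p %p %h"))

;; Hardened external path: drop --insecure, give gnutls-cli a CA bundle to
;; verify against, and tell tls.el to abort the connection when the
;; certificate is untrusted or the hostname does not match.
(setq tls-program
      '("gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h"))
(setq tls-checktrust t)

;; Builtin GnuTLS path (assumed available in the Emacs in use): make
;; verification errors fatal for every host and use the same CA bundle.
(setq gnutls-verify-error t)
(setq gnutls-trustfiles '("/etc/ssl/certs/ca-certificates.crt"))
```

A quick check that the hardened settings actually bite is to point Gnus at a server whose certificate is self-signed or expired: with the weak entry the connection silently succeeds, with either hardened setup it fails to open.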