From: David Engster
Newsgroups: gmane.emacs.gnus.general
Subject: Re: tls-program
Date: Sun, 19 Sep 2010 19:42:44 +0200
Message-ID: <87k4mh1vfv.fsf@randomsample.de>
To: ding@gnus.org
In-Reply-To: (Lars Magne Ingebrigtsen's message of "Sun, 19 Sep 2010 15:27:39 +0200")
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.2 (gnu/linux)

Lars Magne Ingebrigtsen writes:
> Steinar Bang writes:
>
>> So they are the typical case for someone with a private dovecot imap
>> server, running on a debian box somewhere.
>
> Yes, that's what I would have imagined.

gnutls-cli accepts self-signed certificates by default:

- The hostname in the certificate matches 'mydomain.foobar'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted

but it continues anyway. I think it only balks when you explicitly specify
your trusted CAs through --x509cafile or something similar. If you specify
your trusted CAs, it seems you can set tls-checktrust to 'ask and get a
behavior similar to Thunderbird's et al.

However, a hostname mismatch is not tolerated, and can only be overridden
with --insecure. This shouldn't be the default, though. OpenSSL indeed
always continues by default, but I think a hostname mismatch should at
least be warned about.

-David
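The message separates two independent verification results (does the hostname match, and is the chain trusted) and argues they deserve different handling. The following is an added example, not code from the thread or from Gnus/tls.el: it parses gnutls-cli-style verification lines (the sample outputs are constructed, modelled on the three lines quoted above) and applies that policy, with `checktrust` standing in for the three values of Emacs' `tls-checktrust` (nil, 'ask, t) and `insecure` for gnutls-cli's --insecure.

```python
# Constructed sample outputs, modelled on the gnutls-cli verification lines
# quoted in the message above; they were not captured from a real server.
OUTPUT_SELF_SIGNED = """\
- The hostname in the certificate matches 'mydomain.foobar'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
"""
OUTPUT_HOSTNAME_MISMATCH = """\
- The hostname in the certificate does NOT match 'mydomain.foobar'.
- Peer's certificate is trusted
"""
OUTPUT_CLEAN = """\
- The hostname in the certificate matches 'mydomain.foobar'.
- Peer's certificate is trusted
"""


def parse_verification(output):
    """Extract the two independent findings from the verification block:
    (hostname_ok, trusted). Either is None if its line is missing."""
    hostname_ok = None
    trusted = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("- The hostname in the certificate"):
            hostname_ok = "does NOT match" not in line
        elif "issuer is unknown" in line:       # check before the 'is ' prefix
            trusted = False
        elif line.startswith("- Peer's certificate is "):
            trusted = "NOT trusted" not in line
    return hostname_ok, trusted


def decide(output, checktrust="ask", insecure=False):
    """Policy argued for in the thread: a hostname mismatch is a hard failure
    unless explicitly overridden, and even then it is surfaced as a warning;
    an untrusted chain is handled per checktrust (None / "ask" / True),
    mirroring tls-checktrust's nil / 'ask / t. Returns ok|warn|ask|reject."""
    hostname_ok, trusted = parse_verification(output)
    if hostname_ok is None or trusted is None:
        return "reject"                 # unparseable block: fail closed
    if not hostname_ok:
        return "warn" if insecure else "reject"
    if trusted:
        return "ok"
    if checktrust is None:
        return "warn"                   # continue, but never silently
    if checktrust == "ask":
        return "ask"
    return "reject"
```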