From: Ted Zlatanov
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Builtin GnuTLS support and certificate verification
Date: Mon, 04 Nov 2013 16:10:49 -0500
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <87li13q3dy.fsf@flea.lifelogs.com>
References: <87iowbt5dq.fsf@guybrush.luffy.cx> <878ux782na.fsf@dex.adm.naquadah.org> <874n7uu2gg.fsf@guybrush.luffy.cx> <87txftsnub.fsf@flea.lifelogs.com>
Reply-To: ding@gnus.org
To: ding@gnus.org
Mail-Followup-To: ding@gnus.org
User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)

On Mon, 04 Nov 2013 20:54:26 +0100 Vincent Bernat wrote:

VB> I agree with you but I find it odd to have two verification algorithms. I
VB> don't see the point of verifying the hostname if the certificate is
VB> invalid on some other points and I don't see the point of not verifying
VB> the hostname.

IIRC, the hostname is an optional part of a certificate and certificates
are not the only form of authentication. So there are two cases (verify
connection and verify certificate hostname).

VB> I mean, if you accept any valid certificate, it is trivial for me to
VB> present you with the certificate of my website. If you accept any
VB> invalid certificate with the right hostname, it is also trivial for me
VB> to build a self-signed certificate with the right hostname.

I think verifying the hostname is a subset of verifying the remote in
general. I just didn't express it well.

VB> So, for me, there should be only one verification algorithm. We are not
VB> in the ideal case for this because we only have one algorithm but its
VB> name does not exactly describe it.

VB> Maybe you could just alias verify-error and verify-hostname-error and
VB> say in the documentation that they do the same and that
VB> verify-hostname-error will be removed at some point?

I think :verify-error should be a list; when it contains 'x509-hostname
then we behave like :verify-hostname-error does now, for backwards
compatibility. But otherwise we'll add extra checks to the list, not as
top-level options to `gnutls-boot'. It's easy to put a Customize
interface on top of that.

Ted
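An added illustration of the list-valued :verify-error that Ted sketches, with the legacy :verify-hostname-error flag folded into it; this is not code from gnutls.el or from anyone in the thread, and the function names, the `x509-trust' symbol and the STATUS plist keys are assumptions.

```elisp
;; Added example, not gnutls.el code: the list-valued :verify-error
;; sketched above, with the legacy :verify-hostname-error folded in.
;; Names (`my-gnutls-*', `x509-trust', the STATUS plist keys) are hypothetical.

(defun my-gnutls-normalize-verify-error (verify-error verify-hostname-error)
  "Fold the legacy VERIFY-HOSTNAME-ERROR flag into the VERIFY-ERROR list.
VERIFY-ERROR is a list of check symbols such as `x509-trust' and
`x509-hostname'.  A non-nil VERIFY-HOSTNAME-ERROR adds `x509-hostname',
so old callers keep their behaviour."
  (let ((checks (and (listp verify-error) verify-error)))
    (when (and verify-hostname-error (not (memq 'x509-hostname checks)))
      (setq checks (cons 'x509-hostname checks)))
    checks))

(defun my-gnutls-verify-failures (checks status)
  "Return the members of CHECKS that fail according to STATUS.
STATUS is a plist of results the TLS layer would report: `:trusted'
(the chain validates against the trust store) and `:hostname-match'
(the certificate name matches the peer).  Unknown symbols are ignored,
so new checks can be added to the list without touching `gnutls-boot'."
  (let (failed)
    (dolist (check checks)
      (cond ((and (eq check 'x509-trust)
                  (not (plist-get status :trusted)))
             (push check failed))
            ((and (eq check 'x509-hostname)
                  (not (plist-get status :hostname-match)))
             (push check failed))))
    (nreverse failed)))

(defun my-gnutls-check-connection (verify-error verify-hostname-error status)
  "Signal an error if any requested check fails; return t otherwise."
  (let ((failed (my-gnutls-verify-failures
                 (my-gnutls-normalize-verify-error verify-error
                                                   verify-hostname-error)
                 status)))
    (when failed
      (error "TLS verification failed: %S" failed))
    t))

;; Constructed STATUS for the case Vincent describes: a self-signed
;; certificate carrying the right hostname.
(let ((self-signed '(:trusted nil :hostname-match t)))
  ;; Legacy call, hostname check only: this connection is accepted.
  (my-gnutls-check-connection nil t self-signed)
  ;; Both checks in the list: `x509-trust' fails and an error is signalled.
  (condition-case err
      (my-gnutls-check-connection '(x509-trust x509-hostname) nil self-signed)
    (error (message "%s" (error-message-string err)))))
```

Evaluating the buffer shows the two outcomes side by side: the legacy hostname-only call returns t, while the list form rejects the untrusted chain even though the name matches.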