On Sun, 08 Dec 2013 09:39:23 +0100 Vincent Bernat wrote:

VB> ❦ 8 December 2013 05:22 CET, Ted Zlatanov:
VB>
>>>> Verification options could be:
>>>>
>>>> - `expired-certificate`
>>>> - `revoked-certificate`
>>>> - `untrusted-certificate`
>>>> - `hostname-mismatch`
>>
>> I'm not sure this granularity is necessary. I just have :trustfiles and
>> :hostname as options right now. Anyone else with an opinion?

VB> I thought you wanted something granular, hence the proposition. I don't
VB> know of any other software proposing granular verification. So, no
VB> problem with dropping this.

Yeah, I went back and forth. I think two (:trustfiles and :hostname)
verification options are the right balance for now. I couldn't think of
any cases where I'd want more granularity, but that's why I'm asking :)

>> My concern is that suddenly connections will start failing for our users
>> and bug reports will flow, and I don't have time to explain to everyone
>> why their self-signed certificates need exceptions. This can be really,
>> really annoying. But logging in *Messages* is not very useful either,
>> users don't read it. So what's the right thing? How about a default
>> behavior of flashing a warning, then sit-for 3 seconds? A hard error
>> can be optional but not the default.

VB> For a first release, just default to the previous behaviour. However,
VB> some day, it would be nice to be "secure by default".

http://debbugs.gnu.org/13374 and other related bugs are about enabling
"secure by default" and I would like to make that change now, before the
Emacs code freeze.

It feels like the sit-for option is safest. It preserves the current
behavior while forcing the user to notice something's wrong. In the next
release, based on user feedback, we can turn verify-error on. If no one
disagrees, I will implement it on top of the patch attached here.

>> I'm also not sure I like the look and feel of the `gnutls-verify-error'
>> defcustom. It's kind of awkward.

VB> I don't know defcustom well enough to know if this would give something
VB> like this:
VB>
VB> '((".*\\.internal" :hostname)
VB>   (".*" :trustfiles :hostname))
VB>
VB> If yes, this seems fine for me. Just add the possible values for tags in
VB> the document string.

Yes, except the cdr is a nested list because I use the "set"
customization type. So it's

'((".*" (:hostname :trustfiles)))

>> I'd like to get this done before the Emacs code freeze next week or so.
>> Please give me your opinions and test the code.

VB> I'll try to test later this day.

Thanks. Posting patch to emacs-devel as well for review and feedback.

Ted
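The value shape and the soft-fail default discussed in this message, as an added Emacs Lisp example that is not part of the thread or of the patch Ted attached (the patch itself is not reproduced on this page). It models `gnutls-verify-error` the way Ted describes it, a list of (HOST-REGEXP (CHECK ...)) entries with :trustfiles and :hostname as the only checks, and contrasts the proposed default (visible warning, then sit-for 3 seconds, connection continues) with an opt-in hard error. Everything prefixed `example-` is a hypothetical name, the sample value is constructed, and the first-match resolution rule is an assumption: the thread does not say whether a host matching several entries gets the first match or the union of all of them, and that choice decides whether the `.internal` exception actually narrows the checks.

```elisp
;;; Added example, not code from the thread or from the patch it mentions.
;;; Run with: emacs --batch -l this-file.el --eval '(example-demo)'

(require 'seq)

(defconst example-all-checks '(:trustfiles :hostname)
  "The two verification checks the thread settles on.")

(defvar example-gnutls-verify-error
  ;; Order matters under the first-match rule assumed below: the
  ;; specific `.internal' entry must precede the catch-all.  If entries
  ;; were instead unioned, the ".*" entry would add :trustfiles to every
  ;; internal host and the self-signed exception would be moot.
  '(("\\.internal\\'" (:hostname))
    (".*" (:trustfiles :hostname)))
  "Constructed sample value in the nested-list shape from the message:
internal hosts use self-signed certificates, so only check that the
certificate matches the name; every other host gets both checks.")

(defun example-checks-for-host (hostname table)
  "Return the checks to run for HOSTNAME according to TABLE.
TABLE is t (all checks), nil (no checks, the pre-patch behaviour) or a
list shaped like `example-gnutls-verify-error'.  The first entry whose
regexp matches HOSTNAME wins (an assumption, see above); no match means
no checks."
  (cond ((eq table t) example-all-checks)
        ((null table) nil)
        (t (let ((entry (seq-find (lambda (e) (string-match-p (car e) hostname))
                                  table)))
             (and entry (cadr entry))))))

(defun example-verification-outcome (hostname failed-checks table
                                              &optional hard-error)
  "Decide what to do when FAILED-CHECKS did not pass for HOSTNAME.
Only failures the user asked for via TABLE count.  By default the
connection proceeds after a visible warning and a 3 second `sit-for',
the soft default proposed in the thread; with HARD-ERROR non-nil an
error is signalled instead.  Returns `ok' or `warned'."
  (let ((relevant (seq-intersection failed-checks
                                    (example-checks-for-host hostname table))))
    (cond ((null relevant) 'ok)
          (hard-error
           (error "Certificate verification failed for %s: %S" hostname relevant))
          (t (display-warning
              'gnutls
              (format "%s: certificate verification failed (%S), continuing anyway"
                      hostname relevant))
             (sit-for 3)
             'warned))))

(defun example-demo ()
  "Walk through the three cases with the constructed table."
  (let ((table example-gnutls-verify-error))
    ;; Internal host, self-signed: only :hostname is enforced, so a
    ;; :trustfiles failure is ignored and the connection is fine.
    (message "internal, chain untrusted -> %S"
             (example-verification-outcome "git.corp.internal" '(:trustfiles) table))
    ;; Public host with the soft default: warn, wait 3 s, continue.
    (message "public, chain untrusted -> %S"
             (example-verification-outcome "www.example.org" '(:trustfiles) table))
    ;; Same failure with the opt-in hard error: the connection is refused.
    (message "public, hard error -> %S"
             (condition-case err
                 (example-verification-outcome "www.example.org" '(:trustfiles) table t)
               (error (error-message-string err))))))
```

`(example-checks-for-host "git.corp.internal" example-gnutls-verify-error)` gives `(:hostname)` and the same call for `"www.example.org"` gives `(:trustfiles :hostname)`. The point to carry back to the real defcustom is the matching rule: whichever the patch implements, the docstring should say so, because an exception entry that is silently unioned with the catch-all never relaxes anything.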