From mboxrd@z Thu Jan 1 00:00:00 1970
X-Msuck: nntp://news.gmane.io/gmane.emacs.gnus.general/79620
Path: news.gmane.org!not-for-mail
From: Romain Francoise
Newsgroups: gmane.emacs.gnus.general
Subject: Built-in TLS vs. nnimap security
Date: Mon, 08 Aug 2011 13:44:43 +0200
Organization: orebokech dot com
Message-ID: <87pqkgf7pw.fsf@silenus.orebokech.com>
NNTP-Posting-Host: lo.gmane.org
Mime-Version: 1.0
Content-Type: text/plain
X-Trace: dough.gmane.org 1312813931 31008 80.91.229.12 (8 Aug 2011 14:32:11 GMT)
X-Complaints-To: usenet@dough.gmane.org
NNTP-Posting-Date: Mon, 8 Aug 2011 14:32:11 +0000 (UTC)
To: ding@gnus.org
Original-X-From: ding-owner+M27916@lists.math.uh.edu Mon Aug 08 16:32:07 2011
Return-path:
Envelope-to: ding-account@gmane.org
Original-Received: from util0.math.uh.edu ([129.7.128.18]) by lo.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1QqQs8-0005wv-Ez for ding-account@gmane.org; Mon, 08 Aug 2011 16:32:04 +0200
Original-Received: from localhost ([127.0.0.1] helo=lists.math.uh.edu) by util0.math.uh.edu with smtp (Exim 4.63) (envelope-from ) id 1QqQrJ-00053M-38; Mon, 08 Aug 2011 09:31:13 -0500
Original-Received: from mx2.math.uh.edu ([129.7.128.33]) by util0.math.uh.edu with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63) (envelope-from ) id 1QqOGL-0004Ph-J7 for ding@lists.math.uh.edu; Mon, 08 Aug 2011 06:44:53 -0500
Original-Received: from quimby.gnus.org ([80.91.231.51]) by mx2.math.uh.edu with esmtps (TLSv1:AES256-SHA:256) (Exim 4.76) (envelope-from ) id 1QqOGJ-0007Ms-UW for ding@lists.math.uh.edu; Mon, 08 Aug 2011 06:44:52 -0500
Original-Received: from smtp6-g21.free.fr ([212.27.42.6]) by quimby.gnus.org with esmtp (Exim 4.72) (envelope-from ) id 1QqOGH-0006Zp-3R for ding@gnus.org; Mon, 08 Aug 2011 13:44:49 +0200
Original-Received: from silenus.orebokech.com (unknown [82.67.41.165]) by smtp6-g21.free.fr (Postfix) with ESMTP id BDA3282257 for ; Mon, 8 Aug 2011 13:44:44 +0200 (CEST)
Original-Received: by silenus.orebokech.com (Postfix, from userid 1000) id 781002E012B; Mon, 8 Aug 2011 13:44:43 +0200 (CEST)
X-Face: }9mYu,e_@+e!`Z-P5kVXa3\_b:hdJ"B)ww[&=b<2=awG:GOIM
Precedence: bulk
Xref: news.gmane.org gmane.emacs.gnus.general:79620
Archived-At:

Is it a feature or a bug that when the built-in GnuTLS support is loaded in Emacs, nnimap happily connects to my test imaps server even though the certificate is self-signed and doesn't match the hostname?

Apparently it's because nnimap uses `open-gnutls-stream' (via network-stream.el), which doesn't enable any of the verification flags...

In the old world of tls.el, it was possible to get a secure connection by setting `tls-checktrust' and removing --insecure from the `tls-program' invocation. How can I get that back?

Actually, shouldn't `open-gnutls-stream' do these checks by default anyway? It's a new implementation, it doesn't have to follow the (poor) historical defaults set by tls.el.
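The two configurations the post contrasts, written out as an added example (this is not code from the post, from Gnus or from Emacs itself). The first part is the tls.el route: `tls-checktrust` and a `tls-program` entry without `--insecure`, so that gnutls-cli's own verification result is honoured. The second part is the built-in GnuTLS route: `gnutls-negotiate` from Emacs 24's gnutls.el, called with the `:verify-error` and `:verify-hostname-error` keywords that `open-gnutls-stream` of that era did not set. The function name `my-open-verified-tls-stream` and the host name `imap.example.invalid` are placeholders chosen for the example.

```elisp
;;; Added example, not part of the original post.
;;; Goal: refuse an IMAP-over-TLS connection whose certificate is not
;;; trusted or does not match the host name, instead of silently accepting it.

;; --- 1. The tls.el route referred to in the post -------------------------
;; `tls-checktrust' makes tls.el act on gnutls-cli's trust verdict (t = refuse
;; untrusted certificates, `ask' = prompt).  The invocation must NOT carry
;; --insecure, otherwise gnutls-cli never reports the failure at all.
(require 'tls)
(setq tls-checktrust t)
(setq tls-program
      '("gnutls-cli -p %p %h"))   ; default entry minus --insecure

;; --- 2. The built-in GnuTLS route ------------------------------------------
;; `open-gnutls-stream' in Emacs 24.1 called `gnutls-negotiate' with only
;; :process, :type and :hostname, so the handshake succeeded regardless of the
;; verification result.  Passing :verify-error / :verify-hostname-error makes
;; `gnutls-negotiate' signal an error instead of returning the process.
(require 'gnutls)

(defun my-open-verified-tls-stream (name buffer host service)
  "Open a TLS connection to HOST:SERVICE that fails on an untrusted
or host-mismatched certificate.  Placeholder name; same signature as
`open-gnutls-stream'."
  (gnutls-negotiate :process (open-network-stream name buffer host service)
                    :type 'gnutls-x509pki
                    :hostname host
                    :trustfiles gnutls-trustfiles   ; CA bundle paths, gnutls.el default
                    :verify-error t                 ; chain must validate
                    :verify-hostname-error t))      ; CN/SAN must match HOST

;; Usage (placeholder host): a self-signed or mismatched certificate now
;; produces a `gnutls-error' rather than a working, unauthenticated session.
;; (my-open-verified-tls-stream "imaps" "*imaps*" "imap.example.invalid" 993)
```

Two caveats a reader applying this should know. First, in the tls.el setup the `openssl s_client` entry that ships in the default `tls-program` list has been left out deliberately: s_client does not check the host name, so keeping it as a fallback would reintroduce the gap the post complains about. Second, nnimap reaches `open-gnutls-stream` through network-stream.el rather than calling it directly, so the wrapper above is a way to test a server's certificate from Emacs, not a drop-in replacement inside nnimap; later Emacs releases (24.4 onward) added the `gnutls-verify-error` user option so that `open-gnutls-stream` itself can be told to fail on verification errors.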