From: Ted Zlatanov
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Builtin GnuTLS support and certificate verification
Date: Sun, 03 Nov 2013 06:53:48 -0500
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <87txftsnub.fsf@flea.lifelogs.com>
References: <87iowbt5dq.fsf@guybrush.luffy.cx> <878ux782na.fsf@dex.adm.naquadah.org> <874n7uu2gg.fsf@guybrush.luffy.cx>
Reply-To: ding@gnus.org
To: ding@gnus.org
User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)

On Sat, 02 Nov 2013 18:40:31 +0100 Vincent Bernat wrote:

VB> ❦ 2 November 2013 12:27 CET, Julien Danjou :
>>> Is there a way to enable certificate verification for Gnus? If not, is
>>> there a way to force the old way to do TLS (by using an external
>>> program)?
>>
>> This has been on my TODO list a year. There was a thread I launched on
>> emacs-devel about that a year ago with Ted:
>>
>> http://lists.gnu.org/archive/html/emacs-devel/2012-09/msg00154.html
>> http://lists.gnu.org/archive/html/emacs-devel/2012-12/msg00575.html
>>
>> I didn't have time to dig since then, but I'd appreciate any hint on
>> this subject. :)

VB> OK, I have just tested myself with:
VB> #v+
VB> (gnutls-negotiate
VB>  :process (open-network-stream "test" nil "www.dailymotion.com" 443)
VB>  :hostname "www.dailymotion.com"
VB>  :verify-hostname-error t
VB>  :verify-error t)
VB> #v-
VB> I don't know what "verify-error" is for since verify-hostname-error
VB> seems to handle any error like certificate expired, mismatched name or
VB> unknown root certificate.

According to gnutls.el:gnutls-negotiate:

    When VERIFY-HOSTNAME-ERROR is not nil, an error will be raised when the
    hostname does not match the presented certificate's host name. The exact
    verification algorithm is a basic implementation of the matching described
    in RFC2818 (HTTPS), which takes into account wildcards, and the
    DNSName/IPAddress subject alternative name PKIX extension. See GnuTLS'
    gnutls_x509_crt_check_hostname for details.

    When VERIFY-HOSTNAME-ERROR is nil, only a warning will be issued.

    When VERIFY-ERROR is not nil, an error will be raised when the peer
    certificate verification fails as per GnuTLS'
    gnutls_certificate_verify_peers2. Otherwise, only warnings will be shown
    about the verification failure.

`verify-error', however, is missing from the docstring of gnutls.c:gnutls-boot
and there's just a commented-out line in the function:

    /* Lisp_Object verify_error; */

and the verification code, as you observed, does all the peer verification
based on `verify-hostname-error'. I think this is my error; this code:

    if (peer_verification != 0)
      {
        if (NILP (verify_hostname_error))
          GNUTLS_LOG2 (1, max_log_level, "certificate validation failed:",
                       c_hostname);
        else
          {
            emacs_gnutls_deinit (proc);
            error ("Certificate validation failed %s, verification code %d",
                   c_hostname, peer_verification);
          }
      }

should have been using `verify_error' instead.

Could you double-check my investigation and confirm? If you agree, I will make
the change and update the bug report.

VB> It works for me. Now, if I understand correctly, you are also trying to
VB> use `:trustfiles`.
VB> #v+
VB> (gnutls-negotiate
VB>  :process (open-network-stream "test" nil "awesome.naquadah.org" 443)
VB>  :hostname "awesome.naquadah.org"
VB>  :verify-hostname-error t
VB>  :verify-error t)
VB> #v-
VB> I get an error. Now, I extract the certificate and specify it with
VB> trustfiles option:
VB> #v+
VB> (gnutls-negotiate
VB>  :process (open-network-stream "test" nil "awesome.naquadah.org" 443)
VB>  :hostname "awesome.naquadah.org"
VB>  :trustfiles '("/home/bernat/tmp/root.crt")
VB>  :verify-hostname-error t
VB>  :verify-error t)
VB> #v-
VB> And it works.

There is a default list of trustfiles in `gnutls-trustfiles'. It will be used
in the first case you show.

Ted
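The gating mix-up discussed in this message, modelled as an added example that is not code from Emacs or from the thread: the two flags are plain booleans, `peer_verification` stands in for the GnuTLS chain status (nonzero means failed, as in the quoted snippet) and `hostname_ok` for the RFC 2818 name check, so the shipped and corrected decisions can be compared side by side.

```c
/* Added example (not Emacs or thread code): models the post-handshake
 * decision in gnutls.c with the two flags from the thread as booleans.
 * peer_verification: GnuTLS chain status, nonzero = failed (constructed).
 * hostname_ok: result of the RFC 2818 style name check (constructed). */
#include <stdbool.h>
#include <stdio.h>

/* What the connection does after verification. */
enum gnutls_action { ACTION_OK = 0, ACTION_WARN = 1, ACTION_ERROR = 2 };

static enum gnutls_action worst_of(enum gnutls_action a, enum gnutls_action b)
{
    return a > b ? a : b;
}

/* Behaviour quoted in the thread: both a chain failure and a name mismatch
 * are gated by verify_hostname_error; verify_error is never read because its
 * Lisp_Object is commented out. */
enum gnutls_action verify_as_shipped(unsigned peer_verification, bool hostname_ok,
                                     bool verify_error, bool verify_hostname_error)
{
    (void)verify_error; /* ignored, as in the shipped gnutls.c */
    enum gnutls_action result = ACTION_OK;
    if (peer_verification != 0)
        result = verify_hostname_error ? ACTION_ERROR : ACTION_WARN;
    if (!hostname_ok)
        result = worst_of(result, verify_hostname_error ? ACTION_ERROR : ACTION_WARN);
    return result;
}

/* Gating the gnutls-negotiate docstring promises: chain verification answers
 * to verify_error, the name check to verify_hostname_error. */
enum gnutls_action verify_fixed(unsigned peer_verification, bool hostname_ok,
                                bool verify_error, bool verify_hostname_error)
{
    enum gnutls_action result = ACTION_OK;
    if (peer_verification != 0)
        result = verify_error ? ACTION_ERROR : ACTION_WARN;
    if (!hostname_ok)
        result = worst_of(result, verify_hostname_error ? ACTION_ERROR : ACTION_WARN);
    return result;
}

int main(void)
{
    /* Caller passes :verify-error t but leaves :verify-hostname-error nil:
     * the shipped code only warns about an untrusted chain. */
    printf("shipped: %d  fixed: %d\n",
           verify_as_shipped(1, true, true, false),
           verify_fixed(1, true, true, false)); /* prints "shipped: 1  fixed: 2" */
    return 0;
}
```

The first case in `main` is the one that matters for a defender: a caller who asked for hard failure on an untrusted chain silently gets a logged warning and an open connection.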