On Sat, 16 Nov 2013 14:11:33 +0100 Julien Danjou wrote:

JD> On Sat, Nov 16 2013, Vincent Bernat wrote:

>> In the same way as for whitelisting, default verification options should
>> be a variable with possibility to override it by using the appropriate
>> option of `gnutls-negotiate`.

OK, I worked on this.

>> Verification options could be:
>>
>> - `expired-certificate`
>> - `revoked-certificate`
>> - `untrusted-certificate`
>> - `hostname-mismatch`

I'm not sure this granularity is necessary. I just have :trustfiles and :hostname as options right now. Anyone else with an opinion?

Note that you can also specify verification flags. From the `gnutls-boot' docs:

  VERIFY-FLAGS is a numeric OR of verification flags only for
  `gnutls-x509pki' connections. See GnuTLS' x509.h for details;
  here's a recent version of the list.

    GNUTLS_VERIFY_DISABLE_CA_SIGN = 1,
    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 2,
    GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 4,
    GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 8,
    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
    GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
    GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
    GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256

  It must be omitted, a number, or nil; if omitted or nil it defaults
  to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT.

JD> I think this is a really good idea and I've been waiting for that for a long
JD> time. Since I don't have time to do this myself currently, consider this
JD> message as a strong support.

\o/

JD> I'd be happy to help and test as far as I can.

First patch attached here against Emacs trunk. It removes `:verify-hostname-error' everywhere, adds a new `gnutls-verify-error' defcustom and uses it in `gnutls-boot', and allows the user to match the hostname to a regexp and provide verification flags for each such regexp. To make verification errors abort GnuTLS negotiations, `gnutls-verify-error' simply needs to be t (it's nil in this patch).
My concern is that suddenly connections will start failing for our users and bug reports will flow, and I don't have time to explain to everyone why their self-signed certificates need exceptions. This can be really, really annoying. But logging in *Messages* is not very useful either; users don't read it. So what's the right thing? How about a default behavior of flashing a warning, then sit-for 3 seconds? A hard error can be optional but not the default.

I'm also not sure I like the look and feel of the `gnutls-verify-error' defcustom. It's kind of awkward.

I'd like to get this done before the Emacs code freeze next week or so. Please give me your opinions and test the code.

Ted
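The two knobs discussed in this thread, the per-host `gnutls-verify-error' policy (:trustfiles / :hostname) and the numeric VERIFY-FLAGS passed to `gnutls-boot', are easy to get wrong in a way that silently weakens verification. The following Emacs Lisp is an added example written for this page; it is not Ted's patch and not code from Emacs or GnuTLS. It assumes the policy is either t, nil, or a list of (HOST-REGEXP FLAG...) entries with the first matching regexp winning; the exact shape in the attached patch is not visible here, so that, the `my-' prefixed names and the sample policy are assumptions. The flag values themselves are the ones quoted from the `gnutls-boot' docstring above.

```elisp
;; Added example, not from the Emacs patch discussed in this thread.
;; Assumed policy shape: t, nil, or a list of (HOST-REGEXP FLAG...) where
;; FLAG is :trustfiles or :hostname.  All `my-' names are hypothetical.

;; GnuTLS VERIFY-FLAGS values exactly as quoted from the `gnutls-boot' docs.
(defconst my-gnutls-verify-flag-alist
  '((disable-ca-sign . 1)
    (allow-x509-v1-ca-crt . 2)          ; the documented default
    (do-not-allow-same . 4)
    (allow-any-x509-v1-ca-crt . 8)
    (allow-sign-rsa-md2 . 16)
    (allow-sign-rsa-md5 . 32)
    (disable-time-checks . 64)
    (disable-trusted-time-checks . 128)
    (do-not-allow-x509-v1-ca-crt . 256)))

;; Flags that make chain verification weaker than the default.  Setting any
;; of these for a host you do not control defeats the point of verifying.
(defconst my-gnutls-weakening-flags
  '(disable-ca-sign allow-any-x509-v1-ca-crt allow-sign-rsa-md2
    allow-sign-rsa-md5 disable-time-checks disable-trusted-time-checks))

(defun my-gnutls-verify-flags (&rest names)
  "Return the numeric OR of the GnuTLS verify flags NAMES.
Signals an error on an unknown name rather than silently dropping it."
  (let ((value 0))
    (dolist (name names value)
      (let ((bit (cdr (assq name my-gnutls-verify-flag-alist))))
        (unless bit
          (error "Unknown GnuTLS verify flag: %s" name))
        (setq value (logior value bit))))))

(defun my-gnutls-weakening-flags-in (flags)
  "Return the names of weakening flags present in the numeric FLAGS.
Useful as a sanity check before handing FLAGS to `gnutls-boot'."
  (let (weak)
    (dolist (name my-gnutls-weakening-flags (nreverse weak))
      (when (/= 0 (logand flags (cdr (assq name my-gnutls-verify-flag-alist))))
        (push name weak)))))

(defun my-gnutls-checks-for-host (host policy)
  "Return the checks (:trustfiles and/or :hostname) to enforce for HOST.
POLICY is t (enforce both for every host), nil (enforce nothing, the
patch's default) or a list of (REGEXP FLAG...) entries; the first entry
whose REGEXP matches HOST wins, and an unmatched HOST gets nothing."
  (cond ((eq policy t) '(:trustfiles :hostname))
        ((null policy) nil)
        (t (catch 'found
             (dolist (entry policy)
               (when (string-match-p (car entry) host)
                 (throw 'found (cdr entry))))))))

;; Constructed sample policy: strict for example.org and its subdomains,
;; no checks for a self-signed dev box on localhost.  Hosts that match
;; nothing fall through to nil, mirroring the patch's nil default.
(defvar my-gnutls-policy
  '(("\\`\\(.*\\.\\)?example\\.org\\'" :trustfiles :hostname)
    ("\\`localhost\\'")))

;; Usage (values shown are what the functions above return):
;; (my-gnutls-checks-for-host "mail.example.org" my-gnutls-policy)
;;   => (:trustfiles :hostname)
;; (my-gnutls-checks-for-host "localhost" my-gnutls-policy)
;;   => nil
;; (my-gnutls-checks-for-host "evil.example.com" my-gnutls-policy)
;;   => nil   ; unmatched: nothing enforced, which is the trap with a nil default
;; (my-gnutls-verify-flags 'allow-x509-v1-ca-crt)
;;   => 2     ; same as leaving VERIFY-FLAGS nil
;; (my-gnutls-weakening-flags-in (my-gnutls-verify-flags 'allow-x509-v1-ca-crt
;;                                                       'disable-time-checks))
;;   => (disable-time-checks)
```

The last two calls are the check a practitioner wants before wiring a regexp to a flag value: with a nil default, any host that no regexp matches is simply not verified, so a restrictive policy needs a catch-all entry or `gnutls-verify-error' set to t, and any nonzero weakening flag should be reviewed rather than ORed in by habit.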