From mboxrd@z Thu Jan 1 00:00:00 1970
From: Daniel Pittman
Newsgroups: gmane.emacs.gnus.general
Subject: Re: tls-program
Date: Sun, 19 Sep 2010 14:20:59 +1000
Message-ID: <87vd62pdn8.fsf@rimspace.net>
References: <87y6ay3c1q.fsf@news.realpath.org> <87sk163b6o.fsf@news.realpath.org>
To: ding@gnus.org
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (gnu/linux)
Xref: news.gmane.org gmane.emacs.gnus.general:71054

Lars Magne Ingebrigtsen writes:

> Sebastian Krause writes:
>
>> Since I can imagine that the native TLS in Emacs 24 will probably be based
>> on GnuTLS as well (just guessing), it might be worth trying to find out
>> what's going wrong here. What happens when you try to directly connect to
>> the servers from the shell, e.g. with "gnutls-cli -p 993 imap.example.com"?
>
> Excellent point.
>
> It turns out that gnutls-cli terminates with:
>
> - The hostname in the certificate does NOT match ''
>
> So the IMAP servers have certificates that don't match their names. I'm
> guessing that that's common? Adding --insecure fixes this.

Probably reasonably, outside the nicer parts of the world.

> So... what would be the nicest behaviour here? Adding --insecure would
> probably not be nice. But not nice to not work, either.
>
> Hang on. Why does the openssh thing work if the certificate isn't
> valid?
>
> Ah. It says
>
> Verify return code: 10 (certificate has expired)
>
> and then continues merrily on. So gnutls-cli defaults to secure, while
> openssl defaults to insecure? That seems inconsistent. So perhaps
> adding --insecure is the right thing, after all?

I would be inclined to do that, from a UI point of view, but it is rather
nasty.

A better approach might be to force them explicitly to secure[1], detect the
appropriate warnings, and either prompt the user, or educate them about what
has to happen?

        Daniel

Footnotes:
[1] Against gnutls getting a global config file and the admin changing it,
    for example.

-- 
✣ Daniel Pittman ✉ daniel@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
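The "detect the appropriate warnings" approach from the reply above, as an added example that is not part of the original thread or of Gnus: a POSIX shell script that parses what gnutls-cli and openssl s_client report about certificate verification and turns it into an ok / verify-failed verdict a client could act on, instead of passing --insecure or carrying on past a non-zero "Verify return code". The sample tool outputs are constructed, modelled on the two lines quoted in the thread, and imap.example.com is a placeholder host; the `-verify_return_error` flag in the live probe is a real s_client option that makes it exit on a verification failure, but that function is not exercised here because it needs the network.

```shell
#!/bin/sh
# Added example, not from the thread. Parse the verification lines that
# gnutls-cli and openssl s_client print and refuse to treat a failed
# verification as a working connection. Sample outputs are constructed.

OPENSSL_EXPIRED_SAMPLE='CONNECTED(00000003)
depth=0 CN = imap.example.com
verify error:num=10:certificate has expired
---
Verify return code: 10 (certificate has expired)
---'

OPENSSL_OK_SAMPLE='CONNECTED(00000003)
---
Verify return code: 0 (ok)
---'

GNUTLS_MISMATCH_SAMPLE="Processed 1 CA certificate(s).
- Certificate type: X.509
- The hostname in the certificate does NOT match 'imap.example.com'
*** Verifying server certificate failed..."

GNUTLS_OK_SAMPLE="Processed 1 CA certificate(s).
- Certificate type: X.509
- The hostname in the certificate matches 'imap.example.com'.
- Peer's certificate is trusted"

# openssl_verify_code OUTPUT: print the numeric X.509 verify result that
# s_client reports (0 means verified). Prints 99 when the line is absent, so
# a truncated transcript is never mistaken for success.
openssl_verify_code() {
  code=$(printf '%s\n' "$1" | sed -n 's/^Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
  printf '%s\n' "${code:-99}"
}

# gnutls_verified OUTPUT: succeed only when gnutls-cli reported neither a
# hostname mismatch nor a failed verification.
gnutls_verified() {
  if printf '%s\n' "$1" | grep -q -e 'does NOT match' -e 'Verifying server certificate failed'; then
    return 1
  fi
  return 0
}

# classify TOOL OUTPUT: print "ok" or "verify-failed: <reason>" for either
# tool, the kind of message a client could show the user before deciding.
classify() {
  case "$1" in
    openssl)
      code=$(openssl_verify_code "$2")
      if [ "$code" = 0 ]; then
        echo ok
      else
        reason=$(printf '%s\n' "$2" | sed -n 's/^Verify return code: [0-9]* (\(.*\))$/\1/p' | head -n 1)
        echo "verify-failed: ${reason:-no verify result in output}"
      fi
      ;;
    gnutls)
      if gnutls_verified "$2"; then
        echo ok
      else
        reason=$(printf '%s\n' "$2" \
          | grep -e 'does NOT match' -e 'Verifying server certificate failed' \
          | head -n 1 | sed 's/^[-* ]*//')
        echo "verify-failed: $reason"
      fi
      ;;
    *)
      echo "unknown tool: $1" >&2
      return 2
      ;;
  esac
}

# Live probe (needs the network, not run here): -verify_return_error makes
# s_client exit non-zero on a verify failure instead of continuing.
probe_openssl() {
  openssl s_client -connect "$1:${2:-993}" -verify_return_error </dev/null 2>&1
}

classify openssl "$OPENSSL_EXPIRED_SAMPLE"
classify openssl "$OPENSSL_OK_SAMPLE"
classify gnutls  "$GNUTLS_MISMATCH_SAMPLE"
classify gnutls  "$GNUTLS_OK_SAMPLE"
```

The two tools expose the same fact in different shapes: s_client always prints a "Verify return code" line and leaves the decision to the caller, while gnutls-cli prints a reason and aborts. Parsing both into one verdict is what lets a client prompt or explain rather than either failing opaquely or silently accepting an expired or mismatched certificate.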