From: Lars Magne Ingebrigtsen
Newsgroups: gmane.emacs.gnus.general
Subject: Re: tls-program
Date: Sun, 19 Sep 2010 19:47:23 +0200
Organization: Programmerer Ingebrigtsen
References: <87y6ay3c1q.fsf@news.realpath.org> <87sk163b6o.fsf@news.realpath.org> <87vd62pdn8.fsf@rimspace.net> <871v8pq374.fsf@dod.no> <87k4mh1vfv.fsf@randomsample.de>
To: ding@gnus.org

David Engster writes:

> gnutls-cli accepts self-signed certificates by default:
>
> - The hostname in the certificate matches 'mydomain.foobar'.
> - Peer's certificate issuer is unknown
> - Peer's certificate is NOT trusted

One of the servers had a self-signed expired certificate, which made
gnutls-cli abort...

> However, a hostname mismatch is not tolerated, and can only be
> overridden with --insecure. This shouldn't be the default,
> though. Openssl indeed always continues by default, but I think a
> hostname mismatch should at least be warned about.

Querying the user, and then saving the result of the query would be the
best compromise between usability and security here, I think.

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen
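
The query-and-remember approach suggested in the message above, as an added sketch that is not part of the original post and is not Gnus code. The class name, the JSON store file, the problem labels and the `ask` callback are assumptions made for illustration; the saved answer is bound to the certificate's SHA-256 fingerprint so that a changed certificate or a new kind of failure prompts again.

```python
import hashlib
import json
import os


class CertExceptionStore:
    """Hypothetical store of user-approved certificate exceptions (not a Gnus API)."""

    def __init__(self, path):
        self.path = path
        self.entries = {}
        if os.path.exists(path):
            with open(path) as f:
                self.entries = json.load(f)

    def _save(self):
        # Write to a 0600 temp file, then rename, so the store is never half-written.
        tmp = self.path + ".tmp"
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(self.entries, f, indent=2)
        os.replace(tmp, self.path)

    def allow(self, host, port, cert_der, problems, ask):
        """Return True if the connection may proceed.

        problems: labels from the verifier, e.g. {"self-signed", "expired"}.
        ask: callback(host, port, fingerprint, problems) -> bool, the user prompt.
        """
        if not problems:
            return True  # certificate verified cleanly, nothing to ask
        key = f"{host}:{port}"
        fp = hashlib.sha256(cert_der).hexdigest()
        saved = self.entries.get(key)
        # Reuse a saved answer only for the same certificate and only for
        # problems the user already saw; anything new is asked about again.
        if saved and saved["sha256"] == fp and set(problems) <= set(saved["problems"]):
            return True
        if not ask(host, port, fp, sorted(problems)):
            return False  # refusals are not stored, so the user is asked next time
        self.entries[key] = {"sha256": fp, "problems": sorted(problems)}
        self._save()
        return True
```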