From: Lars Magne Ingebrigtsen
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Built-in TLS vs. nnimap security
Date: Thu, 18 Aug 2011 02:30:05 +0200
Organization: Programmerer Ingebrigtsen
References: <87pqkgf7pw.fsf@silenus.orebokech.com>
To: ding@gnus.org
User-Agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.50 (gnu/linux)

Romain Francoise writes:

> Is it a feature or a bug that when the built-in GnuTLS support is loaded
> in Emacs, nnimap happily connects to my test imaps server even though the
> certificate is self-signed and doesn't match the hostname?

It's a ... er ... missing feature. :-)

> Actually, shouldn't `open-gnutls-stream' do these checks by default
> anyway? It's a new implementation, it doesn't have to follow the (poor)
> historical defaults set by tls.el.

Yes, it's meant to do that, but nobody has actually implemented the
needed callbacks, I seem to remember? Or did Ted do that, and I missed
it? I was going to do the `open-network-stream' querying thing after the
required callbacks were in place.

The last thing I seem to vaguely recall was Ted saying something about
different verification callback structures in different versions of the
gnutls libraries, which made things awkward. But I may be misremembering.

Anybody? :-)

-- 
(domestic pets only, the antidote for overdose, milk.)
  bloggy blog http://lars.ingebrigtsen.no/
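The two checks the thread says the GnuTLS-backed stream skips (rejecting a peer whose chain is not trusted, and rejecting a certificate that does not name the host being dialled) worked through as an added example. This is Python against the standard `ssl` module, not Emacs, Gnus or GnuTLS code; the sample certificate dictionary is constructed in the layout `ssl.SSLSocket.getpeercert()` returns, and every function name (`dns_label_match`, `cert_matches_hostname`, `audit`, and so on) is my own.

```python
"""Hostname matching and verification-policy checks for a TLS client.

Added example, not Emacs/Gnus code. It models the checks the thread says the
GnuTLS-backed stream skipped: that the client is configured to verify the
peer's chain at all, and that the presented certificate's names match the host
that was dialled (RFC 6125 style), using the dict layout that Python's
ssl.SSLSocket.getpeercert() returns.
"""
import ssl

# Constructed sample in the getpeercert() layout; it stands in for the
# self-signed certificate on the poster's test imaps server.
SELF_SIGNED_TEST_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
    "subjectAltName": (
        ("DNS", "localhost"),
        ("DNS", "*.test.example"),
        ("IP Address", "127.0.0.1"),
    ),
}


def dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match of one dNSName pattern against a hostname.

    Only a whole leftmost label may be a wildcard and it matches exactly one
    label, so '*.test.example' matches 'imap.test.example' but neither
    'test.example' nor 'a.b.test.example'. Partial wildcards ('f*o.example')
    and '*.tld' are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """Does the certificate name the host we dialled?

    Per RFC 6125 section 6.4.4 the subjectAltName dNSName entries are
    authoritative; the subject commonName is consulted only when the
    certificate carries no dNSName at all.
    """
    dns_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return any(dns_label_match(name, hostname) for name in dns_names)


def looks_self_issued(cert: dict) -> bool:
    """Subject equals issuer. Every self-signed certificate is self-issued, so
    this is a cheap first screen; chain verification is still the real test."""
    return cert.get("subject") == cert.get("issuer")


def verification_enforced(ctx: ssl.SSLContext) -> bool:
    """True only if the context rejects untrusted chains AND name mismatches."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def strict_client_context() -> ssl.SSLContext:
    # Loads the platform CA store and enables chain + hostname verification.
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH)


def permissive_client_context() -> ssl.SSLContext:
    # Reproduces the behaviour the thread complains about: anything is accepted.
    # Present only so that audit() has a misconfiguration to flag.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode=CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(cert: dict, hostname: str, ctx: ssl.SSLContext) -> list:
    """Return the reasons this connection should not be trusted (empty = fine)."""
    problems = []
    if not verification_enforced(ctx):
        problems.append("client context does not verify peer certificates")
    if looks_self_issued(cert):
        problems.append("certificate is self-issued (no trusted CA in the chain)")
    if not cert_matches_hostname(cert, hostname):
        problems.append("certificate does not name %s" % hostname)
    return problems


if __name__ == "__main__":
    for label, ctx in (("strict", strict_client_context()),
                       ("permissive", permissive_client_context())):
        print(label, audit(SELF_SIGNED_TEST_CERT, "imap.example.org", ctx))
```

`audit` is the part worth reusing: run it against the peer certificate before any credentials are sent, and treat a non-empty list as a hard failure rather than a prompt. Note that `check_hostname` must be cleared before `verify_mode` is lowered, which is why a context that verifies by default cannot drift into the permissive state by accident.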