Gnus development mailing list
From: Vincent Bernat <bernat@luffy.cx>
To: ding@gnus.org
Subject: Re: Builtin GnuTLS support and certificate verification
Date: Mon, 04 Nov 2013 20:54:26 +0100	[thread overview]
Message-ID: <m3zjpkndsd.fsf@neo.luffy.cx> (raw)
In-Reply-To: <87txftsnub.fsf@flea.lifelogs.com> (Ted Zlatanov's message of "Sun, 03 Nov 2013 06:53:48 -0500")

 ❦  3 November 2013 12:53 CET, Ted Zlatanov <tzz@lifelogs.com>:

> `verify-error', however, is missing from the docstring of
> gnutls.c:gnutls-boot and there's just a commented-out line in the
> function:
>
>   /* Lisp_Object verify_error; */
>
> and the verification code, as you observed, does all the peer
> verification based on `verify-hostname-error'.  I think this is my
> error; this code:
>
>   if (peer_verification != 0)
>     {
>       if (NILP (verify_hostname_error))
> 	GNUTLS_LOG2 (1, max_log_level, "certificate validation failed:",
> 		     c_hostname);
>       else
> 	{
> 	  emacs_gnutls_deinit (proc);
> 	  error ("Certificate validation failed %s, verification code %d",
> 		 c_hostname, peer_verification);
> 	}
>     }
>
> should have been using `verify_error' instead.
>
> Could you double-check my investigation and confirm?  If you agree, I
> will make the change and update the bug report.

I agree with you, but I find it odd to have two verification algorithms. I
don't see the point of verifying the hostname if the certificate is
invalid on some other points, and I don't see the point of not verifying
the hostname.

I mean, if you accept any valid certificate, it is trivial for me to
present you with the certificate of my website. If you accept any
invalid certificate with the right hostname, it is also trivial for me
to build a self-signed certificate with the right hostname.

Now, if `:trustfiles` is set to a non-standard location, the first case
may make sense: I don't check the hostname, but the certificate should
only be valid if signed by some other certificate that I specify
exactly. However, in which case could this be useful? Either you have
signed the certificate yourself, and it is trivial to set the appropriate
name, or you bought it, and I could buy a certificate from the same shop
with another name.

So, for me, there should be only one verification algorithm. We are not
in the ideal case for this, because we only have one algorithm, but its
name does not exactly describe it.

Maybe you could just alias verify-error and verify-hostname-error and
say in the documentation that they do the same and that
verify-hostname-error will be removed at some point?
-- 
printk("Illegal format on cdrom.  Pester manufacturer.\n"); 
	2.2.16 /usr/src/linux/fs/isofs/inode.c
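
The two bypasses described in the message above (a CA-signed certificate for
a different name gets past a chain-only check; a self-signed certificate
carrying the right name gets past a hostname-only check) can be demonstrated
offline. The following is an added example and is not code from the thread,
from Emacs's gnutls.c or from GnuTLS; it builds a throwaway PKI with the
Python `cryptography` package (assumed to be installed) and runs three
verification policies over it. The CA name, the hostnames and the certificate
lifetimes are constructed for the example.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed hostnames for the example (not from the thread).
TARGET_HOST = "mail.example.net"      # the host the client intends to reach
ATTACKER_HOST = "attacker.example.org"  # a name the attacker legitimately owns


def build_cert(subject_cn, dns_name, subject_key, issuer_cert, issuer_key, is_ca):
    """Issue a certificate; issuer_cert=None makes it self-signed."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if dns_name:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False
        )
    return builder.sign(issuer_key, hashes.SHA256())


def _validity(cert):
    """Return (not_before, not_after, now) using whichever API this version has."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc, datetime.datetime.now(datetime.timezone.utc)
    return cert.not_valid_before, cert.not_valid_after, datetime.datetime.utcnow()


def chain_ok(cert, ca_cert):
    """Chain check only: issued by the trusted CA, signature valid, in date."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
    except InvalidSignature:
        return False
    not_before, not_after, now = _validity(cert)
    return not_before <= now <= not_after


def _dns_match(pattern, host):
    """Exact match, or a single leftmost wildcard label (RFC 6125 style)."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split(".")[1:], host.split(".")
        return len(hlabels) == len(plabels) + 1 and hlabels[1:] == plabels
    return False


def hostname_ok(cert, hostname):
    """Hostname check only: the name we dialed appears in the SAN extension."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return False
    return any(_dns_match(n.lower(), hostname.lower()) for n in san.get_values_for_type(x509.DNSName))


def verify(cert, ca_cert, hostname, check_chain=True, check_hostname=True):
    """The single combined policy the message argues for; flags let us degrade it."""
    ok = True
    if check_chain:
        ok = ok and chain_ok(cert, ca_cert)
    if check_hostname:
        ok = ok and hostname_ok(cert, hostname)
    return ok


def scenario():
    """Build the toy PKI and evaluate each certificate under each policy."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = build_cert("Example Trusted CA", None, ca_key, None, ca_key, True)

    legit = build_cert(TARGET_HOST, TARGET_HOST, ec.generate_private_key(ec.SECP256R1()), ca_cert, ca_key, False)
    # Attack 1: a real CA-issued cert, but for the attacker's own name ("the certificate of my website").
    wrong_name = build_cert(ATTACKER_HOST, ATTACKER_HOST, ec.generate_private_key(ec.SECP256R1()), ca_cert, ca_key, False)
    # Attack 2: self-signed, but carrying the right name.
    self_key = ec.generate_private_key(ec.SECP256R1())
    self_signed = build_cert(TARGET_HOST, TARGET_HOST, self_key, None, self_key, False)

    policies = {
        "chain_only": dict(check_chain=True, check_hostname=False),
        "hostname_only": dict(check_chain=False, check_hostname=True),
        "full": dict(check_chain=True, check_hostname=True),
    }
    certs = {"legit": legit, "wrong_name": wrong_name, "self_signed": self_signed}
    return {
        cname: {pname: verify(c, ca_cert, TARGET_HOST, **p) for pname, p in policies.items()}
        for cname, c in certs.items()
    }


if __name__ == "__main__":
    for cname, results in scenario().items():
        print(cname, results)
```

Only the `full` policy rejects both attack certificates; each degraded policy
accepts exactly the certificate built to slip past it, which is the point made
above about not keeping two separate verification modes.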



Thread overview: 21+ messages
2013-11-02 11:22 Vincent Bernat
2013-11-02 11:27 ` Julien Danjou
2013-11-02 17:40   ` Vincent Bernat
2013-11-02 21:09     ` Vincent Bernat
2013-11-03 11:53     ` Ted Zlatanov
2013-11-04 19:54       ` Vincent Bernat [this message]
2013-11-04 21:10         ` Ted Zlatanov
2013-11-04 22:38           ` Vincent Bernat
2013-11-11 15:45             ` Ted Zlatanov
2013-11-16 11:18               ` Vincent Bernat
2013-11-16 13:11                 ` Julien Danjou
2013-12-08  4:22                   ` Ted Zlatanov
2013-12-08  8:39                     ` Vincent Bernat
2013-12-08 16:08                       ` Ted Zlatanov
2013-12-14 18:06                         ` Ted Zlatanov
2013-12-16  1:39                           ` Katsumi Yamaoka
2013-12-16  6:31                             ` Herbert J. Skuhra
2013-12-16 13:51                               ` Tassilo Horn
2013-12-16 15:25                                 ` Ted Zlatanov
2013-12-16 15:24                               ` Ted Zlatanov
2013-12-16 15:27                             ` Ted Zlatanov
