bug-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#16784: 24.3; Problems opening NNTP connection: failing starttls beca


From: Ted Zlatanov
Subject: bug#16784: 24.3; Problems opening NNTP connection: failing starttls because of a non-verified certificate
Date: Thu, 20 Mar 2014 10:48:25 -0400
User-agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)

On Tue, 18 Feb 2014 10:43:00 -0500 Ted Zlatanov <address@hidden> wrote: 

TZ> On Mon, 17 Feb 2014 18:50:32 +0100 address@hidden wrote: 
s> Entering news.gmane.no nntp groups in gnus fails on Windows, because it
s> tries to upgrade the connection using STARTTLS and fails because the
s> news.gmane.org certificate is self signed.

SB> I would like one of the following solutions:
SB> 1. The possibility to switch off the attempted upgrade to STARTTLS for
SB> NNTP connections

I think Lars has to give an opinion here.

SB> 2. The possibility to tell GNU-TLS not to be so stringent about
SB> certificate verification

The latest Emacs trunk has this:

(defcustom gnutls-verify-error nil
  "If non-nil, this should be a list of checks per hostname regex or t."
  :group 'gnutls
  :version "24.4"
  :type '(choice
          (const t)
          (repeat :tag "List of hostname regexps with flags for each"
           (list
            (choice :tag "Hostname"
                    (const ".*" :tag "Any hostname")
                    regexp)
            (set (const :trustfiles)
                 (const :hostname))))))

So basically customize that variable and add :trustfiles and :hostname
for the respective verifications, or nil to disable them.

Also note that internally, we use some default flags for
`gnutls-negotiate'.  From the docstring:

VERIFY-FLAGS is a numeric OR of verification flags only for
`gnutls-x509pki' connections.  See GnuTLS' x509.h for details;
here's a recent version of the list.

    GNUTLS_VERIFY_DISABLE_CA_SIGN = 1,
    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 2,
    GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 4,
    GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 8,
    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
    GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
    GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
    GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256

It must be omitted, a number, or nil; if omitted or nil it
defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT.

This is the current default, except as modified by the GnuTLS priority
string.  I would expect callers such as Gnus to modify this, but not
normal users.

Ted





reply via email to

[Prev in Thread] Current Thread [Next in Thread]