--- Begin Message ---
Subject: |
24.3; Builtin TLS support should enable certificate verification support by default |
Date: |
Sat, 02 Nov 2013 16:05:21 +0100 |
Hi!
New builtin TLS support disables certificate verification by
default. This is a very bad practice and the default should be to check
for certificate validity.
Moreover, the end-user of a package using this builtin support has no
easy way to enable the verification of TLS certificates. For example,
Gnus does not provide anything to enable this and as a simple user, it
seems quite difficult to ensure that certificates are verified. And each
package has the responsability to enable this option. This is
cumbersome.
Previously, enabling/disabling certificate verification was easy. You
set `tls-program` variable to something that checks or don't check for
certificates. For gnutls-client, this was a matter of using or not using
the `--insecure` switch.
I didn't find a way to disable the builtin TLS support (other than to
recompile Emacs).
I propose:
1. Verify the certificates by default.
2. Prompt the user if there is a problem.
3. Add the possibility to not check for certificates by default.
I can provide a patch for the first step but I have little Emacs-fu for
the other two parts (all the more that most of the code is in C).
--
Use variable names that mean something.
- The Elements of Programming Style (Kernighan & Plauger)
--- End Message ---
--- Begin Message ---
Subject: |
Re: bug#15792: 24.3; Builtin TLS support should enable certificate verification support by default |
Date: |
Sat, 02 Nov 2013 22:07:16 +0100 |
User-agent: |
Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3 (gnu/linux) |
❦ 2 novembre 2013 19:48 CET, Glenn Morris <address@hidden> :
> See http://debbugs.gnu.org/13374 and related discussion.
Thanks! Sorry for the duplicate, I didn't find this bug report.
--
printk("??? No FDIV bug? Lucky you...\n");
2.2.16 /usr/src/linux/include/asm-i386/bugs.h
--- End Message ---