gnutls tofu support? or even --insecure?

From: Nix
Subject: gnutls tofu support? or even --insecure?
Date: Tue, 11 Aug 2015 13:11:37 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)

So GnuTLS 3.2.21 has randomly (as in, I haven't updated it or touched
anything) started rejecting all connections to my work mailserver with
an apparently totally spurious certificate validation error:

- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

(when it's a perfectly normal Verisign cert in my certificate store, as
far as I can tell).

Life is *far* too short to figure out why this is (the whole thing is
happening over a VPN anyway, I trust this connection! I just can't tell
GnuTLS that!), so the thing that will save me is apparently --tofu,
though I'd be happy enough with --insecure. Unfortunately I can't get
Gnus to use either of these -- when (gnutls-available-p),
starttls-extra-arguments is ignored, as is tls-program, leaving me
forced to hack at gnutls.c if I want to read my work email any more. (I
find this somewhat unsatisfactory!)

Toke wrote a patch back in October of last year which implemented TOFU,
but now it doesn't remotely apply:

Does anyone know what happened to it? It doesn't seem to have been
applied, though it was applauded by several and adds a feature not
available in any other way (and a way of working *far* preferable to
trusting certificate authorities with anything ever).

I may have to reimplement it :)

NULL && (void)
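For readers who are not familiar with what `--tofu` buys over `--insecure`, here is an added illustration of trust-on-first-use certificate pinning. It is not Gnus, GnuTLS or Toke's patch; the host name, port and the "DER" byte strings are constructed stand-ins. The model is the same one `gnutls-cli --tofu` follows: remember the fingerprint of the certificate a host presents the first time, then accept only a certificate with that fingerprint, so a changed certificate is refused instead of being waved through.

```python
"""Trust-on-first-use (TOFU) certificate pinning, as a stand-alone illustration.

Not Gnus/GnuTLS code.  Models what `gnutls-cli --tofu` does: pin the SHA-256
fingerprint of the server certificate on first sight and require the same
fingerprint afterwards.  Certificate bytes here are constructed, not real DER.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 hex digest of the DER-encoded certificate (64 hex chars)."""
    return hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    """A tiny known-hosts style store mapping "host:port" -> fingerprint."""

    def __init__(self, path: Path):
        self.path = path
        self.pins = json.loads(path.read_text()) if path.exists() else {}

    def _save(self) -> None:
        self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, port: int, cert_der: bytes) -> str:
        """Return "pinned" on first sight, "match" when the stored pin holds.

        Raise ValueError when the presented certificate differs from the
        pinned one.  That is the case TOFU exists to catch, and the case
        that --insecure would silently accept.
        """
        key = f"{host}:{port}"
        fp = fingerprint(cert_der)
        known = self.pins.get(key)
        if known is None:
            self.pins[key] = fp          # first contact: trust and remember
            self._save()
            return "pinned"
        if known == fp:
            return "match"
        raise ValueError(
            f"certificate for {key} changed: pinned {known[:16]}..., got {fp[:16]}..."
        )

    def repin(self, host: str, port: int, cert_der: bytes) -> None:
        """Replace a pin after the new certificate was verified out of band."""
        self.pins[f"{host}:{port}"] = fingerprint(cert_der)
        self._save()


def demo() -> tuple:
    """Run first contact, a repeat connection, and a changed certificate.

    Returns ("pinned", "match", True): the third element records that the
    changed certificate was rejected.
    """
    with tempfile.TemporaryDirectory() as d:
        store_path = Path(d) / "known_certs.json"
        cert_a = b"constructed-DER-for-mail.example.test-A"   # constructed
        cert_b = b"constructed-DER-for-mail.example.test-B"   # constructed

        store = TofuStore(store_path)
        first = store.check("mail.example.test", 993, cert_a)

        # Reopen the store to show the pin survives across sessions.
        store = TofuStore(store_path)
        second = store.check("mail.example.test", 993, cert_a)

        try:
            store.check("mail.example.test", 993, cert_b)
            changed_rejected = False
        except ValueError:
            changed_rejected = True
        return first, second, changed_rejected


if __name__ == "__main__":
    print(demo())
```

The point of the `repin` path is that a legitimately rotated certificate needs a deliberate, out-of-band confirmation before the pin is replaced; a pinning client that silently re-pins on mismatch has quietly degraded into `--insecure`.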
