
Re: A couple of questions and concerns about Emacs network security

From: Jimmy Yuen Ho Wong
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sun, 24 Jun 2018 22:30:50 +0100

Here's the patch to get GnuTLS to do CRL checking.

On Debian, you can get a bunch of CRL PEM files by the following:

    $ sudo apt-get install igtf-policy-bundle
    $ sudo apt-get install fetch-crl
    $ sudo fetch-crl -p 8 --format pem

On macOS with MacPorts:

    $ sudo port install igtf-ca-bundle
    $ sudo fetch-crl -p 8 --format pem

Now if you do

  M-: (url-retrieve-synchronously "https://revoked.grc.com/") RET

You should see a prompt from NSM.

Possible improvement:

Checking against static CRLs is still spotty. "https://revoked.badssl.com" still fails to trigger a prompt from NSM. For that we'll definitely need OCSP and some of the newer Certificate Transparency tricks.

On Sun, Jun 24, 2018 at 7:29 PM, Jimmy Yuen Ho Wong <address@hidden> wrote:

> I'm not quite sure I follow you here.  OCSP is the online query stuff,
> and is something that gnutls doesn't do, I think, and which is probably
> not something we want to do either.  (Chrome doesn't, for instance.)

GnuTLS has had the ability to do OCSP since 3.1.3, released back in 2012. This is how you do it according to the manual.

Chrome's primary check OOTB is its own curated CRLSet, but it does use OCSP for some EV certs, and relies on the underlying library to do OCSP. You can also enable it in Chrome if you want.

> But a certificate revocation list is something we could consider
> distributing via ELPA, but that's a bigger project...

No. Emacs has a defined list of CA bundle PEM files (`gnutls-trustfiles`) it looks for now; the same can be done for CRL files. Users can periodically update their CA bundle and CRL bundle. The CA bundle on *nix is typically Mozilla's, which is covered by the default list in `gnutls-trustfiles`. A complete list of CRLs in PEM format typically doesn't exist on most systems, but one can be generated with `igtf-ca-bundle` + `fetch-crl`. I just generated them on macOS via MacPorts; on Linux it should also be a matter of installing a few packages and running `fetch-crl`.

> Or do you mean OCSP stapling?  There's so much going on in this area
> (because it's a clusterfuck to begin with) that it can be challenging
> keeping track.  :-)

Nah, it's just a couple more lines of C code. See GnuTLS's manual on OCSP above.

Attachment: 0001-Check-TLS-certs-against-CRL.patch
Description: Binary data
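As an added example that is not part of this message, the attached patch, or Emacs's own code: an Emacs Lisp sketch of the `gnutls-trustfiles`-style CRL list proposed above, wired into the `:crlfiles` argument of `gnutls-negotiate`, so the revoked.grc.com check can be reproduced from Lisp once the fetch-crl procedure at the top of the message has run. `gnutls-crlfiles`, `crl-example-peer-warnings` and `crl-example-check` are names invented here, and the directories in the default list are assumptions about where fetch-crl leaves its output on Debian and MacPorts; adjust them to match the machine.

```elisp
;;; crl-check-example.el --- added example: verify a TLS peer against local CRLs
;;; Illustrative code written for this page, not Emacs's implementation
;;; and not the attached patch.  Names and paths marked "assumed" are
;;; assumptions, not facts about fetch-crl or Emacs.

(require 'cl-lib)
(require 'gnutls)

(defcustom gnutls-crlfiles                      ; hypothetical variable
  '("/etc/grid-security/certificates/*.r0"           ; assumed fetch-crl output (Debian)
    "/opt/local/etc/grid-security/certificates/*.r0" ; assumed MacPorts location
    "/etc/ssl/crls/*.pem")                           ; assumed hand-maintained bundle
  "Candidate CRL files (shell globs allowed), by analogy with `gnutls-trustfiles'."
  :type '(repeat string)
  :group 'gnutls)

(defun gnutls-crlfiles ()
  "Return the existing, readable CRL files named by `gnutls-crlfiles'.
Mirrors what the `gnutls-trustfiles' function does for CA bundles:
globs are expanded, unreadable entries dropped, duplicates removed."
  (delete-dups
   (cl-loop for pattern in gnutls-crlfiles
            append (cl-remove-if-not #'file-readable-p
                                     (file-expand-wildcards pattern t)))))

(defun crl-example-peer-warnings (host &optional port)
  "Connect to HOST (default PORT 443), negotiate TLS with the CA bundle
and every CRL from `gnutls-crlfiles' loaded, and return the list of
verification warning keywords GnuTLS reports, e.g. (:revoked).
Returns nil when the chain verified cleanly."
  (let* ((port (or port 443))
         (proc (open-network-stream "crl-example" nil host port :type 'plain)))
    (unwind-protect
        (progn
          (gnutls-negotiate :process proc
                            :type 'gnutls-x509pki
                            :hostname host
                            :trustfiles (gnutls-trustfiles)
                            :crlfiles (gnutls-crlfiles)
                            ;; Do not signal on a failed verification; we
                            ;; inspect the status afterwards the way
                            ;; nsm.el does with `gnutls-peer-status'.
                            :verify-error nil)
          (plist-get (gnutls-peer-status proc) :warnings))
      (delete-process proc))))

(defun crl-example-check (host)
  "Report whether HOST's certificate is revoked according to local CRLs.
Returns the warning list so callers can act on it programmatically."
  (let ((warnings (crl-example-peer-warnings host)))
    (cond
     ;; Edge case worth making loud: with no CRL loaded, GnuTLS has
     ;; nothing to compare against and a revoked cert verifies fine.
     ((null (gnutls-crlfiles))
      (message "%s: no CRL files found; revocation was NOT checked" host))
     ((memq :revoked warnings)
      (message "%s: certificate is REVOKED (CRL match)" host))
     (warnings
      (message "%s: verification warnings %S" host warnings))
     (t
      (message "%s: chain verified, not listed in any loaded CRL" host)))
    warnings))

;; Usage, after running fetch-crl as described in the message:
;;   (crl-example-check "revoked.grc.com")
```

The `(null (gnutls-crlfiles))` branch is the caveat a practitioner wants: an empty or stale CRL list does not fail verification, it silently produces the same result as a valid certificate, so anything that adopts a `gnutls-trustfiles`-style default for CRLs should also tell the user when that list resolves to nothing.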
