bug#16978: 24.3; SSL/TLS with multiple man-in-the-middle vulnerabilities
From: Jens Lechtenboerger
Subject: bug#16978: 24.3; SSL/TLS with multiple man-in-the-middle vulnerabilities
Date: Tue, 18 Mar 2014 22:25:42 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3.50 (gnu/linux)
On 2014-03-17, Ted Zlatanov wrote:
> (require 'gnutls)
> (setq gnutls-verify-error t)
> (open-gnutls-stream "tls" "tls-buffer" "imap.gmail.com" "imaps")
> (open-gnutls-stream "tls" "tls-buffer" "localhost" "imaps")
>
> I just made a small change to allow the t in the above, so please
> update to the latest.
>
> Can you please run `gnutls-serv' with the right options and hit it
> directly, and see if that replicates the issue?
Hi Ted,
I don’t see `gnutls-serv'. The following works for me:
(open-gnutls-stream "tls" "tls-buffer" "imap.gmail.com" "imaps")
It also catches MITM attacks with self-signed certs:
(error "Certificate validation failed imap.gmail.com, verification code 66")
That’s good.
Thanks
Jens
P.S. Self-signed certs are unusable now, e.g., this fails:
(open-gnutls-stream "tls" "tls-buffer" "news.gmane.org" "nntps")
Of course, this is to be expected, but Gnus aborts the connection
without any user-visible clue, and the server is reported to be
offline.
P.P.S. I’m using imap.el, which knows of various ways to establish
SSL/TLS connections, but gnutls.el is not among them.