emacs-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: gnutls tofu support? or even --insecure?

From: Eli Zaretskii
Subject: Re: gnutls tofu support? or even --insecure?
Date: Tue, 11 Aug 2015 18:16:50 +0300 
> From: Nix <address@hidden>
> Emacs: ballast for RAM.
> Date: Tue, 11 Aug 2015 13:11:37 +0100
> Cc: Lars Magne Ingebrigtsen <address@hidden>, address@hidden
> 
> So GnuTLS 3.2.21 has randomly (as in, I haven't updated it or touched
> anything) started rejecting all connections to my work mailserver with
> an apparently totally spurious certificate validation error:
> 
> - Status: The certificate is NOT trusted. The certificate issuer is unknown.
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.
> *** Handshake has failed
> GnuTLS error: Error in the certificate.
> 
> (when it's a perfectly normal Verisign cert in my certificate store, as
> far as I can tell).
> 
> Life is *far* too short to figure out why this is (the whole thing is
> happening over a VPN anyway, I trust this connection! I just can't tell
> GnuTLS that!), so the thing that will save me is apparently --tofu,

Before you press the panic button, wouldn't it be better to try to
find out why GnuTLS started failing?  My first suspect is the
certificate bundle.  Since this is Emacs 25.0 and GnuTLS > 3.0.20,
gnutls.c is supposed to use the system-stored certificates, but does
it?  The GnuTLS logs should show: if something goes wrong with that,
you should see a log message saying something like "setting system
trust failed with code NNN".

Or maybe you made some change to your system, unrelated to Emacs,
which somehow affected the system store of the certificates?

Or maybe one of your customizations forced it to use the external
bundle of certificate files, and that bundle is outdated or missing?
Again, there should be signs of that in the logs.

So I'd suggest to set gnutls-log-level to 10, and show all the logs
you get in *Messages* while initiating such a failing connection.

P.S. I have no opinions and no objections to applying the patch you
mentioned, but AFAICT the discussion back then raised a few issues
which the OP promised to work on.  Was there ever an updated patch?
reply via email to
[Prev in Thread] Current Thread [Next in Thread]