tags -1 -unreproducible

I can reproduce issues with certification verification in Emacs 24.5+1-8
in Debian Stretch. As documented here:

https://glyph.twistedmatrix.com/2015/11/editor-malware.html

The following script will yield an error:

(let ((bad-hosts
       (cl-loop for bad
             in `("https://wrong.host.badssl.com/"
                  "https://self-signed.badssl.com/")
             if (condition-case e
                    (url-retrieve
                     bad (lambda (retrieved) t))
                  (error nil))
             collect bad)))
  (if bad-hosts
      (error (format "tls misconfigured; retrieved %s ok"
                     bad-hosts))
    (url-retrieve "https://badssl.com"
                  (lambda (retrieved) t))))

The error is:

Debugger entered--Lisp error: (error "tls misconfigured; retrieved 
(https://wrong.host.badssl.com/ https://self-signed.badssl.com/) ok")
  signal(error ("tls misconfigured; retrieved (https://wrong.host.badssl.com/ 
https://self-signed.badssl.com/) ok"))
  error("tls misconfigured; retrieved (https://wrong.host.badssl.com/ 
https://self-signed.badssl.com/) ok")
  (if bad-hosts (error (format "tls misconfigured; retrieved %s ok" bad-hosts)) 
(url-retrieve "https://badssl.com" (function (lambda (retrieved) t))))
  (let ((bad-hosts (let* ((--cl-var-- (quote ("https://wrong.host.badssl.com/" 
"https://self-signed.badssl.com/"))) (bad nil) (--cl-var-- nil)) (while (consp 
--cl-var--) (setq bad (car --cl-var--)) (if (condition-case e (url-retrieve bad 
...) (error nil)) (progn (setq --cl-var-- ...))) (setq --cl-var-- (cdr 
--cl-var--))) (nreverse --cl-var--)))) (if bad-hosts (error (format "tls 
misconfigured; retrieved %s ok" bad-hosts)) (url-retrieve "https://badssl.com" 
(function (lambda (retrieved) t)))))
  eval-region(192 615 t #[257 "\300\242b\210\301\207" [(615) (let ((bad-hosts 
(let* ((--cl-var-- ...) (bad nil) (--cl-var-- nil)) (while (consp --cl-var--) 
(setq bad ...) (if ... ...) (setq --cl-var-- ...)) (nreverse --cl-var--)))) (if 
bad-hosts (error (format "tls misconfigured; retrieved %s ok" bad-hosts)) 
(url-retrieve "https://badssl.com" (function (lambda (retrieved) t)))))] 2 
"\n\n(fn IGNORE)"])  ; Reading at buffer position 615
  eval-defun-2()
  eval-defun(nil)
  call-interactively(eval-defun nil nil)
  command-execute(eval-defun)

In other words, by default, with Emacs 24.5 in Debian stretch right now,
visiting self-signed or hijacked certificates will yield no warning at
all.

Therefore, I currently have the following snippet in my .emacs to fix
X509 certification validation:

;; make sure we check against trusted X509 roots
;; requires python-certifi
;; see https://glyph.twistedmatrix.com/2015/11/editor-malware.html
(when (< emacs-major-version 25)
  (let ((trustfile
         (replace-regexp-in-string
          "\\\\" "/"
          (replace-regexp-in-string
           "\n" ""
           (shell-command-to-string "python -m certifi")))))
    (setq tls-program
          (list
           (format "gnutls-cli%s --x509cafile %s -p %%p %%h"
                   (if (eq window-system 'w32) ".exe" "") trustfile)))
    (setq gnutls-verify-error t)
    (setq gnutls-trustfiles (list trustfile))
    (setq gnutls-log-level 2)
    (setq tls-checktrust t)
    ;; disable builtin gnutls support completely, as it fails on checks:
    ;; http://emacs.stackexchange.com/a/18610
    (defun user/disable-gnutls (f &rest args) nil)
    (advice-add 'gnutls-available-p :around #'user/disable-gnutls)))

Emacs 25 doesn't have this problem: certificate validation works fine
there. Or, to be more accurate, it yields a warning like this:

Certificate information
Issued by:          *.badssl.com
Issued to:          BadSSL 
Hostname:           *.badssl.com
Public key:         RSA, signature: RSA-SHA256
Protocol:           TLS1.2, key: ECDHE-RSA, cipher: AES-128-GCM, mac: AEAD
Security level:     Medium
Valid:              From 2016-08-08 to 2018-08-08
       
        
The TLS connection to self-signed.badssl.com:443 is insecure for the
following reasons:
         
certificate signer was not found (self-signed)
the certificate was signed by an unknown and therefore untrusted authority
certificate could not be verified
                 
Continue connecting? (No, Session-only, Always)
  
I am not sure what changed between Emacs 24 and 25, but it seems to me
Emacs 24 should absolutely be fixed before Stretch is released, or just
be removed from stretch.

A.
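
The settings in the .emacs snippet above can be checked without opening a connection. The following audit function is an added example, not code from the original message; `my/tls-audit` and `my/tls-audit-session` are hypothetical names, and the inputs at the end are constructed.

```elisp
;; Added example, not part of the original message.
;; `my/tls-audit' and `my/tls-audit-session' are hypothetical names.

(defun my/tls-audit (programs verify-error checktrust trustfiles)
  "Return a list of strings describing weak TLS settings, or nil if none.
PROGRAMS, VERIFY-ERROR, CHECKTRUST and TRUSTFILES take the values of
`tls-program', `gnutls-verify-error', `tls-checktrust' and `gnutls-trustfiles'."
  (let (findings)
    ;; Only gnutls-cli command lines are inspected; other programs pass through.
    (dolist (cmd programs)
      (cond
       ((string-match-p "--insecure" cmd)
        (push (format "tls-program disables validation: %s" cmd) findings))
       ((and (string-match-p "gnutls-cli" cmd)
             (not (string-match-p "--x509cafile[ =]" cmd)))
        (push (format "tls-program names no trust file: %s" cmd) findings))))
    (unless verify-error
      (push "gnutls-verify-error is nil" findings))
    (unless (eq checktrust t)
      (push (format "tls-checktrust is %S, not t" checktrust) findings))
    (if (null trustfiles)
        (push "gnutls-trustfiles is empty" findings)
      (dolist (file trustfiles)
        (unless (file-readable-p file)
          (push (format "trust file not readable: %s" file) findings))))
    (nreverse findings)))

(defun my/tls-audit-session ()
  "Audit the TLS variables of the running Emacs session."
  (my/tls-audit (bound-and-true-p tls-program)
                (bound-and-true-p gnutls-verify-error)
                (bound-and-true-p tls-checktrust)
                (bound-and-true-p gnutls-trustfiles)))

;; Constructed inputs: a permissive setup, then the shape of the snippet above.
(let ((trustfile (make-temp-file "cacert")))   ; stand-in for the certifi bundle
  (unwind-protect
      (progn
        (message "weak:     %S"
                 (my/tls-audit '("gnutls-cli --insecure -p %p %h") nil nil nil))
        (message "hardened: %S"
                 (my/tls-audit
                  (list (format "gnutls-cli --x509cafile %s -p %%p %%h" trustfile))
                  t t (list trustfile))))
    (delete-file trustfile)))
```

Evaluating `(my/tls-audit-session)` after loading the init file reports the same findings for the live configuration; a clean result says the variables are set, not that a handshake against a bad certificate fails.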
