gnutls tofu support? or even --insecure?
From: Nix
Subject: gnutls tofu support? or even --insecure?
Date: Tue, 11 Aug 2015 13:11:37 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)

So GnuTLS 3.2.21 has randomly (as in, I haven't updated it or touched
anything) started rejecting all connections to my work mailserver with
an apparently totally spurious certificate validation error:
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
(when it's a perfectly normal Verisign cert in my certificate store, as
far as I can tell).
Life is *far* too short to figure out why this is (the whole thing is
happening over a VPN anyway, I trust this connection! I just can't tell
GnuTLS that!), so the thing that will save me is apparently --tofu,
though I'd be happy enough with --insecure. Unfortunately I can't get
Gnus to use either of these -- when (gnutls-available-p),
starttls-extra-arguments is ignored, as is tls-program, leaving me
forced to hack at gnutls.c if I want to read my work email any more. (I
find this somewhat unsatisfactory!)
Toke wrote a patch back in October of last year which implemented TOFU,
but now it doesn't remotely apply:
<https://lists.gnu.org/archive/html/emacs-devel/2014-10/msg00250.html>.
Does anyone know what happened to it? It doesn't seem to have been
applied, though it was applauded by several and adds a feature not
available in any other way (and a way of working *far* preferable to
trusting certificate authorities with anything ever).
I may have to reimplement it :)
--
NULL && (void)