bug-gnu-emacs
From: Lars Magne Ingebrigtsen
Subject: bug#23027: 25.1.50; Emacs refuses to talk to eternal-september because they now use an MD5 certificate, apparently
Date: Sun, 24 Apr 2016 16:03:40 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1.50 (gnu/linux)

Lars Magne Ingebrigtsen <larsi@gnus.org> writes:

> Here's an easy test case:
>
> (open-network-stream
>  "nntpd" (get-buffer-create "*foo*")
>  "news.eternal-september.org" "nntp"
>  :type 'starttls
>  :end-of-command "^\\([2345]\\|[.]\\).*\n"
>  :capability-command "HELP\r\n"
>  :success "^3"
>  :starttls-function
>  (lambda (capabilities)
>    (if (not (string-match "STARTTLS" capabilities))
>        nil
>      "STARTTLS\r\n")))
>
> First of all, I think the error message is lacking.  It should say more
> about what's failing.

I've now fixed this...

> As to the bug -- gnutls by default now refuses to deal with MD5
> certificates.  We could override that, and instead let the network
> security manager notify the user that the connection isn't safe.

This apparently has nothing to do with MD5?  Included below is what
s_client says about the TLS connection.  It's ECDSA...

Hm...  but there is a self signed certificate in the chain.  Uhm...
using GNUTLS_VERIFY_DISABLE_CA_SIGN doesn't help, I still get
GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM.  Hm...

Is it possible that the gnutls installation is just too old or
something?  Weird.

[larsi@stories /usr/include/gnutls]$ openssl s_client -connect news.eternal-september.org:nntps
CONNECTED(00000003)
depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=news.eternal-september.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
 1 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
Server certificate
subject=/CN=news.eternal-september.org
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
No client certificate CA names sent
---
SSL handshake has read 4358 bytes and written 416 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4086 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 79FA1DD8A295D1D96475BE1818E88C3C28059A074AA8B743871B48243C203072
    Session-ID-ctx: 
    Master-Key: 156AF5671933E472B5B2E5ACAED0FB40B6F4EE997F9F2DABA13F548E9B64DB4565C4FD9B7D9539AF0D7A77B64E3942F4
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1461506257
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
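An added example, not code from this bug report or from Emacs or GnuTLS: the message starts from the hypothesis that the chain is MD5-signed, and the quickest way to confirm or rule that out is to read the signatureAlgorithm OID out of each certificate that s_client prints. The Python below does that with a minimal DER walker and no third-party library; the sample certificate bytes are constructed to exercise the parser and are not a real certificate.

```python
import base64

OID_NAMES = {  # signature-algorithm OIDs commonly seen in certificate chains
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Dotted OID from the outer signatureAlgorithm field of a DER certificate."""
    _, pos, _ = read_tlv(der, 0)        # Certificate SEQUENCE: descend into it
    _, _, pos = read_tlv(der, pos)      # tbsCertificate: skip over it entirely
    _, pos, _ = read_tlv(der, pos)      # signatureAlgorithm: an AlgorithmIdentifier SEQUENCE
    tag, pos, end = read_tlv(der, pos)  # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER, got tag 0x%02x" % tag)
    return decode_oid(der[pos:end])

def check_pem(pem):
    """(algorithm name, is_weak) for one PEM block as printed by `openssl s_client -showcerts`."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    oid = signature_algorithm(base64.b64decode(body))
    name = OID_NAMES.get(oid, oid)
    return name, name in WEAK

# Constructed test input, not a real certificate: the minimal DER skeleton the parser needs
# (tbsCertificate = INTEGER 1, signatureAlgorithm = md5WithRSAEncryption, dummy signature).
SAMPLE_MD5_DER = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d0101040500" "030200ff")
SAMPLE_MD5_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
    base64.b64encode(SAMPLE_MD5_DER).decode())
```

To check a live server, paste each PEM block that `openssl s_client -showcerts -connect host:port` prints into `check_pem`; an MD5 or SHA-1 result on any certificate in the chain is what a modern GnuTLS will refuse.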