Hi, Matthias Andree <[EMAIL PROTECTED]> writes:
> Reiner Steib <[EMAIL PROTECTED]> writes: > >>> Then, someone should correct the code to support passing trust anchors, >>> allow passing the verify value, and document capabilities and >>> limitations. >> >> Gnus currently uses starttls if starttls and gnutls-cli are available >> for backward compatibility. >> >> Would it make sense to prefer gnutls-cli and warn when using starttls >> (if gnutls-cli is not installed)? > > It would make sense to fix the tools first, and stop using them in > unsafe ways. > > I recently found on Cygwin, when setting up Emacs+Gnus, that gnutls-cli > (2.4.2 IIRC) has some subtle "accept b0rked cert chain" behaviour: it > would happily accept any garbage^Wuntrusted certificate chain without > notice -- when I'm not using "--x509cafile FOO" on the command line. > This isn't documented anywhere (manual, manpage, --help), I found this > out through systematic testing. > > I find this most disturbing, since if I don't provide a set of trusted > X.509 CA certs, I trust nobody (rather than everybody as gnutls-cli > does)... gnutls-cli should bail out if it has no trusted root > certificates, rather than silently trust everyone. Go figure - there's a > difference between giving "--x509cafile /dev/null" and not giving this > option at all. :-( Maybe I missed the point in Simon's response below because if you are correct (I just don't have gnutls-cli on my laptop to test) that deserves a bug report (and a clarification from Simon): http://article.gmane.org/gmane.linux.debian.devel.bugs.general/493201 > While I'm at it, from the end user's perspective, I find it very hard to > figure what options I need for a proper configuration that doesn't use > b0rked protocols such as SSLv2, that uses proper X.509 certificate > validation to detect MITM attacks. Few applications except Firefox 3 get > that right, and I couldn't tell one off-hand. > > I think that EVERY tool that has a remotely security-related context > should default to bulletproof mode and require that the user relaxes > every test explicitly. > > Yes, I need to do homework here, fetchmail doesn't get this right > either... compatibility and all that. > > So I'd say make Gnus default to gnutls-cli and change the sample > configuration to include --x509cafile and add instructions to the > defcustom blah self-documentation telling the user to cat(1) his trusted > ROOT certificates (in PEM format) together to form this file. +1 (a big one). Cheers, a+ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
