GNU bug report logs - #28458
26.0.50; Does Emacs support SAN (subject alternate names)?


Package: emacs;

Reported by: Lars Ingebrigtsen <larsi <at> gnus.org>

Date: Thu, 14 Sep 2017 12:20:02 UTC

Severity: normal

Tags: notabug, security

Found in version 26.0.50

Done: Noam Postavsky <npostavs <at> users.sourceforge.net>

Bug is archived. No further changes may be made.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#28458; Package emacs. (Thu, 14 Sep 2017 12:20:02 GMT)

Acknowledgement sent to Lars Ingebrigtsen <larsi <at> gnus.org>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Thu, 14 Sep 2017 12:20:04 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: bug-gnu-emacs <at> gnu.org
Subject: 26.0.50; Does Emacs support SAN (subject alternate names)?
Date: Thu, 14 Sep 2017 14:19:19 +0200

I've been seeing some warnings about invalid TLS certificates lately
that seem kinda unlikely.  I mean, it's from major sites that shouldn't
have broken TLS certificates.  And the error is always that the host
name doesn't match the name of the certificate.

Which made me wonder: Does gnutls.c support SAN (subject alternate
names), which is a way to list oodles of host names in a single
certificate?  I can't find any mention of this in the code...

I'll try to get a test case going, but this bug report is mainly to
remind myself not to forget this again, which I've done the previous
dozen times this has happened.


In GNU Emacs 26.0.50 (build 7, x86_64-pc-linux-gnu, GTK+ Version 3.22.11)
 of 2017-09-13 built on mouse
Repository revision: bdb71dea4a478115bde5c8260f228613d6717157
Windowing system distributor 'The X.Org Foundation', version 11.0.11903000
System Description:	Ubuntu 17.04


-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no





Added tag(s) security. Request was from Glenn Morris <rgm <at> gnu.org> to control <at> debbugs.gnu.org. (Thu, 14 Sep 2017 15:29:01 GMT)

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#28458; Package emacs. (Mon, 18 Sep 2017 12:47:01 GMT)

Message #10 received at 28458 <at> debbugs.gnu.org:

From: Robert Pluim <rpluim <at> gmail.com>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: 28458 <at> debbugs.gnu.org
Subject: Re: bug#28458: 26.0.50; Does Emacs support SAN (subject alternate names)?
Date: Mon, 18 Sep 2017 14:46:36 +0200

Lars Ingebrigtsen <larsi <at> gnus.org> writes:

> I've been seeing some warnings about invalid TLS certificates lately
> that seem kinda unlikely.  I mean, it's from major sites that shouldn't
> have broken TLS certificates.  And the error is always that the host
> name doesn't match the name of the certificate.
>
> Which made me wonder: Does gnutls.c support SAN (subject alternate
> names), which is a way to list oodles of host names in a single
> certificate?  I can't find any mention of this in the code...
>

Good question. Example sites/certificates? (I have a vague memory of
there being more than one way to do SAN, perhaps we're looking at the
wrong field)

Regards

Robert




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#28458; Package emacs. (Mon, 18 Sep 2017 12:53:01 GMT)

Message #13 received at 28458 <at> debbugs.gnu.org:

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Robert Pluim <rpluim <at> gmail.com>
Cc: 28458 <at> debbugs.gnu.org
Subject: Re: bug#28458: 26.0.50; Does Emacs support SAN (subject alternate names)?
Date: Mon, 18 Sep 2017 14:52:05 +0200

Robert Pluim <rpluim <at> gmail.com> writes:

> Good question. Example sites/certificates? (I have a vague memory of
> there being more than one way to do SAN, perhaps we're looking at the
> wrong field)

https://1000-sans.badssl.com/

has a lot of SANs.  :-)

Of course, after reporting this bug, it hasn't happened once to me
afterwards (that Emacs has claimed that it can't verify a certificate
due to a bad host name), so I've been unable to pursue this (possible)
issue any further...

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#28458; Package emacs. (Mon, 18 Sep 2017 13:09:02 GMT)

Message #16 received at 28458 <at> debbugs.gnu.org:

From: Robert Pluim <rpluim <at> gmail.com>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: 28458 <at> debbugs.gnu.org
Subject: Re: bug#28458: 26.0.50; Does Emacs support SAN (subject alternate names)?
Date: Mon, 18 Sep 2017 15:07:54 +0200

Lars Ingebrigtsen <larsi <at> gnus.org> writes:

> Robert Pluim <rpluim <at> gmail.com> writes:
>
>> Good question. Example sites/certificates? (I have a vague memory of
>> there being more than one way to do SAN, perhaps we're looking at the
>> wrong field)
>
> https://1000-sans.badssl.com/
>
> has a lot of SANs.  :-)
>

Yes, but that one works fine for me :-)

> Of course, after reporting this bug, it hasn't happened once to me
> afterwards (that Emacs has claimed that it can't verify a certificate
> due to a bad host name), so I've been unable to pursue this (possible)
> issue any further...

I've just re-read
<https://tools.ietf.org/html/rfc5280#section-4.2.1.6> and it looks
like there is ample scope for getting things wrong there....

Regards

Robert




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#28458; Package emacs. (Tue, 19 Sep 2017 11:55:01 GMT)

Message #19 received at 28458 <at> debbugs.gnu.org:

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Robert Pluim <rpluim <at> gmail.com>
Cc: 28458 <at> debbugs.gnu.org
Subject: Re: bug#28458: 26.0.50; Does Emacs support SAN (subject alternate names)?
Date: Tue, 19 Sep 2017 13:54:06 +0200

Finally, I got one of these warnings on a web site:

`M-x eww RET
http://media.boingboing.net/wp-content/uploads/2017/01/Autonomous_Design20by20Will20Staehle.jpg RET'

But!  It looks like this is a genuine error: Firefox gives the same
warning...  So perhaps this isn't an issue after all?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no





Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#28458; Package emacs. (Tue, 19 Sep 2017 12:24:02 GMT)

Message #22 received at 28458 <at> debbugs.gnu.org:

From: Robert Pluim <rpluim <at> gmail.com>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: Robert Pluim <rpluim <at> gmail.com>, 28458 <at> debbugs.gnu.org
Subject: Re: bug#28458: 26.0.50; Does Emacs support SAN (subject alternate names)?
Date: Tue, 19 Sep 2017 14:22:57 +0200

Lars Ingebrigtsen <larsi <at> gnus.org> writes:

> Finally, I got one of these warnings on a web site:
>
> `M-x eww RET
> http://media.boingboing.net/wp-content/uploads/2017/01/Autonomous_Design20by20Will20Staehle.jpg RET'
>
> But!  It looks like this is a genuine error: Firefox gives the same
> warning...  So perhaps this isn't an issue after all?

Also: that http URL redirects to https. If you access the https
version directly, it uses a different certificate than the redirected
one. Neither eww nor chrome complain about the non-redirected one.

Regards

Robert




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#28458; Package emacs. (Wed, 29 Nov 2017 02:35:02 GMT)

Message #25 received at 28458 <at> debbugs.gnu.org:

From: Noam Postavsky <npostavs <at> users.sourceforge.net>
To: Robert Pluim <rpluim <at> gmail.com>
Cc: Lars Ingebrigtsen <larsi <at> gnus.org>, 28458 <at> debbugs.gnu.org
Subject: Re: bug#28458: 26.0.50; Does Emacs support SAN (subject alternate names)?
Date: Tue, 28 Nov 2017 21:33:55 -0500

# not an Emacs bug
tags 28458 notabug
close 28458
quit

Robert Pluim <rpluim <at> gmail.com> writes:

> Lars Ingebrigtsen <larsi <at> gnus.org> writes:
>
>> Finally, I got one of these warnings on a web site:
>>
>> `M-x eww RET
>> http://media.boingboing.net/wp-content/uploads/2017/01/Autonomous_Design20by20Will20Staehle.jpg RET'
>>
>> But!  It looks like this is a genuine error: Firefox gives the same
>> warning...  So perhaps this isn't an issue after all?
>
> Also: that http URL redirects to https. If you access the https
> version directly, it uses a different certificate than the redirected
> one. Neither eww nor chrome complain about the non-redirected one.

Seems to be fixed on the remote end now.




Added tag(s) notabug. Request was from Noam Postavsky <npostavs <at> users.sourceforge.net> to control <at> debbugs.gnu.org. (Wed, 29 Nov 2017 02:35:02 GMT)

bug closed, send any further explanations to 28458 <at> debbugs.gnu.org and Lars Ingebrigtsen <larsi <at> gnus.org> Request was from Noam Postavsky <npostavs <at> users.sourceforge.net> to control <at> debbugs.gnu.org. (Wed, 29 Nov 2017 02:35:03 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 27 Dec 2017 12:24:06 GMT)
