GNU bug report logs - #29977
gnutls-verify-error does not allow matching hostnames

Package: emacs;

Reported by: Robert Pluim <rpluim <at> gmail.com>

Date: Thu, 4 Jan 2018 15:19:01 UTC

Severity: normal

Tags: fixed

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 29977 in the body.
You can then email your comments to 29977 AT debbugs.gnu.org in the normal way.


Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#29977; Package emacs. (Thu, 04 Jan 2018 15:19:01 GMT)

Message #3 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Robert Pluim <rpluim <at> gmail.com>
To: bug-gnu-emacs <at> gnu.org
Cc: Ted Zlatanov <tzz <at> lifelogs.com>
Subject: gnutls-verify-error does not allow matching hostnames
Date: Thu, 04 Jan 2018 16:17:54 +0100
(this is emacs-26)

Given a gnutls-verify-error of

'(("news.gmane.org" nil)
  (".*" (:trustfiles :hostname)))

gnutls-boot-parameters will always use (:trustfiles :hostname) even
though the intent is to turn off verification for news.gmane.org.
Proposed patch converts this to first-match, which I think matches the
intent of the variable.

[0001-Change-gnutls-verify-error-to-be-first-match.patch (text/x-patch, inline)]
From 2935008e42d956607bf1893ea6507db6202b3eb1 Mon Sep 17 00:00:00 2001
From: Robert Pluim <rpluim <at> gmail.com>
Date: Thu, 4 Jan 2018 16:12:47 +0100
Subject: [PATCH] Change gnutls-verify-error to be first-match

* lisp/net/gnutls.el (gnutls-boot-parameters): Convert to
first-match for gnutls-verify-error rather than any-match
---
 lisp/net/gnutls.el | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 5afd5c5804..c8f4824b53 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -282,13 +282,9 @@ gnutls-log-level
                              t)
                             ;; if a list, look for hostname matches
                             ((listp gnutls-verify-error)
-                             (apply 'append
-                                    (mapcar
-                                     (lambda (check)
-                                       (when (string-match (nth 0 check)
-                                                           hostname)
-                                         (nth 1 check)))
-                                     gnutls-verify-error)))
+                             (cadr (cl-find-if #'(lambda (x)
+                                                   (string-match (car x) hostname))
+                                               gnutls-verify-error)))
                             ;; else it's nil
                             (t nil))))
          (min-prime-bits (or min-prime-bits gnutls-min-prime-bits)))
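Review bot: replacing the `apply 'append` / `mapcar` accumulation with `cadr` of `cl-find-if` silently changes the result for any existing gnutls-verify-error list in which a host matches more than one entry: the flags used to be the union of all matching entries and are now only those of the first. A configuration that relied on a later catch-all entry to add :trustfiles or :hostname to an earlier, more specific one loses those checks without warning, so the commit message should state the behaviour change and the variable's docstring should say that order matters. Minor: `string-match-p` would avoid clobbering the match data in the predicate, and the `#'` in front of `lambda` is redundant.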
-- 
2.16.0.rc0
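
The resolution change described in the report above, as an added Emacs Lisp example (not code from the report or from gnutls.el). The `my/` function and variable names are hypothetical, the two resolvers mirror the removed and added expressions, and the anchored rule list and the third hostname are constructed.

```elisp
;; Added example, not part of gnutls.el.  All my/ names are hypothetical.
(require 'cl-lib)

(defun my/verify-flags-any-match (rules hostname)
  "Pre-patch resolution: append the FLAGS of every entry in RULES matching HOSTNAME."
  (apply #'append
         (mapcar (lambda (check)
                   (when (string-match-p (nth 0 check) hostname)
                     (nth 1 check)))
                 rules)))

(defun my/verify-flags-first-match (rules hostname)
  "Post-patch resolution: FLAGS of the first entry in RULES matching HOSTNAME."
  (cadr (cl-find-if (lambda (x) (string-match-p (car x) hostname))
                    rules)))

;; The gnutls-verify-error value given in the report.
(defvar my/rules-from-report
  '(("news.gmane.org" nil)
    (".*" (:trustfiles :hostname))))

;; Constructed variant: same intent, but the exception is anchored with
;; \` and \' and its dots are escaped, so it matches that one name only.
(defvar my/rules-anchored
  '(("\\`news\\.gmane\\.org\\'" nil)
    (".*" (:trustfiles :hostname))))

(defun my/compare (hostname)
  "Return the flags each resolver and rule list yields for HOSTNAME."
  (list hostname
        :any-match (my/verify-flags-any-match my/rules-from-report hostname)
        :first-match (my/verify-flags-first-match my/rules-from-report hostname)
        :first-match-anchored (my/verify-flags-first-match my/rules-anchored
                                                           hostname)))

;; Constructed hostnames: the exception itself, an unrelated host, and a
;; longer name that merely contains the exception's pattern.
(mapcar #'my/compare
        '("news.gmane.org" "example.org" "news.gmane.org.example.net"))
```

Evaluating the last form shows that first-match gives news.gmane.org the empty flag list the report asks for, and that the unanchored rule gives the same empty list to the longer hostname, while the anchored rule list keeps (:trustfiles :hostname) for it.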


Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#29977; Package emacs. (Fri, 13 Apr 2018 12:25:02 GMT)

Message #6 received at 29977 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Robert Pluim <rpluim <at> gmail.com>
Cc: 29977 <at> debbugs.gnu.org, Ted Zlatanov <tzz <at> lifelogs.com>
Subject: Re: bug#29977: gnutls-verify-error does not allow matching hostnames
Date: Fri, 13 Apr 2018 14:24:44 +0200
Robert Pluim <rpluim <at> gmail.com> writes:

> gnutls-boot-parameters will always use (:trustfiles :hostname) even
> though the intent is to turn off verification for news.gmane.org.
> Proposed patch converts this to first-match, which I think matches the
> intent of the variable.

Yes, that makes sense, I think.  I've now applied the patch to Emacs
27.1.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Added tag(s) fixed. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Fri, 13 Apr 2018 12:25:02 GMT)

bug closed, send any further explanations to 29977 <at> debbugs.gnu.org and Robert Pluim <rpluim <at> gmail.com> Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Fri, 13 Apr 2018 12:25:03 GMT)

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#29977; Package emacs. (Fri, 13 Apr 2018 12:33:02 GMT)

Message #13 received at 29977 <at> debbugs.gnu.org (full text, mbox):

From: Robert Pluim <rpluim <at> gmail.com>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: 29977 <at> debbugs.gnu.org, Ted Zlatanov <tzz <at> lifelogs.com>
Subject: Re: bug#29977: gnutls-verify-error does not allow matching hostnames
Date: Fri, 13 Apr 2018 14:31:58 +0200
Lars Ingebrigtsen <larsi <at> gnus.org> writes:

> Robert Pluim <rpluim <at> gmail.com> writes:
>
>> gnutls-boot-parameters will always use (:trustfiles :hostname) even
>> though the intent is to turn off verification for news.gmane.org.
>> Proposed patch converts this to first-match, which I think matches the
>> intent of the variable.
>
> Yes, that makes sense, I think.  I've now applied the patch to Emacs
> 27.1.

Did we want something like this on top? I doubt this warrants a NEWS
entry, as the previous behaviour was never documented :-)

2018-04-13  Robert Pluim  <rpluim <at> gmail.com>

	* lisp/net/gnutls.el (gnutls-verify-error): Mention that the
	matching is first-match.


diff --git i/lisp/net/gnutls.el w/lisp/net/gnutls.el
index 85c9308c0d..a9ee6ebfaf 100644
--- i/lisp/net/gnutls.el
+++ w/lisp/net/gnutls.el
@@ -61,9 +61,9 @@ gnutls-verify-error
    ((HOST-REGEX FLAGS...) (HOST-REGEX FLAGS...) ...)
 
 where each HOST-REGEX is a regular expression to be matched
-against the hostname, and FLAGS is either t or a list of
-one or more verification flags.  The supported flags and the
-corresponding conditions to be tested are:
+against the hostname, on a first-match basis, and FLAGS is either
+t or a list of one or more verification flags.  The supported
+flags and the corresponding conditions to be tested are:
 
   :trustfiles -- certificate must be issued by a trusted authority.
   :hostname   -- hostname must match presented certificate's host name.
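
Review bot: "on a first-match basis" in the added docstring lines does not spell out the consequence, and the same sentence still describes FLAGS as "either t or a list of one or more verification flags" although the configuration that motivated the change uses nil to turn verification off for one host. Suggest saying that the first entry whose HOST-REGEX matches supplies FLAGS and all later entries are ignored, that specific hosts therefore belong before a catch-all such as ".*", and that nil is an accepted FLAGS value with the effect shown in the report.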




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#29977; Package emacs. (Fri, 13 Apr 2018 12:46:02 GMT)

Message #16 received at 29977 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: 29977 <at> debbugs.gnu.org
Cc: Ted Zlatanov <tzz <at> lifelogs.com>
Subject: Re: bug#29977: gnutls-verify-error does not allow matching hostnames
Date: Fri, 13 Apr 2018 14:44:55 +0200
Robert Pluim <rpluim <at> gmail.com> writes:

> Did we want something like this on top? I doubt this warrants a NEWS
> entry, as the previous behaviour was never documented :-)
>
> 2018-04-13  Robert Pluim  <rpluim <at> gmail.com>
>
> 	* lisp/net/gnutls.el (gnutls-verify-error): Mention that the
> 	matching is first-match.

Yup; applied.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 12 May 2018 11:24:07 GMT)

This bug report was last modified 5 years and 350 days ago.
