Reiner Steib <[EMAIL PROTECTED]> writes: >> Then, someone should correct the code to support passing trust anchors, >> allow passing the verify value, and document capabilities and >> limitations. > > Gnus currently uses starttls if starttls and gnutls-cli are available > for backward compatibility. > > Would it make sense to prefer gnutls-cli and warn when using starttls > (if gnutls-cli is not installed)?
It would make sense to fix the tools first, and stop using them in unsafe ways. I recently found on Cygwin, when setting up Emacs+Gnus, that gnutls-cli (2.4.2 IIRC) has some subtle "accept b0rked cert chain" behaviour: it would happily accept any garbage^Wuntrusted certificate chain without notice -- when I'm not using "--x509cafile FOO" on the command line. This isn't documented anywhere (manual, manpage, --help), I found this out through systematic testing. I find this most disturbing, since if I don't provide a set of trusted X.509 CA certs, I trust nobody (rather than everybody as gnutls-cli does)... gnutls-cli should bail out if it has no trusted root certificates, rather than silently trust everyone. Go figure - there's a difference between giving "--x509cafile /dev/null" and not giving this option at all. :-( While I'm at it, from the end user's perspective, I find it very hard to figure what options I need for a proper configuration that doesn't use b0rked protocols such as SSLv2, that uses proper X.509 certificate validation to detect MITM attacks. Few applications except Firefox 3 get that right, and I couldn't tell one off-hand. I think that EVERY tool that has a remotely security-related context should default to bulletproof mode and require that the user relaxes every test explicitly. Yes, I need to do homework here, fetchmail doesn't get this right either... compatibility and all that. So I'd say make Gnus default to gnutls-cli and change the sample configuration to include --x509cafile and add instructions to the defcustom blah self-documentation telling the user to cat(1) his trusted ROOT certificates (in PEM format) together to form this file. -- Matthias Andree -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
