[gnutls-devel] TLS connection improperly terminated

Eli Zaretskii eliz at gnu.org
Thu Jul 30 04:41:59 CEST 2015

> From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
> Cc: rustompmody at gmail.com, bugs at gnutls.org
> Date: Wed, 29 Jul 2015 17:24:53 -0400
> >> So this is a non-fatal warning that is reported back to emacs?  how is
> >> emacs invoking gnutls here?
> >
> > Not sure what you want to hear in response.  As you well know,
> > invoking GnuTLS involves an elaborate setup, which calls many
> > different GnuTLS functions.  The function that actually fails is
> > gnutls_handshake, I think.
> You're saying that gnutls_handshake fails, but the application continues
> to use the network connection?

Maybe.  As I mentioned, I cannot reproduce the problem on my machine,
so I was guessing by looking at the sources.  If someone who can
reproduce the problem could turn on all the logs in Emacs's gnutls.c
and show the results, we might have a better idea. 

> I think the description of the situation is:
> GnuTLS reports a warning/error about a certificate validation to the
> application, and the application decides to continue with the connection
> anyway, which seems like it is probably insecure.  Is that right?
> I see two approaches: the application can close the connection when it
> sees that warning/error, or GnuTLS can terminate the connection for the
> user (effectively changing its interface contract, which has
> implications for other users of the library).  I can see (good)
> arguments for the latter, but the former might be easier to accomplish.

Please don't forget the fact that on my system I fetch the list from
marmalade without any error messages.  So I think we don't even
understand sufficiently well why is the message issued.

More information about the Gnutls-devel mailing list