[gnutls-devel] TLS connection improperly terminated
Eli Zaretskii
eliz at gnu.org
Thu Jul 30 04:41:59 CEST 2015
> From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
> Cc: rustompmody at gmail.com, bugs at gnutls.org
> Date: Wed, 29 Jul 2015 17:24:53 -0400
>
> >> So this is a non-fatal warning that is reported back to emacs? how is
> >> emacs invoking gnutls here?
> >
> > Not sure what you want to hear in response. As you well know,
> > invoking GnuTLS involves an elaborate setup, which calls many
> > different GnuTLS functions. The function that actually fails is
> > gnutls_handshake, I think.
>
> You're saying that gnutls_handshake fails, but the application continues
> to use the network connection?
Maybe. As I mentioned, I cannot reproduce the problem on my machine,
so I was guessing by looking at the sources. If someone who can
reproduce the problem could turn on all the logs in Emacs's gnutls.c
and show the results, we might have a better idea.
> I think the description of the situation is:
>
> GnuTLS reports a warning/error about a certificate validation to the
> application, and the application decides to continue with the connection
> anyway, which seems like it is probably insecure. Is that right?
>
> I see two approaches: the application can close the connection when it
> sees that warning/error, or GnuTLS can terminate the connection for the
> user (effectively changing its interface contract, which has
> implications for other users of the library). I can see (good)
> arguments for the latter, but the former might be easier to accomplish.
Please don't forget the fact that on my system I fetch the list from
marmalade without any error messages. So I think we don't even
understand sufficiently well why the message is issued.
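Added example, not code from this thread, from Emacs's gnutls.c or from GnuTLS: the first of the two approaches above (the application closes the connection when the handshake or certificate check fails), written against Python's standard-library ssl module as a stand-in for the GnuTLS calls so it runs without extra libraries. With ssl.create_default_context() the handshake verifies the peer's certificate chain and hostname, and a verification failure raises ssl.SSLCertVerificationError, which takes the same path as any other handshake failure: the socket is closed and the caller never receives a connection to keep using. The loopback peer that answers in plain text is constructed for the demonstration; the hostname "example.test" is a placeholder.

```python
"""Fail-closed TLS client connect (added example, Python stdlib only)."""
import socket
import ssl
import threading


def tls_connect_fail_closed(host, port, *, server_hostname, context=None, timeout=5.0):
    """Connect over TCP, run the TLS handshake, and return the TLS socket only
    if the handshake succeeded.

    With ssl.create_default_context() the handshake verifies the peer's
    certificate chain and hostname; a verification failure surfaces as
    ssl.SSLCertVerificationError (a subclass of ssl.SSLError / OSError), so it
    takes the same path as any other handshake failure: the socket is closed
    and the error propagates. The caller never gets a socket whose handshake
    or certificate check failed.
    """
    if context is None:
        context = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return context.wrap_socket(raw, server_hostname=server_hostname)
    except OSError:
        # wrap_socket closes the socket it took over when the handshake fails;
        # closing `raw` again is harmless and also covers errors raised before
        # the file descriptor was handed over.
        raw.close()
        raise


def attempt(host, port, server_hostname="example.test"):
    """Convenience wrapper: ("ok", tls_socket) or ("refused", reason)."""
    try:
        tls = tls_connect_fail_closed(host, port, server_hostname=server_hostname)
    except ssl.SSLError as e:
        return ("refused", "tls: " + (e.reason or type(e).__name__))
    except OSError as e:
        return ("refused", "socket: " + type(e).__name__)
    return ("ok", tls)


def start_plaintext_peer(payload=b"HTTP/1.0 200 OK\r\n\r\nnot tls\r\n"):
    """Constructed loopback peer for the demo: accepts one TCP connection,
    reads the client's ClientHello and answers in plain text. A TLS client
    must treat this as a failed handshake, not as a usable connection.
    Returns the port the peer listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        try:
            conn.recv(4096)        # the ClientHello
            conn.sendall(payload)  # not a ServerHello
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_plaintext_peer()
    print(attempt("127.0.0.1", port))  # ("refused", "tls: ...")
```

The point of the wrapper is that there is no branch in which a handshake or verification error is logged and the connection is then used anyway; the only way to continue is to obtain a socket from a handshake that completed, and a caller who wants to override verification has to construct an explicit context rather than fall through by accident.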