issues with OpenPGP certificate verification
Daniel Kahn Gillmor
dkg-debian.org at fifthhorseman.net
Mon Apr 21 21:13:44 CEST 2008
Thanks for the quick feedback, Nikos.
On Mon 2008-04-21 14:34:35 -0400, Nikos Mavrogiannopoulos wrote:
> Daniel Kahn Gillmor wrote:
>
>> http://trac.gnutls.org/cgi-bin/trac.cgi/ticket/31
>
> Currently gnutls-cli prints:
> # The hostname in the key does NOT match 'goodsite'.
yup. But without --insecure, the appropriate step would be to
terminate the connection, or else you leave the client open to an
unexpected MITM attack.
> However it seems that gnutls-cli is not any more a debugging
> tool. So it is a valid request to fail if the hostname doesn't
> match. (This also doesn't happen in the X.509 certificate case)...
Yikes! i hadn't tested the X.509 case, sorry.
> Simon could there be any issue with this change and gnus that use
> it?
I'm a gnus user, and hadn't realized that such a spoof wouldn't be
caught by gnutls-cli. I'd certainly prefer gnus to fail on a
hostname/certificate mismatch.
>> http://trac.gnutls.org/cgi-bin/trac.cgi/ticket/32
>
> This is a current limitation of the API. If you have some suggestion
> on a verification function, I'd be glad to hear it. I'd be even more
> glad if you offered a patch for it, since it seems my time is quite
> limited lately.
If only we could unlimit all our times! I'll do what i can.
I'm going to propose a snippet of a .h file on the ticket, and if that
seems acceptable to you, then i'll go ahead and try to implement it.
Regards,
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL: </pipermail/attachments/20080421/46f034bd/attachment.pgp>
More information about the Gnutls-devel
mailing list