
No warning when SSL certificate expired #405

Closed
hendursaga opened this issue Nov 22, 2021 · 5 comments

Comments

@hendursaga

A few days into using Circe, all of a sudden I couldn't connect to ZNC, more specifically, over TLS. After a frustrating amount of time, apparently my ZNC provider's SSL certificate expired and nobody noticed. After hanging indefinitely, I set irc-debug-log to t and restarted, which did not show any logs whatsoever, as nothing was connected to at that stage. It would be helpful to alert the user when an SSL certificate is expired or invalid.

@hendursaga (Author)

On a related note, what would be a good workaround, assuming you cannot immediately change over the certs? Could you, say, pin the SSL fingerprints? Or even ignore SSL validation errors entirely?

@wasamasa (Collaborator)

The main difficulty with TLS issues is reproducing them. If you have a recipe how to set up or connect to an existing IRC server with an expired cert, that would help.

Regarding errors, on Emacs 26.1 and newer, make-network-process is used in combination with gnutls-boot-parameters to launch a process using the GnuTLS library. There are intentionally no parameters set to let GnuTLS perform the verification, instead this is done by NSM if available, precisely to display warnings about expired certificates and allow the user to ignore them. What you've described should therefore not happen in the first place and workarounds shouldn't be necessary either.

@hendursaga (Author)

If you have a recipe how to set up or connect to an existing IRC server with an expired cert

Sadly no, not yet, at any rate. My ZNC provider is getting better at catching certificate expirations before they occur, so I'm not sure when's the next time I'd be unintentionally hung from said error...

@hendursaga (Author)

this is done by NSM if available, precisely to display warnings about expired certificates and allow the user to ignore them.

Turns out, Doom sets gnutls-verify-error to t - setting it to nil brings up a prompt and then I can pin my expired cert. You may close this if you want.

@wasamasa (Collaborator)

Interesting, I didn't expect this at all. Yet another example of your Emacs configuration being an unexpected culprit. I see three consequences arising from this:

  • Circe issues should use a minimal config (Evil and Helm offer scripts for reproduction purposes) for reproducibility
  • Doom should be informed about gnutls-verify-error interacting with nsm.el
  • Circe should explicitly bind gnutls-verify-error when using it with nsm.el to guard against this

Therefore I'll keep this open for now.
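The connection path described in the earlier reply (make-network-process with gnutls-boot-parameters, certificate verification delegated to NSM) combined with the third bullet's proposed guard, as an added example that is not Circe's own code. The function name my-open-irc-tls is invented for illustration, and HOST/PORT are placeholders; gnutls-boot-parameters reads the dynamic variable gnutls-verify-error when it builds the parameter list, which is why a let binding around the call is enough to keep a user's global setting (such as Doom's t) from making GnuTLS abort or hang before NSM gets to prompt.

```elisp
;; Added example, not code from Circe.  Opens a TLS connection in the way
;; the issue describes and leaves certificate decisions to NSM.
(require 'gnutls)
(require 'nsm)

(defun my-open-irc-tls (name buffer host port)
  "Connect to HOST:PORT over TLS, delegating certificate checks to NSM.
`gnutls-verify-error' is bound to nil so that `gnutls-boot-parameters'
does not instruct GnuTLS to fail the handshake on an expired or
otherwise invalid certificate; NSM then shows its warning and lets the
user accept or refuse (and optionally pin the fingerprint)."
  (let* ((gnutls-verify-error nil)   ; guard against user config setting it to t
         (proc (make-network-process
                :name name
                :buffer buffer
                :host host
                :service port
                :coding 'no-conversion
                :tls-parameters
                (cons 'gnutls-x509pki
                      (gnutls-boot-parameters
                       :type 'gnutls-x509pki
                       :hostname host)))))
    ;; NSM inspects the certificate and prompts about problems such as
    ;; expiry; it returns nil when the user refuses the connection.
    (or (nsm-verify-connection proc host port)
        (error "Connection to %s:%s refused by NSM" host port))))

;; Usage (placeholders, not a real server):
;; (my-open-irc-tls "irc" "*irc*" "znc.example.invalid" 6697)
```

How strict the prompt is depends on the user's network-security-level; with the default level NSM warns about an expired certificate rather than silently accepting it, which is the behaviour the issue expected and did not get while gnutls-verify-error was t.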

hlissner added a commit to doomemacs/doomemacs that referenced this issue Jun 17, 2022
NSM has better UX when an invalid/expired certificate is encountered: it
prompts the user to decide what to do with it. If gnutls-verify-error is
non-nil, gnutls either kills or hangs the connection. This is (mostly)
acceptable in noninteractive sessions, where I can more tightly control
outgoing connections, but not in interactive sessions where I stand a
higher chance of stepping on the user's toes instead.

Ref: emacs-circe/circe#405