RHEL-5713 (project: RHEL)

Can't override cert verification status by setting gnutls-verify-error to nil

  • Bug
  • Resolution: Not a Bug
  • Undefined
  • rhel-9.1.0
  • emacs
  • rhel-sst-cs-plumbers
  • ssg_core_services

+++ This bug was initially created as a clone of Bug #1990588 +++

Description of problem:
This issue is more or less the exact opposite of BZ#1403643 - using `url-retrieve-synchronously` to fetch a web site with an invalid SSL/TLS certificate doesn't work even when `gnutls-verify-error` is set to `nil`.

Version-Release number of selected component (if applicable):
emacs-26.1-5.el8.x86_64

Steps to Reproduce:
```
# cat >script <<EOF
(require 'gnutls)
(setq gnutls-log-level 2)
(setq gnutls-verify-error nil)
(url-retrieve-synchronously "https://self-signed.badssl.com")
EOF
# emacs -Q --script script
```

Actual results:
```
# emacs -Q --script script
Contacting host: self-signed.badssl.com:443
gnutls.c: [1] (Emacs) connecting to host: self-signed.badssl.com
gnutls.c: [1] (Emacs) allocating credentials
gnutls.c: [2] (Emacs) allocating x509 credentials
gnutls.c: [2] (Emacs) using default verification flags
<...snip...>
gnutls.c: [2] p11: No login requested.
gnutls.c: [1] (Emacs) verification: the certificate was signed by an unknown and therefore untrusted authority
gnutls.c: [1] (Emacs) verification: certificate could not be verified
gnutls.c: [1] (Emacs) certificate validation failed: self-signed.badssl.com
gnutls.c: [2] (Emacs) Deallocating x509 credentials
Could not create connection to self-signed.badssl.com:443
# echo $?
255
```

Expected results:
```
# RHEL 7 (emacs-24.3-23.el7.x86_64)
# emacs -Q --script script
Contacting host: self-signed.badssl.com:443
gnutls.c: [2] called the deprecated gnutls_global_set_mem_functions()
gnutls.c: [1] (Emacs) allocating credentials
gnutls.c: [2] (Emacs) allocating x509 credentials
gnutls.c: [2] (Emacs) using default verification flags
gnutls.c: [1] (Emacs) setting the trustfile: /etc/pki/tls/certs/ca-bundle.crt
gnutls.c: [1] (Emacs) gnutls callbacks
gnutls.c: [1] (Emacs) gnutls_init
gnutls.c: [1] (Emacs) got non-default priority string: NORMAL
<...snip...>
gnutls.c: [1] (Emacs) non-fatal error: Resource temporarily unavailable, try again.
gnutls.c: [1] (Emacs) non-fatal error: Resource temporarily unavailable, try again.
gnutls.c: [1] (Emacs) non-fatal error: Resource temporarily unavailable, try again.
gnutls.c: [1] (Emacs) non-fatal error: Resource temporarily unavailable, try again.
gnutls.c: [1] (Emacs) non-fatal error: Resource temporarily unavailable, try again.
self-signed.badssl.com certificate could not be verified.
gnutls.c: [1] (Emacs) certificate signer was not found: self-signed.badssl.com
gnutls.c: [1] (Emacs) certificate validation failed: self-signed.badssl.com
gnutls.c: [1] (Emacs) x509 certificate does not match: self-signed.badssl.com
gnutls.c: [2] (Emacs) Deallocating x509 credentials
# echo $?
0
```

Additional info:
The same thing can be reproduced with a locally generated self-signed cert:
```
# openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj '/CN=localhost'
# gnutls-serv --http -p 4433 --x509keyfile key.pem --x509certfile cert.pem &
# emacs -Q --script script
```

I'm not sure if it's an expected outcome, since Fedora Rawhide (emacs-27.2-8.fc35) behaves exactly the same as the RHEL 8 version (but it definitely doesn't feel expected). Also, connecting to the offending site with `gnutls-cli` works fine (with invalid cert error suppression):

```
# gnutls-cli -p 443 self-signed.badssl.com --insecure </dev/null
Processed 0 CA certificate(s).
Resolving 'self-signed.badssl.com:443'...
Connecting to '104.154.89.105:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US', issuer `CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US', serial 0x00fce2ba29024e8c78, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-10-09 23:41:52 UTC', expires `2021-10-08 23:41:52 UTC', pin-sha256="9SLklscvzMYj8f+52lp5ze/hY0CFHyLSPQzSpYYIBm8="
	Public Key ID:
		sha1:7965dfc93c6ae6fe8381ec482216ec44ef47282a
		sha256:f522e496c72fccc623f1ffb9da5a79cdefe16340851f22d23d0cd2a58608066f
	Public Key PIN:
		pin-sha256:9SLklscvzMYj8f+52lp5ze/hY0CFHyLSPQzSpYYIBm8=
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
- Description: (TLS1.2-X.509)(ECDHE-SECP256R1)(RSA-SHA512)-(AES-128-GCM)
- Session ID: EA:4B:E7:93:88:47:04:CD:97:7F:67:96:AD:7A:78:56:BD:7E:51:F4:B0:6C:DC:32:3C:AF:38:6E:0D:8E:B7:63
- Options: safe renegotiation,
- Handshake was completed
- Simple Client Mode:
- Peer has closed the GnuTLS connection
```
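The three client policies the report contrasts, reduced to one runnable program: the default trust-store check that rejected the site on RHEL 8, the `--insecure` mode in which `gnutls-cli` accepted it (and which the reporter expected from `(setq gnutls-verify-error nil)`), and a third option the log only hints at through "setting the trustfile", namely trusting that one self-signed certificate while leaving verification on. This is an added example, not code from the bug report or from Emacs or GnuTLS; it is written in Go rather than Emacs Lisp so that the self-signed server (Go's `net/http/httptest` standing in for `gnutls-serv` with `cert.pem`/`key.pem`) and all three clients run offline in a single file. The `Outcome`, `fetch`, `newSelfSignedServer` and `CompareVerificationModes` names are the example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Outcome records what one client policy did with the self-signed endpoint.
type Outcome struct {
	Mode   string // verification policy the client used
	OK     bool   // true when the GET completed
	Reason string // error text when it did not
}

// newSelfSignedServer starts a loopback HTTPS server whose certificate is
// self-signed (httptest generates one). It stands in for the gnutls-serv
// instance in the report; the caller must Close() it.
func newSelfSignedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "hello")
	}))
}

// fetch performs one GET with the given TLS configuration and reports the result.
func fetch(url, mode string, cfg *tls.Config) Outcome {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		reason := err.Error()
		// Go reports an untrusted self-signed certificate as UnknownAuthorityError,
		// the same condition gnutls logs as "signed by an unknown and therefore
		// untrusted authority".
		var unknown x509.UnknownAuthorityError
		if errors.As(err, &unknown) {
			reason = "certificate signed by unknown authority"
		}
		return Outcome{Mode: mode, OK: false, Reason: reason}
	}
	resp.Body.Close()
	return Outcome{Mode: mode, OK: true}
}

// CompareVerificationModes fetches the self-signed endpoint under the three
// policies the report contrasts and returns the outcomes in that order.
func CompareVerificationModes() []Outcome {
	srv := newSelfSignedServer()
	defer srv.Close()

	// 1. Default verification against the system trust store: what the RHEL 8
	//    Emacs in the report did, and what gnutls-cli does without --insecure.
	strict := fetch(srv.URL, "default verification", &tls.Config{})

	// 2. Verification switched off for every host: the gnutls-cli --insecure
	//    mode, and the behaviour the reporter expected from gnutls-verify-error nil.
	insecure := fetch(srv.URL, "verification disabled", &tls.Config{InsecureSkipVerify: true})

	// 3. Trust exactly this certificate and nothing else, the same idea as
	//    pointing a trust file at cert.pem. Verification stays on, so a
	//    different certificate presented for this host is still rejected.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	pinned := fetch(srv.URL, "self-signed cert added to the trust store", &tls.Config{RootCAs: pool})

	return []Outcome{strict, insecure, pinned}
}

func main() {
	for _, o := range CompareVerificationModes() {
		if o.OK {
			fmt.Printf("%-45s OK\n", o.Mode)
		} else {
			fmt.Printf("%-45s FAILED: %s\n", o.Mode, o.Reason)
		}
	}
}
```

`go run` prints one line per policy. When a self-signed endpoint has to be accepted, the third policy is the one to prefer: it grants trust to one known certificate for the duration of the script, whereas `InsecureSkipVerify` (like `gnutls-cli --insecure`) disables the check for every host the client talks to.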

People: Jacek Migacz (jmigacz@redhat.com), Frantisek Sumsal (fsumsalrh), qe-baseos-daemons
Votes: 0, Watchers: 3