Bug 1403643

Summary: hardening: TLS certificate warnings should be hard errors
Product: Red Hat Enterprise Linux 7
Reporter: Doran Moppert <dmoppert>
Component: emacs
Assignee: Jan Synacek <jsynacek>
Status: CLOSED ERRATA
QA Contact: Frantisek Sumsal <fsumsal>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.4
CC: fsumsal, jsynacek, lmiksik
Target Milestone: rc
Keywords: Patch
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: emacs-24.3-22.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-30 10:45:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1549689

Description Doran Moppert 2016-12-12 04:14:06 UTC
Related to this bug in Debian:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816063

See also:

https://glyph.twistedmatrix.com/2015/11/editor-malware.html

Main concern is that `package.el` will continue despite certificate validation errors, which doesn't seem to be exactly the case on RHEL but the defaults could perhaps be hardened?

The commands logged in Wade's paste below show that `gnutls-cli` exits with an error when it detects cert errors, while `openssl` just spits some diagnostics on stderr and allows the user to continue.

Quoting wmealing from PS bug 1312922:
> RHEL5 wasn't built linked to gnutls.. so...
> RHEL6 
> RHEL7 throws warnings and asks if you want to continue.
> Fedora24 and Fedora25 throw warnings/displays and ask if you want to continue.
> 
> http://pastebin.test.redhat.com/433806
> 
> Some bad news, it looks like it falls back to openssl to make the connection,
> which doesn't fail. Boo.. so while it's not the same bug.. it's got the same
> outcome.
> 
> Maybe not all commands that use TLS will do this kind of fallback though.
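The behaviour the reporter contrasts above (gnutls-cli exits non-zero on a bad certificate, openssl s_client prints a diagnostic and continues) can be closed on the openssl side with a wrapper that treats any non-zero verify result as fatal. This is an added example, not code from the bug report or from Emacs; it assumes OpenSSL 1.0.x or newer and the RHEL CA bundle path /etc/pki/tls/certs/ca-bundle.crt.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Emacs: a POSIX sh
# wrapper that makes an `openssl s_client` run fail hard on certificate
# validation errors, the way `gnutls-cli` already does, rather than
# printing a diagnostic and carrying on. Assumes OpenSSL 1.0.x or newer
# and the RHEL CA bundle path below.

# Constructed sample fragments of s_client output (not real captures).
SAMPLE_VERIFIED='    Verify return code: 0 (ok)'
SAMPLE_SELF_SIGNED='verify error:num=19:self signed certificate in certificate chain
    Verify return code: 19 (self signed certificate in certificate chain)'
SAMPLE_NO_HANDSHAKE='connect: Connection refused'

# Post-check captured s_client output. Returns 0 only when the chain was
# verified; 1 when s_client reported a verification error; 2 when no
# verify result is present at all (callers treat that as failure too).
s_client_verify_status() {
    line=$(printf '%s\n' "$1" | grep 'Verify return code:' | head -n 1)
    if [ -z "$line" ]; then
        echo "no certificate verification result in output" >&2
        return 2
    fi
    code=$(printf '%s\n' "$line" |
           sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p')
    case "$code" in
        '' | *[!0-9]*) echo "unparseable verify line: $line" >&2; return 2 ;;
        0) return 0 ;;
    esac
    echo "certificate verification failed: $line" >&2
    return 1
}

# Live wrapper. -verify_return_error makes s_client abort the handshake
# on a verification error instead of continuing; the output is still
# post-checked so a "continue anyway" path cannot slip through silently.
strict_s_client() {
    host=$1
    port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -CAfile /etc/pki/tls/certs/ca-bundle.crt \
              -verify_return_error </dev/null 2>&1) || {
        printf '%s\n' "$out" >&2
        return 1
    }
    s_client_verify_status "$out"
}
```

Call `strict_s_client host [port]`; a non-zero exit status means the certificate chain was not accepted, so it can stand in where a caller would otherwise rely on reading stderr.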

Comment 11 errata-xmlrpc 2018-10-30 10:45:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3166