No warning when SSL certificate expired
hendursaga opened this issue · 5 comments
A few days into using Circe, all of a sudden I couldn't connect to ZNC, more specifically, over TLS. After a frustrating amount of time, apparently my ZNC provider's SSL certificate expired and nobody noticed. After hanging indefinitely, I set `irc-debug-log` to `t` and restarted, which did not show any logs whatsoever, as nothing was connected to at that stage. It would be helpful to alert the user when an SSL certificate is expired or invalid.
On a related note, what would be a good workaround, assuming you cannot immediately change over the certs? Could you, say, pin the SSL fingerprints? Or even ignore SSL validation errors entirely?
The main difficulty with TLS issues is reproducing them. If you have a recipe how to set up or connect to an existing IRC server with an expired cert, that would help.
Regarding errors, on Emacs 26.1 and newer, `make-network-process` is used in combination with `gnutls-boot-parameters` to launch a process using the GnuTLS library. There are intentionally no parameters set to let GnuTLS perform the verification; instead this is done by NSM if available, precisely to display warnings about expired certificates and allow the user to ignore them. What you've described should therefore not happen in the first place, and workarounds shouldn't be necessary either.
> If you have a recipe how to set up or connect to an existing IRC server with an expired cert

Sadly no, not yet, at any rate. My ZNC provider is getting better at catching certificate expirations before they occur, so I'm not sure when's the next time I'd be unintentionally hung from said error.
> this is done by NSM if available, precisely to display warnings about expired certificates and allow the user to ignore them.

Turns out, Doom sets `gnutls-verify-error` to `t` - setting it to `nil` brings up a prompt and then I can pin my expired cert. You may close this if you want.
Interesting, I didn't expect this at all. Yet another example of your Emacs configuration being an unexpected culprit. I see three consequences arising from this:

- Circe issues should use a minimal config (Evil and Helm offer scripts for reproduction purposes) for reproducibility
- Doom should be informed about `gnutls-verify-error` interacting with nsm.el
- Circe should explicitly bind `gnutls-verify-error` when using it with nsm.el to guard against this

Therefore I'll keep this open for now.
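The third point above, as an added illustration that is not Circe's own code: open the TLS connection the Emacs 26+ way while binding `gnutls-verify-error` to `nil`, so that GnuTLS does not reject an expired certificate before `nsm.el` gets to warn the user about it. The function name `example-open-tls-irc` is made up for this snippet; `gnutls-boot-parameters`, `make-network-process` and `nsm-verify-connection` are the real Emacs APIs.

```elisp
;; Added example, not from Circe. Requires Emacs 26.1 or newer.
(require 'gnutls)
(require 'nsm)

(defun example-open-tls-irc (host port)
  "Connect to HOST:PORT over TLS, deferring certificate checks to NSM.

If the user's config has set `gnutls-verify-error' to t (as Doom
does), GnuTLS itself rejects an expired or otherwise invalid
certificate and the connection fails before NSM ever sees it.
Binding it to nil here lets the handshake complete so that
`nsm-verify-connection' can show the warning and offer to pin."
  (let* ((gnutls-verify-error nil)      ; the binding this issue asks for
         ;; No verification flags are passed: NSM does the checking.
         (params (gnutls-boot-parameters :type 'gnutls-x509pki
                                         :hostname host))
         (proc (make-network-process
                :name (format "irc-%s" host)
                :buffer nil
                :host host
                :service port
                :coding 'no-conversion
                :tls-parameters (cons 'gnutls-x509pki params))))
    ;; NSM inspects the peer certificate according to
    ;; `network-security-level'.  It returns PROC if the connection is
    ;; accepted (possibly after prompting) and nil, after deleting PROC,
    ;; if the user refuses.
    (nsm-verify-connection proc host port)))

;; (example-open-tls-irc "irc.example.net" 6697)  ; example hostname
```

With `network-security-level` at its default of `medium`, an expired certificate produces the NSM prompt described in the thread instead of a silent hang; at `low` no check is made at all.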