bug#19404: 25.0.50; Gnus shows self-signed certificate warning when connecting to Gmane

[David Engster]

Eli Zaretskii writes:
>> From: David Engster <deng@randomsample.de>
>> Cc: Eli Zaretskii <eliz@gnu.org>,  19404@debbugs.gnu.org,  dgutov@yandex.ru
>> Date: Thu, 18 Dec 2014 21:20:05 +0100
>
>> 
>> Just to make a few things clear: A 'self-signed' certificate simply
>> means that a certificate is signed with its own private key. You can
>> easily identify them by looking at the 'Issuer' and 'Subject' - they are
>> identical:
>> 
>>   openssl s_client -connect news.gmane.org:563
>> 
>>   [...]
>> 
>>   Certificate chain
>>   0 s:/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org
>>     i:/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org
>> 
>> If you connect to a service secured with such a certificate, you'll be
>> greeted with a certificate chain with a depth of '0', only containing
>> this one certificate (so it's actually not a chain). Self-signed
>> certificates are by default never trustworthy, since anyone can create
>> them.
>
> Do you understand why I got the same "self-signed" indication for a
> certificate whose chain couldn't be verified because the root
> certificates were not available?  E.g., remove or rename your bundle,
> then try "M-x eww" to some HTTPS address -- you will see the
> "self-signed" indication in that case as well.  Why does this happen?

I see now that :self-signed is mapped to
GNUTLS_CERT_SIGNER_NOT_FOUND. This however does not mean that a
certificate is self-signed. See

http://www.gnutls.org/manual/gnutls.html#gnutls_005fcertificate_005fstatus_005ft

It simply means: "The certificate’s issuer is not known. This is the
case if the issuer is not included in the trusted certificate list."

It *could* be self-signed. I don't know the best way in libgnutls to
detect this. You probably have to compare issuer and subject, or
similar.

-David