Emacs core TLS support

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Sep 14 20:55:51 CEST 2010


On 09/14/2010 08:30 PM, Ted Zlatanov wrote:
> On Mon, 13 Sep 2010 09:49:30 +0200 Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote: 
> 
> NM> 2010/9/11 Ted Zlatanov <tzz at lifelogs.com>:
>>> - no SRP anywhere, just anon and x509 (I'll add SRP if we need it and
>>>  when the other two are working)
>>> Now I get GNUTLS_E_INSUFFICIENT_CREDENTIALS when I open a x509
>>> connection to an IMAP TLS server so I think there's still work to do.
>>> The trust file seems to be wrong (see lisp/net/gnutls.el, I tried both
>>> "/etc/ssl/certs/ca-certificates.crt" and "/etc/ssl/certs/ca.pem").
>>> The GnuTLS examples don't seem to cover the standard situation of
>>> talking to a web server over SSL and possibly accepting an insecure
>>> connection if the server credentials are bad.  I must have missed
>>> something.  Could the GnuTLS developers look at my patch and help me
>>> out?
> NM> I cannot look at the patch but the example you are looking for is:
> NM> http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html#Simple-client-example-with-X_002e509-certificate-support
> NM> to do the connection, and this one to verify the certificate:
> NM> http://www.gnu.org/software/gnutls/manual/html_node/Verifying-peer_0027s-certificate.html#Verifying-peer_0027s-certificate
> 
> What ca.pem should I use?  There's one in GnuTLS and one in
> /etc/ssl/certs/ca.pem on my Ubuntu system.  It should Just Work so it
> may make sense to ship ca.pem with Emacs.  WDYT?

This is local policy, I don't think that it has to be shipped with
emacs. Just give the option of someone specifying it.

> The simple client code is implemented in my current patch.  Without
> verifying anything I keep getting GNUTLS_E_AGAIN when I try to handshake
> against an SSL server.  See gnutls-boot, the control flow is really
> simple and I think correct.  What am I missing?

GNUTLS_E_AGAIN is returned only if the transport layer function
(recv/send) returns -1 and EAGAIN. Usually this is normal behavior and it is
enough to loop around them. Do you use non-blocking IO?


regards,
Nikos
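Added example, not part of this thread and not GnuTLS code: a C sketch of the caller-side loop Nikos describes, where a handshake that reports "again" because the non-blocking transport returned -1/EAGAIN is simply retried, while any other transport failure is treated as fatal. It does not link against GnuTLS; `fake_transport`, `fake_recv`, `demo_handshake` and the `DEMO_E_*` codes are stand-ins constructed for the demo (in real GnuTLS the equivalents are `gnutls_handshake()`, `GNUTLS_E_AGAIN` and `gnutls_error_is_fatal()`, and you would poll()/select() on the socket before retrying instead of spinning).

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-ins for GnuTLS return codes; values are arbitrary. */
#define DEMO_E_AGAIN (-28)
#define DEMO_E_FATAL (-53)

/* Simulated non-blocking socket: reports EAGAIN `pending` times before
 * data "arrives"; if hard_error is set, fails with that errno instead. */
struct fake_transport {
    int pending;    /* remaining recv() calls that will see EAGAIN */
    int hard_error; /* e.g. ECONNRESET to model a real failure */
    int calls;      /* how many times recv() was invoked */
};

static int fake_recv(struct fake_transport *t)
{
    t->calls++;
    if (t->hard_error) {
        errno = t->hard_error;
        return -1;
    }
    if (t->pending > 0) {
        t->pending--;
        errno = EAGAIN;
        return -1;
    }
    return 1; /* one byte "received": handshake can complete */
}

/* Models the library side: a transport -1/EAGAIN becomes DEMO_E_AGAIN,
 * any other transport failure becomes a fatal code, success is 0. */
static int demo_handshake(struct fake_transport *t)
{
    int r = fake_recv(t);
    if (r < 0) {
        if (errno == EAGAIN || errno == EWOULDBLOCK)
            return DEMO_E_AGAIN;
        return DEMO_E_FATAL;
    }
    return 0;
}

/* Caller side: retry only on the non-fatal "again" code, give up after
 * max_tries so a stalled peer cannot keep us looping forever, and return
 * any other error untouched so the caller can report it. */
int handshake_with_retry(struct fake_transport *t, int max_tries)
{
    int ret;
    int tries = 0;
    do {
        ret = demo_handshake(t);
        tries++;
    } while (ret == DEMO_E_AGAIN && tries < max_tries);
    return ret;
}

int main(void)
{
    struct fake_transport slow = { 3, 0, 0 };          /* data arrives late */
    struct fake_transport broken = { 0, ECONNRESET, 0 }; /* peer went away */

    printf("slow peer: ret=%d after %d recv calls\n",
           handshake_with_retry(&slow, 10), slow.calls);
    printf("broken peer: ret=%d after %d recv calls\n",
           handshake_with_retry(&broken, 10), broken.calls);
    return 0;
}
```

The point for the Emacs patch is the shape of the loop: GNUTLS_E_AGAIN is a "call me again" signal, not a handshake failure, so it must be retried, but every other negative code must stop the loop and surface as an error rather than being retried or ignored.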
