Emacs core TLS support

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Sep 14 20:55:51 CEST 2010


On 09/14/2010 08:30 PM, Ted Zlatanov wrote:
> On Mon, 13 Sep 2010 09:49:30 +0200 Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote: 
> 
> NM> 2010/9/11 Ted Zlatanov <tzz at lifelogs.com>:
>>> - no SRP anywhere, just anon and x509 (I'll add SRP if we need it and
>>>  when the other two are working)
>>> Now I get GNUTLS_E_INSUFFICIENT_CREDENTIALS when I open a x509
>>> connection to an IMAP TLS server so I think there's still work to do.
>>> The trust file seems to be wrong (see lisp/net/gnutls.el, I tried both
>>> "/etc/ssl/certs/ca-certificates.crt" and "/etc/ssl/certs/ca.pem").
>>> The GnuTLS examples don't seem to cover the standard situation of
>>> talking to a web server over SSL and possibly accepting an insecure
>>> connection if the server credentials are bad.  I must have missed
>>> something.  Could the GnuTLS developers look at my patch and help me
>>> out?
> NM> I cannot look at the patch but the example you are looking for is:
> NM> http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html#Simple-client-example-with-X_002e509-certificate-support
> NM> to do the connection, and this one to verify the certificate:
> NM> http://www.gnu.org/software/gnutls/manual/html_node/Verifying-peer_0027s-certificate.html#Verifying-peer_0027s-certificate
> 
> What ca.pem should I use?  There's one in GnuTLS and one in
> /etc/ssl/certs/ca.pem on my Ubuntu system.  It should Just Work so it
> may make sense to ship ca.pem with Emacs.  WDYT?

This is local policy, I don't think that it has to be shipped with
emacs. Just give the option of someone specifying it.

> The simple client code is implemented in my current patch.  Without
> verifying anything I keep getting GNUTLS_E_AGAIN when I try to handshake
> against an SSL server.  See gnutls-boot, the control flow is really
> simple and I think correct.  What am I missing?

GNUTLS_E_AGAIN is returned only if the transport layer function
(recv/send) return -1 and EAGAIN. Usually this is normal behavior and is
enough to loop around them. Do you use non-blocking IO?


regards,
Nikos




More information about the Gnutls-devel mailing list