Emacs core TLS support
tzz at lifelogs.com
Sun Sep 26 08:12:13 CEST 2010
On Tue, 21 Sep 2010 13:37:42 +0200 Simon Josefsson <simon at josefsson.org> wrote:
SJ> Ted Zlatanov <tzz at lifelogs.com> writes:
>> +(defconst gnutls-version "0.3.1")
>> + "/tmp/ca.pem"
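Review bot: beyond being debug leftover, `"/tmp/ca.pem"` is the wrong kind of default for a trust file: /tmp is world-writable, so any local user could place a certificate there that this client would then accept as a CA. Default the trust file to nil and have the `gnutls-x509pki` path fail closed when none is given, or point at the system CA bundle, and let callers pass an explicit path.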
SJ> This should be removed.
>> + (priority-string (or priority-string
>> + (cond
>> + ((eq credentials 'gnutls-anon)
>> + "PERFORMANCE:+ANON-DH:!ARCFOUR-128")
>> + ((eq credentials 'gnutls-x509pki)
>> + "PERFORMANCE"))))
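Review bot: the `gnutls-anon` branch's `"PERFORMANCE:+ANON-DH:!ARCFOUR-128"` produces a connection with no peer authentication at all, so it is only appropriate when the caller explicitly chose `gnutls-anon`, and the `open-ssl-stream` docstring should say so. The review's suggestion of `NORMAL` over `PERFORMANCE` (which orders suites by speed rather than strength) applies to both branches, e.g. `"NORMAL:+ANON-DH:!ARCFOUR-128"` for the anonymous case and `"NORMAL"` for `gnutls-x509pki`.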
SJ> I think NORMAL should be used instead of PERFORMANCE here.
>> +(defun open-ssl-stream (name buffer host service)
>> + "Open a SSL connection for a service to a host.
SJ> I suggest using 'TLS' or possibly 'SSL/TLS' consistently in
OK, but let's get the code working first.
SJ> Is 'open-ssl-stream' for backwards compatibility? Otherwise I
SJ> suggest 'open-tls-stream'.
Yes, it's trying to be compatible. I'd rather get rid of the
compatibility but we'll see.
>> +;; (open-ssl-stream "tls" "tls-buffer" "yourserver.com" "https")
SJ> Looks like debug code that should be removed?
Please let it be for now. It's useful for quick testing.
>> +PRIORITY-STRING is as per the GnuTLS docs.
SJ> Maybe there could be an info hyperlink here?
Sorry, you mean to the GnuTLS webserver? I don't know if that's
>> + (gnutls-message-maybe
>> + (setq ret (gnutls-boot proc priority-string credentials credentials-file))
>> + "boot: %s")
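Review bot: `ret` is assigned from `gnutls-boot` and only logged via `gnutls-message-maybe`; nothing in this hunk acts on a failed result even though the docstring says it is meant to be checked with `gnutls-errorp`. A failed boot should close the process or signal rather than hand the caller a process it will treat as a TLS stream, otherwise data may be written to a socket on which the handshake never completed, e.g. `(when (gnutls-errorp ret) (delete-process proc) (error "gnutls-boot failed: %s" ret))`.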
SJ> How much debug code do we want to retain? I'm not sure.
For now, as much as possible. We can always turn it down later.
>> +DEFUN ("gnutls-global-init", Fgnutls_global_init,
>> + Sgnutls_global_init, 0, 0, 0,
>> + doc: /* Initializes global GNU TLS state to defaults.
>> +Call `gnutls-global-deinit' when GNU TLS usage is no longer needed.
>> +Returns zero on success. */)
>> +DEFUN ("gnutls-global-deinit", Fgnutls_global_deinit,
>> + Sgnutls_global_deinit, 0, 0, 0,
>> + doc: /* Deinitializes global GNU TLS state.
>> +See also `gnutls-global-init'. */)
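Review bot: if `gnutls-global-deinit` stays callable from Lisp, any Lisp code can tear down the library's global state while other processes still hold live sessions; the docstring should at least state that it must not be called while a `gnutls-boot`ed process exists, and `gnutls-global-init` should be safe to call repeatedly so stray calls from Lisp are harmless. Keeping both internal to startup, as suggested, avoids the problem entirely.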
SJ> I think this shouldn't be exposed to Elisp, Emacs startup code could
SJ> initialize GnuTLS directly.
>> +DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 6, 0,
>> + doc: /* Initializes client-mode GnuTLS for process PROC.
>> +Currently only client mode is supported. Returns a success/failure
>> +value you can check with `gnutls-errorp'.
>> +PRIORITY_STRING is a string describing the priority.
>> +TYPE is either `gnutls-anon' or `gnutls-x509pki'.
>> +TRUSTFILE is a PEM encoded trust file for `gnutls-x509pki'.
>> +KEYFILE is ... for `gnutls-x509pki' (TODO).
>> +CALLBACK is ... for `gnutls-x509pki' (TODO).
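Review bot: with arity `3, 6`, TRUSTFILE is optional, but the docstring does not say what happens when it is nil or unreadable under `gnutls-x509pki`: whether the handshake is refused or the peer certificate is simply left unverified. State the failure mode explicitly and make the no-trust-file case an error rather than a silent unverified connection. The KEYFILE and CALLBACK lines still read `...` and `(TODO)`; either document the parameters or leave them out of the docstring until they are implemented.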
SJ> Two comments here: 1) The name is a bit generic..?
Well, "init" is taken and I have a small vocabulary :)
SJ> 2) The design makes it a bit difficult to support multiple
SJ> credentials. The GnuTLS API allows clients to have several
SJ> credentials (X.509, OpenPGP, etc). Perhaps copying the GnuTLS API
SJ> further is more flexible.
I thought of making it more flexible but I really want to get the basic
case working. As I mentioned earlier I think GnuTLS should consider
further extending the idea of priority strings to a full configuration
(credentials especially) in a single string or file. That would make
using it so much easier from Emacs Lisp.
I tried to figure out the TLS handshake problem but it has stumped me.
It's taken me many hours and I still don't know what I'm missing so, as
I mentioned in my other message, I've checked in my current state to let
others take a look. If you or other GnuTLS developers can help, it
would be greatly appreciated. Once the handshake works I will work on
the other improvements you mentioned and on getting the GnuTLS support
into Gnus and other parts of Emacs.