unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#16784: 24.3; Problems opening NNTP connection: failing starttls because of a non-verified certificate
@ 2014-02-17 17:50 sb
  2014-02-18 15:43 ` Ted Zlatanov
  2014-12-08 20:07 ` Lars Magne Ingebrigtsen
  0 siblings, 2 replies; 8+ messages in thread
From: sb @ 2014-02-17 17:50 UTC
  To: 16784

Entering news.gmane.no nntp groups in gnus fails on Windows, because it
tries to upgrade the connection using STARTTLS and fails because the
news.gmane.org certificate is self signed.

I did
 (setq gnutls-log-level 1)
in the scratch buffer, and tried entering a group, and saw the following
in the messages buffer:
Opening nntp server on news.gmane.org...done
gnutls.c: [0] (Emacs) fatal error: The TLS connection was non-properly terminated.
gnutls.c: [1] (Emacs) allocating credentials
gnutls.c: [1] (Emacs) gnutls callbacks
gnutls.c: [1] (Emacs) gnutls_init
gnutls.c: [1] (Emacs) got non-default priority string: NORMAL
gnutls.c: [1] (Emacs) setting the priority string
news.gmane.org certificate could not be verified.
gnutls.c: [1] (Emacs) certificate signer was not found: news.gmane.org
gnutls.c: [1] (Emacs) certificate validation failed: news.gmane.org
gnutls.c: [0] (Emacs) fatal error: The TLS connection was non-properly terminated.
apply: Server closed connection

I'm using the following GNU-TLS:
 gnutls-3.0.9-w32-bin.zip (from http://sourceforge.net/projects/ezwinports/files/)
(unzipped, and the dlls dropped into the emacs-24.3/bin/ directory)



In GNU Emacs 24.3.1 (i386-mingw-nt6.2.9200)
 of 2013-03-17 on MARVIN
Windowing system distributor `Microsoft Corp.', version 6.2.9200
Configured using:
 `configure --with-gcc (4.7) --cflags
 -ID:/devel/emacs/libs/libXpm-3.5.8/include
 -ID:/devel/emacs/libs/libXpm-3.5.8/src
 -ID:/devel/emacs/libs/libpng-dev_1.4.3-1/include
 -ID:/devel/emacs/libs/zlib-dev_1.2.5-2/include
 -ID:/devel/emacs/libs/giflib-4.1.4-1/include
 -ID:/devel/emacs/libs/jpeg-6b-4/include
 -ID:/devel/emacs/libs/tiff-3.8.2-1/include
 -ID:/devel/emacs/libs/gnutls-3.0.9/include
 -ID:/devel/emacs/libs/libiconv-1.13.1-1-dev/include
 -ID:/devel/emacs/libs/libxml2-2.7.8/include/libxml2'

Important settings:
  value of $LANG: NOR
  locale-coding-system: cp1252
  default enable-multibyte-characters: t

Major mode: Article

Minor modes in effect:
  diff-auto-refine-mode: t
  display-time-mode: t
  tooltip-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  buffer-read-only: t
  line-number-mode: t
  transient-mark-mode: t

Recent messages:
Mark set [3 times]
Auto-saving...done
Auto-saving...done
Mark set
byte-code: End of buffer
Mark set [3 times]
browse-url-at-point: No URL found
Auto-saving...done
Quit
byte-code: Command attempted to use minibuffer while in minibuffer







* bug#16784: 24.3; Problems opening NNTP connection: failing starttls because of a non-verified certificate
  2014-02-17 17:50 bug#16784: 24.3; Problems opening NNTP connection: failing starttls because of a non-verified certificate sb
@ 2014-02-18 15:43 ` Ted Zlatanov
  2014-03-20 14:48   ` Ted Zlatanov
  2014-12-08 20:07 ` Lars Magne Ingebrigtsen
  1 sibling, 1 reply; 8+ messages in thread
From: Ted Zlatanov @ 2014-02-18 15:43 UTC
  To: sb; +Cc: 16784

On Mon, 17 Feb 2014 18:50:32 +0100 sb@dod.no wrote: 

s> Entering news.gmane.no nntp groups in gnus fails on Windows, because it
s> tries to upgrade the connection using STARTTLS and fails because the
s> news.gmane.org certificate is self signed.

Steinar also posted some suggestions in the original thread:

SB> I would like one of the following solutions:
SB>  1. The possibility to switch off the attempted upgrade to STARTTLS for
SB>     NNTP connections
SB>  2. The possibility to tell GNU-TLS not to be so stringent about
SB>     certificate verification

I'll respond as soon as I'm able :)

Ted






* bug#16784: 24.3; Problems opening NNTP connection: failing starttls because of a non-verified certificate
  2014-02-18 15:43 ` Ted Zlatanov
@ 2014-03-20 14:48   ` Ted Zlatanov
  2014-03-20 14:58     ` Lars Magne Ingebrigtsen
  0 siblings, 1 reply; 8+ messages in thread
From: Ted Zlatanov @ 2014-03-20 14:48 UTC
  To: sb; +Cc: Lars Magne Ingebrigtsen, 16784

On Tue, 18 Feb 2014 10:43:00 -0500 Ted Zlatanov <tzz@lifelogs.com> wrote: 

TZ> On Mon, 17 Feb 2014 18:50:32 +0100 sb@dod.no wrote: 
s> Entering news.gmane.no nntp groups in gnus fails on Windows, because it
s> tries to upgrade the connection using STARTTLS and fails because the
s> news.gmane.org certificate is self signed.

SB> I would like one of the following solutions:
SB> 1. The possibility to switch off the attempted upgrade to STARTTLS for
SB> NNTP connections

I think Lars has to give an opinion here.

SB> 2. The possibility to tell GNU-TLS not to be so stringent about
SB> certificate verification

The latest Emacs trunk has this:

(defcustom gnutls-verify-error nil
  "If non-nil, this should be a list of checks per hostname regex or t."
  :group 'gnutls
  :version "24.4"
  :type '(choice
          (const t)
          (repeat :tag "List of hostname regexps with flags for each"
           (list
            (choice :tag "Hostname"
                    (const ".*" :tag "Any hostname")
                    regexp)
            (set (const :trustfiles)
                 (const :hostname))))))

So basically customize that variable and add :trustfiles and :hostname
for the respective verifications, or nil to disable them.

Also note that internally, we use some default flags for
`gnutls-negotiate'.  From the docstring:

VERIFY-FLAGS is a numeric OR of verification flags only for
`gnutls-x509pki' connections.  See GnuTLS' x509.h for details;
here's a recent version of the list.

    GNUTLS_VERIFY_DISABLE_CA_SIGN = 1,
    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 2,
    GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 4,
    GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 8,
    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
    GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
    GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
    GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256

It must be omitted, a number, or nil; if omitted or nil it
defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT.

This is the current default, except as modified by the GnuTLS priority
string.  I would expect callers such as Gnus to modify this, but not
normal users.

Ted
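
Added example, not part of the message above and not code from Emacs: a decoder for the VERIFY-FLAGS number using the constants quoted from the docstring, plus a model of a `gnutls-verify-error` value in the shape the `defcustom` type allows. Every `my/` name and the `example.invalid` hosts are hypothetical, and combining the checks of all matching entries is an assumption about how such a list is consumed.

```elisp
;;; Added illustration; not code from Emacs or from this thread.
;;; Every `my/' name and the example.invalid hosts are hypothetical.

;; Bit values exactly as quoted from the `gnutls-negotiate' docstring.
(defconst my/gnutls-verify-flag-names
  '((1   . GNUTLS_VERIFY_DISABLE_CA_SIGN)
    (2   . GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT)
    (4   . GNUTLS_VERIFY_DO_NOT_ALLOW_SAME)
    (8   . GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)
    (16  . GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)
    (32  . GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5)
    (64  . GNUTLS_VERIFY_DISABLE_TIME_CHECKS)
    (128 . GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS)
    (256 . GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT))
  "Alist mapping each VERIFY-FLAGS bit to its GnuTLS name.")

(defun my/decode-verify-flags (flags)
  "Return the names of the bits set in FLAGS, a VERIFY-FLAGS number.
A nil FLAGS is decoded as the documented default,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT.  Bits that are not in the quoted
list come back as (unknown . BITS) so they are not silently dropped."
  (let ((n (or flags 2))
        (known 0)
        (names nil))
    (dolist (pair my/gnutls-verify-flag-names)
      (setq known (logior known (car pair)))
      (unless (zerop (logand n (car pair)))
        (push (cdr pair) names)))
    (let ((rest (logand n (lognot known))))
      (unless (zerop rest)
        (push (cons 'unknown rest) names)))
    (nreverse names)))

(defun my/verify-checks-for (policy hostname)
  "Return the checks POLICY requests for HOSTNAME.
POLICY has the shape of `gnutls-verify-error': nil, t, or a list of
\(REGEXP (CHECK ...)) entries.  Assumption: the checks of every entry
whose REGEXP matches HOSTNAME are combined, without duplicates."
  (cond
   ((eq policy t) t)
   ((listp policy)
    (let ((checks nil))
      (dolist (entry policy)
        (when (string-match-p (nth 0 entry) hostname)
          (dolist (check (nth 1 entry))
            (unless (memq check checks)
              (push check checks)))))
      (nreverse checks)))))

(defun my/describe-tls-policy (policy hostname &optional verify-flags)
  "Return a plist summarising the verification settings for HOSTNAME."
  (list :host hostname
        :checks (my/verify-checks-for policy hostname)
        :verify-flags (my/decode-verify-flags verify-flags)))

;; Constructed sample policy in the shape the defcustom :type allows.
;; There is no ".*" entry, so hosts outside example.invalid get no checks.
(defconst my/sample-policy
  '(("\\`news\\.example\\.invalid\\'" (:hostname))
    ("\\.example\\.invalid\\'" (:trustfiles))))

(dolist (host '("news.example.invalid" "mail.example.invalid" "other.test"))
  (message "%S" (my/describe-tls-policy my/sample-policy host)))

;; 97 = 1 + 32 + 64, i.e. three of the relaxing flags OR-ed together.
(message "%S" (my/decode-verify-flags 97))
```

Evaluate the buffer and read the results in `*Messages*`; the decoder is useful for auditing what a numeric VERIFY-FLAGS argument in calling code actually relaxes.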






* bug#16784: 24.3; Problems opening NNTP connection: failing starttls because of a non-verified certificate
  2014-03-20 14:48   ` Ted Zlatanov
@ 2014-03-20 14:58     ` Lars Magne Ingebrigtsen
  2014-03-21 10:23       ` Ted Zlatanov
  2014-03-21 10:33       ` Steinar Bang
  0 siblings, 2 replies; 8+ messages in thread
From: Lars Magne Ingebrigtsen @ 2014-03-20 14:58 UTC
  To: sb; +Cc: 16784

Ted Zlatanov <tzz@lifelogs.com> writes:

> SB> I would like one of the following solutions:
> SB> 1. The possibility to switch off the attempted upgrade to STARTTLS for
> SB> NNTP connections
>
> I think Lars has to give an opinion here.

I think we should always do encryption, even though we can't do validation.

> So basically customize that variable and add :trustfiles and :hostname
> for the respective verifications, or nil to disable them.

When doing opportunistic upgrades (where the user hasn't asked for the
connection to be encrypted), bothering the user with warnings about not
being able to establish the identity of the server doesn't make much
sense.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no






* bug#16784: 24.3; Problems opening NNTP connection: failing starttls because of a non-verified certificate
  2014-03-20 14:58     ` Lars Magne Ingebrigtsen
@ 2014-03-21 10:23       ` Ted Zlatanov
  2014-03-21 10:33       ` Steinar Bang
  1 sibling, 0 replies; 8+ messages in thread
From: Ted Zlatanov @ 2014-03-21 10:23 UTC
  To: Lars Magne Ingebrigtsen; +Cc: 16784, sb

On Thu, 20 Mar 2014 15:58:02 +0100 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote: 

LMI> Ted Zlatanov <tzz@lifelogs.com> writes:
SB> I would like one of the following solutions:
SB> 1. The possibility to switch off the attempted upgrade to STARTTLS for
SB> NNTP connections
>> 
>> I think Lars has to give an opinion here.

LMI> I think we should always do encryption, even though we can't do validation.

So the answer is "no" to Steinar's question.  I have to agree, although
it may be noisier, in 2014 it's the right way.

>> So basically customize that variable and add :trustfiles and :hostname
>> for the respective verifications, or nil to disable them.

LMI> When doing opportunistic upgrades (where the user hasn't asked for the
LMI> connection to be encrypted), bothering the user with warnings about not
LMI> being able to establish the identity of the server doesn't make much
LMI> sense.

I can only suggest overriding `gnutls-log-level' but that doesn't make
much sense if you're planning to use that connection, in which case you
care about those warnings.  Do we need a way to defer GnuTLS warnings
(put them in a variable temporarily)?

Ted






* bug#16784: 24.3; Problems opening NNTP connection: failing starttls because of a non-verified certificate
  2014-03-20 14:58     ` Lars Magne Ingebrigtsen
  2014-03-21 10:23       ` Ted Zlatanov
@ 2014-03-21 10:33       ` Steinar Bang
  2014-03-24 12:14         ` Lars Magne Ingebrigtsen
  1 sibling, 1 reply; 8+ messages in thread
From: Steinar Bang @ 2014-03-21 10:33 UTC
  To: Lars Magne Ingebrigtsen; +Cc: 16784

>>>>> Lars Magne Ingebrigtsen <larsi@gnus.org>:

> Ted Zlatanov <tzz@lifelogs.com> writes:
SB> I would like one of the following solutions:
SB> 1. The possibility to switch off the attempted upgrade to STARTTLS for
SB> NNTP connections

>> I think Lars has to give an opinion here.

> I think we should always do encryption, even though we can't do validation.

The reason I asked for this is that if an encryption I didn't ask for
causes the connection to fail, I would like to be able to turn it off
and have my unsafe connection.

I would rather have an unsafe connection than no connection (which is
what I seem to have right now on Windows).






* bug#16784: 24.3; Problems opening NNTP connection: failing starttls because of a non-verified certificate
  2014-03-21 10:33       ` Steinar Bang
@ 2014-03-24 12:14         ` Lars Magne Ingebrigtsen
  0 siblings, 0 replies; 8+ messages in thread
From: Lars Magne Ingebrigtsen @ 2014-03-24 12:14 UTC
  To: 16784

Steinar Bang <sb@dod.no> writes:

>>>>>> Lars Magne Ingebrigtsen <larsi@gnus.org>:
>
>> Ted Zlatanov <tzz@lifelogs.com> writes:
> SB> I would like one of the following solutions:
> SB> 1. The possibility to switch off the attempted upgrade to STARTTLS for
> SB> NNTP connections
>
>>> I think Lars has to give an opinion here.
>
>> I think we should always do encryption, even though we can't do validation.
>
> The reason I asked for this is that if an encryption I didn't ask for
> causes the connection to fail, I would like to be able to turn it off
> and have my unsafe connection.

Yeah, but I'm saying that the connection shouldn't fail.  If you
didn't ask for encryption, but Emacs decides to do STARTTLS anyway, then
Emacs should not do identity validation.

Except perhaps just issue a message saying "couldn't validate TLS
identity" or something at the most.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no






* bug#16784: 24.3; Problems opening NNTP connection: failing starttls because of a non-verified certificate
  2014-02-17 17:50 bug#16784: 24.3; Problems opening NNTP connection: failing starttls because of a non-verified certificate sb
  2014-02-18 15:43 ` Ted Zlatanov
@ 2014-12-08 20:07 ` Lars Magne Ingebrigtsen
  1 sibling, 0 replies; 8+ messages in thread
From: Lars Magne Ingebrigtsen @ 2014-12-08 20:07 UTC
  To: sb; +Cc: 16784

sb@dod.no writes:

> Entering news.gmane.no nntp groups in gnus fails on Windows, because it
> tries to upgrade the connection using STARTTLS and fails because the
> news.gmane.org certificate is self signed.

This should now be fixed due to the NSM stuff, I think?  So I'm closing
this report.  Please reopen if this is still a problem.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




