bug#23759: 25.1.50; open-tls-stream creates malformed gnutls-cli command if trusted cert files don't exist

[flitterio@gmail.com (Francis Litterio)]

Using Emacs built from the latest mainline source on Windows 7 (with all updates applied),
I see this problem:

1. Launch Emacs using: emacs.exe -Q

2. Evaluate this form in buffer *scratch*:

   (progn
     (require 'tls)
     (open-tls-stream "foo" nil "irc.oftc.net" 6697))

After the connection is established, buffer *Messages* shows two failed connection
attempts using gnutls-cli, followed by a successful connection using openssl:

  Opening TLS connection to ‘irc.oftc.net’...
  Opening TLS connection with ‘gnutls-cli --x509cafile nil -p 6697 irc.oftc.net’...failed
  Opening TLS connection with ‘gnutls-cli --x509cafile nil -p 6697 irc.oftc.net --protocols ssl3’...failed
  Opening TLS connection with ‘openssl s_client -connect irc.oftc.net:6697 -no_ssl2 -ign_eof’...done
  Opening TLS connection to ‘irc.oftc.net’...done

Notice switch "--x509cafile nil" passed to gnutls-cli, which cause it to fail both times.

The root cause has to do with variable tls-program, which has this value:

  ("gnutls-cli --x509cafile %t -p %p %h"
   "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
   "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")

The docstring for tls-program says that %t is replaced "with a file name containing
trusted certificates".  The names of trusted certificate files come from variable
gnutls-trustfiles, which has this value:

  ("/etc/ssl/certs/ca-certificates.crt"
   "/etc/pki/tls/certs/ca-bundle.crt"
   "/etc/ssl/ca-bundle.pem"
   "/usr/ssl/certs/ca-bundle.crt"
   "/usr/local/share/certs/ca-root-nss.crt")

The docstring for gnutlsw-trustfiles says:

  The files may not exist, in which case they will be ignored.

These files do not exist on my Windows system, but the %t in the strings listed in
variable tls-program is replaced by "nil", which creates a malformed gnutls-cli command.

I can work around the problem by setting variable tls-program to this list, which is the
above list without the "--x509cafile %t" in the gnutls-cli commands:

  ("gnutls-cli -p %p %h"
   "gnutls-cli -p %p %h --protocols ssl3"
   "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")

If the no trusted cert file is available, the gnutls-cli command needs to be constructed
more intelligently, so as not to create a malformed command.  This problem seems to be
localized in this code in function open-tls-stream in lisp/net/tls.el:

    (with-current-buffer buffer
      (message "Opening TLS connection to `%s'..." host)
      (while (and (not done) (setq cmd (pop cmds)))
        (let ((process-connection-type tls-process-connection-type)
              (formatted-cmd
               (format-spec
                cmd
                (format-spec-make
                 ?t (car (gnutls-trustfiles))
                 ?h host
                 ?p (if (integerp port)
                        (int-to-string port)
                      port)))))
          (message "Opening TLS connection with `%s'..." formatted-cmd)
          (setq process (start-process
                         name buffer shell-file-name shell-command-switch
                         formatted-cmd))
--
Fran Litterio



In GNU Emacs 25.1.50.1 (i686-pc-mingw32)
 of 2016-05-28 built on PUPPY
Repository revision: 549470fdf234acb4da7941e3bb9b28ed63a51876
Windowing system distributor 'Microsoft Corp.', version 6.1.7601
Recent messages:
Saving file c:/franl/zzz-emacs-bug-open-tls-stream.el...
Wrote c:/franl/zzz-emacs-bug-open-tls-stream.el
Saving file c:/franl/zzz-emacs-bug-open-tls-stream.el...
Wrote c:/franl/zzz-emacs-bug-open-tls-stream.el
Saving file c:/franl/zzz-emacs-bug-open-tls-stream.el...
Wrote c:/franl/zzz-emacs-bug-open-tls-stream.el
Mark set
Mark saved where search started
Mark set [2 times]
Type "q" to delete help window.

Configured using:
 'configure --prefix=/c/apps/emacs --without-x --without-xpm
 --without-png --without-jpeg --without-tiff --without-gif'

Configured features:
SOUND NOTIFY ACL TOOLKIT_SCROLL_BARS

Important settings:
  value of $LANG: C.ISO-8859-1
  locale-coding-system: cp1252

Major mode: Emacs-Lisp

Minor modes in effect:
  erc-list-mode: t
  erc-menu-mode: t
  erc-ring-mode: t
  erc-networks-mode: t
  erc-pcomplete-mode: t
  erc-track-mode: t
  erc-track-minor-mode: t
  erc-match-mode: t
  erc-button-mode: t
  erc-fill-mode: t
  erc-netsplit-mode: t
  erc-irccontrols-mode: t
  erc-noncommands-mode: t
  erc-move-to-prompt-mode: t
  erc-readonly-mode: t
  diff-auto-refine-mode: t
  show-paren-mode: t
  save-place-mode: t
  icomplete-mode: t
  savehist-mode: t
  shell-dirtrack-mode: t
  tooltip-mode: t
  global-eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  file-name-shadow-mode: t
  font-lock-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t
  abbrev-mode: t

Load-path shadows:
None found.

Features:
(shadow mail-extr emacsbug skeleton gud mm-archive url-http url-gw
url-cache url-auth url url-proxy url-privacy url-expand url-methods
url-history url-cookie url-domsuf url-util jka-compr face-remap tabify
imenu edmacro kmacro eieio-opt speedbar sb-image ezimage dframe
find-func help-fns rect vc-git misearch multi-isearch server sort
gnus-draft gnus-agent gnus-srvr nnvirtual nndraft nnmh gnus-msg
gnus-cite canlock gnus-async gnus-score score-mode gnus-art mm-uu
mml2015 mm-view mml-smime smime dig mailcap gnus-cache gnus-sum fpl-moo
fpl-react cl erc-sasl erc-notify erc-truncate erc-log erc-dcc erc-list
erc-menu erc-join erc-ring erc-networks erc-pcomplete erc-track
erc-match erc-button erc-fill erc-stamp erc-netsplit erc-goodies erc
erc-backend erc-compat thingatpt source-safe ediff-merg ediff-wind
ediff-diff ediff-mult ediff-help ediff-init ediff-util ediff grep
sh-script smie executable python tramp-sh json map ielm pp sgml-mode
csharp-mode cc-langs smtpmail sendmail nntp gnus-group gnus-undo
gnus-start gnus-cloud nnimap nnmail mail-source utf7 netrc parse-time
gnus-spec gnus-int gnus-range message rfc822 mml mml-sec epa derived epg
mm-decode mm-bodies mm-encode mail-parse rfc2231 mailabbrev gmm-utils
mailheader gnus-win nnoo gnus nnheader subr-x gnus-util rmail
rmail-loaddefs rfc2047 rfc2045 ietf-drums mail-utils mm-util mail-prsvr
wid-edit etags vc vc-dispatcher dired-aux hexl smerge-mode diff-mode
easy-mmode paren man info compile apropos tramp tramp-compat
tramp-loaddefs trampver ucs-normalize format-spec advice saveplace
icomplete xref project savehist browse-url shell pcomplete warnings
arc-mode archive-mode ange-ftp socks network-stream puny nsm starttls
tls gnutls dired dired-loaddefs cc-mode cc-fonts cc-guess cc-menus
cc-cmds cc-styles cc-align cc-engine cc-vars cc-defs comint ansi-color
ring calc-ext calc calc-loaddefs calc-macs time-stamp finder-inf package
epg-config url-handlers url-parse auth-source cl-seq eieio eieio-core
cl-macs eieio-loaddefs password-cache url-vars seq byte-opt gv bytecomp
byte-compile cl-extra help-mode easymenu cconv cl-loaddefs pcase cl-lib
time-date mule-util tooltip eldoc electric uniquify ediff-hook vc-hooks
lisp-float-type mwheel dos-w32 ls-lisp disp-table term/w32-win w32-win
w32-vars term/common-win tool-bar dnd fontset image regexp-opt fringe
tabulated-list newcomment elisp-mode lisp-mode prog-mode register page
menu-bar rfn-eshadow timer select scroll-bar mouse jit-lock font-lock
syntax facemenu font-core term/tty-colors frame cl-generic cham georgian
utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao korean
japanese eucjp-ms cp51932 hebrew greek romanian slovak czech european
ethiopic indian cyrillic chinese charscript case-table epa-hook
jka-cmpr-hook help simple abbrev obarray minibuffer cl-preloaded nadvice
loaddefs button faces cus-face macroexp files text-properties overlay
sha1 md5 base64 format env code-pages mule custom widget
hashtable-print-readable backquote w32notify w32 multi-tty
make-network-process emacs)

Memory information:
((conses 8 524945 95746)
 (symbols 32 46666 0)
 (miscs 32 274 2594)
 (strings 16 105202 34595)
 (string-bytes 1 3339203)
 (vectors 8 72445)
 (vector-slots 4 1840040 248756)
 (floats 8 547 954)
 (intervals 28 15501 2890)
 (buffers 528 53))