Hello, First, I apologize for the double posting - I realize that I sent the previous message with a messed up subject and this caused it not to be grouped with the rest of the messages in this bug, and to not appear in the tracker. I hope this second one will work now. I am using emacs on OSX 10.12 from https://emacsformacosx.com/builds: (emacs-version) "GNU Emacs 25.1.50.1 (x86_64-apple-darwin13.4.0, NS appkit-1265.21 Version 10.9.5 (Build 13F1603)) of 2016-05-30" And experience the same problem when running emacs -Q. Furthermore, I diagnosed the cause to be incorrect building of formatted-cmd in open-tls-stream from the given arguments. Attached is a patch that fixes the problem on my end. To make the patch smaller, I did not reindent the whole function - I hope this is alright. Finally, I'd like to reply to: > Fran gmail.com> writes: > If Cygwin is installed, open-tls-stream works, because gnutls-cli and > openssl > > are available. It has worked for some time. I routinely use this feature > to > > enable ERC to connect to servers using TLS using function erc-tls. > At some point, tls.el will be deprecated. Why aren't you just using > Emacs with the built-in TLS support? In my honest opinion, a feature is either deprecated or not, and while it is not yet deprecated, bugs should not be ignored. I hope you would agree at least to the point of testing the patch and incorporating it if it works well :-) Fuller description of the problem and the fix: The problem: `open-tls-stream' replaces %t with exactly one element, which is nil if none of gnutls-trustfiles is readable, and the first element of gnutls-trustfiles is more than one is readable. The Solution: In the patch I make the test iterate on all the trustfiles as a user might have more than one relevant. In addition, I made the default setting for tls-program have entries that do not explicitly specify the trustfile. One thing to note here perhaps, is that if (gnutls-trustfiles) returns an empty list and one has the %t substitution in one of the tls-program entries, then that entry will not be run at all. I feel that this is reasonable since by setting --x509cafile nil one makes gnutls-cli fail anyway. Finally, I'm experiencing the above behavior, as far as I can tell, by default in e.g. erc-tls. What is the proper way to move to the built in TLS? Is it likely to be something in my config or in the implementation of ERC? Thanks, Kosta