unofficial mirror of emacs-devel@gnu.org 
* [PATCH] Add FreeBSD CA bundle location to GnuTLS
From: Ashish SHUKLA @ 2015-11-13 13:49 UTC (permalink / raw)
  To: emacs-devel



Hi,

I've come across this interesting article[1], and noticed that
`gnutls-trustfiles' is missing the CA certificate path listed for FreeBSD, as
installed by FreeBSD port security/ca_root_nss[2].

So as per the documentation, here are the attached diffs, which add the CA bundle
location for FreeBSD to `lisp/net/gnutls.el' and update the documentation accordingly.

Let me know if there is anything more I can do to make it commit-worthy.

References:
[1]  https://glyph.twistedmatrix.com/2015/11/editor-malware.html
[2]  http://www.freshports.org/security/ca_root_nss

Thanks!
-- 
Ashish SHUKLA

“Genius does what it must, and Talent does what it can.”
                                         (Owen Meredith)

Sent from my Emacs

[-- Attachment #1.2: 0001-net-gnutls.el-gnutls-trustfiles-Add-FreeBSD-location.patch --]
[-- Type: text/x-patch, Size: 1306 bytes --]

From f5d1f02986ec10ab301fddfeb19e04c7977cc2fa Mon Sep 17 00:00:00 2001
From: Ashish SHUKLA <ashish.is@lostca.se>
Date: Fri, 13 Nov 2015 18:47:33 +0530
Subject: [PATCH 1/2] net/gnutls.el (gnutls-trustfiles): Add FreeBSD location

---
 lisp/net/gnutls.el | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 479c9a5..ccaef8a 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -67,10 +67,11 @@ set this variable to \"normal:-dhe-rsa\"."
 
 (defcustom gnutls-trustfiles
   '(
-    "/etc/ssl/certs/ca-certificates.crt" ; Debian, Ubuntu, Gentoo and Arch Linux
-    "/etc/pki/tls/certs/ca-bundle.crt"   ; Fedora and RHEL
-    "/etc/ssl/ca-bundle.pem"             ; Suse
-    "/usr/ssl/certs/ca-bundle.crt"       ; Cygwin
+    "/etc/ssl/certs/ca-certificates.crt"     ; Debian, Ubuntu, Gentoo and Arch Linux
+    "/etc/pki/tls/certs/ca-bundle.crt"       ; Fedora and RHEL
+    "/etc/ssl/ca-bundle.pem"                 ; Suse
+    "/usr/ssl/certs/ca-bundle.crt"           ; Cygwin
+    "/usr/local/share/certs/ca-root-nss.crt" ; FreeBSD
     )
   "List of CA bundle location filenames or a function returning said list.
 The files may be in PEM or DER format, as per the GnuTLS documentation.
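Review bot: The comment realignment on the four existing `gnutls-trustfiles` entries buries the one functional change, the new "/usr/local/share/certs/ca-root-nss.crt" line, inside a 5-insertion/4-deletion hunk. For a list that decides which CA bundle TLS connections trust, a one-line diff is easier to audit and keeps blame on the existing entries intact; leave those lines untouched or do the realignment in a separate commit. The new comment also says only "; FreeBSD", while the cover message states the file is installed by the security/ca_root_nss port; naming the port in the comment would tell readers that the path exists only where that port is installed.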
-- 
2.6.2


[-- Attachment #1.3: 0002-emacs-gnutls.texi-Help-For-Users-Update-gnutls-trust.patch --]
[-- Type: text/x-patch, Size: 1709 bytes --]

From 90ad6f4e93cc1f8dd0021c1706cadaabf71bd975 Mon Sep 17 00:00:00 2001
From: Ashish SHUKLA <ashish.is@lostca.se>
Date: Fri, 13 Nov 2015 19:02:13 +0530
Subject: [PATCH 2/2] * emacs-gnutls.texi (Help For Users): Update
 `gnutls-trustfiles'

---
 doc/misc/emacs-gnutls.texi | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/doc/misc/emacs-gnutls.texi b/doc/misc/emacs-gnutls.texi
index 4f6ef01..0ea775b 100644
--- a/doc/misc/emacs-gnutls.texi
+++ b/doc/misc/emacs-gnutls.texi
@@ -123,14 +123,15 @@ The @code{gnutls-trustfiles} variable is a list of trustfiles
 host name (although @code{gnutls-negotiate} supports a trustfile per
 connection so it could be done if needed).  The trustfiles can be in
 PEM or DER format and examples can be found in most Unix
-distributions.  By default four locations are tried in this order:
+distributions.  By default five locations are tried in this order:
 @file{/etc/ssl/certs/ca-certificates.crt} for Debian, Ubuntu, Gentoo
 and Arch Linux; @file{/etc/pki/tls/certs/ca-bundle.crt} for Fedora
 and RHEL; @file{/etc/ssl/ca-bundle.pem} for Suse;
-@file{/usr/ssl/certs/ca-bundle.crt} for Cygwin.  You can easily
-customize @code{gnutls-trustfiles} to be something else, but let us
-know if you do, so we can make the change to benefit the other users
-of that platform.
+@file{/usr/ssl/certs/ca-bundle.crt} for Cygwin;
+@file{/usr/local/share/certs/ca-root-nss.crt} for FreeBSD.  You can
+easily customize @code{gnutls-trustfiles} to be something else, but
+let us know if you do, so we can make the change to benefit the other
+users of that platform.
 @end defvar
 
 @defvar gnutls-verify-error
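Review bot: The hard-coded count in "By default five locations are tried in this order" has to be edited by hand every time an entry is added to `gnutls-trustfiles`, and it will silently drift from the defcustom if someone forgets. Consider dropping the number ("By default the following locations are tried in this order") so the manual only needs the new @file{} item. The added FreeBSD item could also mention that the file comes from the security/ca_root_nss port, as the cover message says, so users know what to install when the path is missing. Re-wrapping the unchanged "You can easily customize ..." sentence adds four lines of churn; starting the new @file{} item on its own line would keep the diff to the lines that actually change.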
-- 
2.6.2



* Re: [PATCH] Add FreeBSD CA bundle location to GnuTLS
From: Lars Ingebrigtsen @ 2015-12-24 17:55 UTC (permalink / raw)
  To: Ashish SHUKLA; +Cc: emacs-devel

ashish.is@lostca.se (Ashish SHUKLA) writes:

> I've come across this interesting article[1], and noticed that
> `gnutls-trustfiles' is missing the CA certificate path listed for FreeBSD, as
> installed by FreeBSD port security/ca_root_nss[2].
>
> So as per the documentation, here are the attached diffs, which add the CA bundle
> location for FreeBSD to `lisp/net/gnutls.el' and update the documentation accordingly.

Thanks; applied to the trunk.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no


