From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: need help with certificate bundles for ALL the platforms Emacs supports
Date: Mon, 13 Feb 2012 11:30:07 -0500
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <87mx8m66i8.fsf@lifelogs.com>
References: <4F25FA2F.2010401@gmail.com> <4F27F4A1.6030907@gmail.com> <6E4BE1E758D04283A7C3A660ED379966@us.oracle.com> <87liolnipl.fsf@lifelogs.com> <50081AA79F2F4860A3B9DCEDFC1ABEC8@us.oracle.com> <877h04nc2e.fsf@lifelogs.com> <83ehucfjc8.fsf@gnu.org> <87r4ycjbjz.fsf_-_@lifelogs.com> <83mx8zev8s.fsf@gnu.org> <87vcnnj1xm.fsf@lifelogs.com> <87ipjgw0r3.fsf_-_@lifelogs.com> <87zkcqr4td.fsf@lifelogs.com> <87fwef8zui.fsf@lifelogs.com> <87ipja7to1.fsf@lifelogs.com>
Reply-To: emacs-devel@gnu.org
To: emacs-devel@gnu.org
User-Agent: Gnus/5.130002 (Ma Gnus v0.2) Emacs/24.0.93 (gnu/linux)

On Mon, 13 Feb 2012 10:12:17 -0500 Stefan Monnier wrote:

>> Also I don't want to decide the default bundle file names at the time
>> the defcustom is evaluated. Since `gnutls-trustfiles' can contain
>> function calls, I'd like it to be called when it's needed. For
>> instance, it's very common to store certificates as PEM files in a
>> directory, and the user should be able to choose that approach instead
>> of managing a concatenated bundle. If we built the file list only once,
>> the modular approach would fail. Another situation is on W32, where the
>> cert bundle has to be dynamically built (which will require some caching
>> but should still be done as close to using the bundle as possible).

SM> OK, but the variable should not be a "list of (function or filename)".
SM> That's ugly.

I see how it's confusing.

SM> Maybe we can have it be "a function or a list of files".

OK. Patch attached for your review. The code is simpler now and the
list flattening function is not needed.

If approved I think I should also write a manual entry for this new
variable. Should I make a new manual subsection for GnuTLS-related
things? Where? Now we'll have three customizable variables in gnutls.el
(`gnutls-algorithm-priority', `gnutls-trustfiles', and
`gnutls-min-prime-bits') which is tipping the scales I think. Plus it
will be good to explain what gnutls.el+gnutls.c do and how to debug
problems with them, since most users and developers don't know how
widely they are used in Emacs 24.

Thanks!
Ted

Content-Type: text/x-diff
Content-Disposition: inline; filename=gnutls-trustfiles.patch

=== modified file 'lisp/net/gnutls.el'
--- lisp/net/gnutls.el 2012-02-12 21:40:25 +0000
+++ lisp/net/gnutls.el 2012-02-13 16:20:13 +0000
@@ -51,6 +51,19 @@ :type '(choice (const nil) string)) +(defcustom gnutls-trustfiles + '( + "/etc/ssl/certs/ca-certificates.crt" ; Debian, Ubuntu, Gentoo and Arch Linux + "/etc/pki/tls/certs/ca-bundle.crt" ; Fedora and RHEL + "/etc/ssl/ca-bundle.pem" ; Suse + ) + "List of CA bundle location filenames or a function returning said list. +The files may be in PEM or DER format, as per the GnuTLS documentation. +The files may not exist, in which case they will be ignored." + :group 'gnutls + :type '(choice (function :tag "Function to produce list of bundle filenames") + (repeat (file :tag "Bundle filename")))) + ;;;###autoload (defcustom gnutls-min-prime-bits nil "The minimum number of bits to be used in Diffie-Hellman key exchange. @@ -118,7 +131,7 @@ PROCESS is a process returned by `open-network-stream'. HOSTNAME is the remote hostname. It must be a valid string. PRIORITY-STRING is as per the GnuTLS docs, default is \"NORMAL\". -TRUSTFILES is a list of CA bundles. +TRUSTFILES is a list of CA bundles. It defaults to `gnutls-trustfiles'. CRLFILES is a list of CRL files. KEYLIST is an alist of (client key file, client cert file) pairs. MIN-PRIME-BITS is the minimum acceptable size of Diffie-Hellman keys @@ -156,10 +169,12 @@ It must be omitted, a number, or nil; if omitted or nil it defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT." (let* ((type (or type 'gnutls-x509pki)) - (default-trustfile "/etc/ssl/certs/ca-certificates.crt") (trustfiles (or trustfiles - (when (file-exists-p default-trustfile) - (list default-trustfile)))) + (delq nil + (mapcar (lambda (f) (and f (file-exists-p f) f)) + (if (functionp gnutls-trustfiles) + (funcall gnutls-trustfiles) + gnutls-trustfiles))))) (priority-string (or priority-string (cond ((eq type 'gnutls-anon) --=-=-=--
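Review bot: the new `gnutls-trustfiles' defcustom (first hunk) lacks a `:version' keyword, which Emacs requires for every user option added in a release, and unlike the neighbouring `gnutls-min-prime-bits' it carries no `;;;###autoload' cookie; add `:version "24.1"' (or whichever release it lands in) and decide deliberately whether the option should be autoloaded. The docstring should also say that every listed file that exists is loaded, not just the first one found, since on a system with more than one of the default paths present the trust decision is the union of those bundles, and the `'(` / `)` on their own lines is not the usual Lisp layout; put the opening quote-paren before the first string and the closing paren on the last element's line.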
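Review bot: in the `gnutls-negotiate' hunk, `file-exists-p' only tests existence, so a bundle that is present but unreadable, or a directory given in place of a file, passes the filter and is handed to GnuTLS anyway; `file-readable-p' (or `file-regular-p' when only files are meant) expresses the intent better. More importantly, when the function returns nil or none of the listed files exist, TRUSTFILES ends up nil and negotiation proceeds with no diagnostic; a `message' or `display-warning' at that point would make an empty trust list visible instead of letting the caller silently continue with no CA anchors.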
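The quoted rationale (a function value so the bundle list is computed when `gnutls-negotiate' needs it, e.g. from a directory of per-CA PEM files) as an added example of a user configuration; this is not code from the patch or from gnutls.el, and `my-ca-directory' / `my-gnutls-trustfiles' are hypothetical names:

```elisp
;; Added example, not part of the patch above.  With the patched
;; gnutls.el, `gnutls-trustfiles' may be a function; it is called at
;; negotiation time, so a CA dropped into the directory is picked up
;; by the next connection without re-evaluating any defcustom.
(require 'gnutls)

(defvar my-ca-directory "~/.config/emacs/ca-certs/"
  "Hypothetical directory holding one PEM file per trusted CA.")

(defun my-gnutls-trustfiles ()
  "Return the CA bundle filenames to trust.
Every *.pem file in `my-ca-directory' is returned, followed by the
system bundle.  Entries that do not exist are dropped by the
`file-exists-p' filter in the patched `gnutls-negotiate'."
  (append
   (when (file-directory-p my-ca-directory)
     ;; FULL=t gives absolute names; MATCH restricts to .pem files.
     (directory-files my-ca-directory t "\\.pem\\'"))
   (list "/etc/ssl/certs/ca-certificates.crt")))

;; A function value, per Stefan's "a function or a list of files".
(setq gnutls-trustfiles #'my-gnutls-trustfiles)
```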