Re: eww + w3m / GnuTLS TLSv1 support ?

unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed

From: Jason Vas Dias <jason.vas.dias@gmail.com>
To: Eli Zaretskii <eliz@gnu.org>
Cc: herbert@gojira.at, emacs-devel@gnu.org
Subject: Re: eww + w3m / GnuTLS TLSv1 support ?
Date: Mon, 14 Feb 2022 13:36:38 +0000	[thread overview]
Message-ID: <CALyZvKyZYij=VnUfCS86uCNeFNp8+2vRpLi+-ej4BypBj0z6wg@mail.gmail.com> (raw)
In-Reply-To: <CALyZvKz8WGoFZcMmjO5JkGSixN7MspvV7zCLN=Hm5zNdPkw34A@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 2648 bytes --]

Enclosed is a patch to gnutls.el to allow users
to specify the default 'verify_flags' used by
gnutls_negotiate / gnutls_boot_parameters.

But still, I am getting error:

(set-variable my-tls-stream (open-gnutls-stream "tls" "tls-buffer"
"192.168.1.1" "https"))
gnutls.el: (err=[-50] The request is invalid.) boot: (:priority
LEGACY:VERS-TLS1.3:VERS-TLS1.2:VERS-TLS1.1:VERS-TLS1.0 :hostname
192.168.1.1 :loglevel 0 :min-prime-bits nil :trustfiles
(/etc/pki/tls/certs/ca-bundle.crt /etc/ssl/cert.pem) :crlfiles nil
:keylist nil :verify-flags 251 :verify-error nil :callbacks nil)

I was now able to specify "verify-flags 251" by customizing
the new 'gnutls-verify-flags' variable (was 256) .

I'll have to dig in to precisely what flags 'curl -k --tlsv1.0'
uses to duplicate for Emac's gnutls ...



On 14/02/2022, Jason Vas Dias <jason.vas.dias@gmail.com> wrote:
> Thanks, Eli -
>
>   I did try setting :
>
>   (set-variable gnutls-algorithm-priority
>    "LEGACY:VERS-TLS1.3:VERS-TLS1.2:VERS-TLS1.1:VERS-TLS1.0"
>   )
>   (set-variable my-tls-stream (open-gnutls-stream "tls" "tls-buffer"
> "192.168.1.1" "https")
>   )
>
>  but still no joy :
>
> gnutls.el: (err=[-50] The request is invalid.) boot: (:priority
> LEGACY:VERS-TLS1.3:VERS-TLS1.2:VERS-TLS1.1:VERS-TLS1.0 :hostname
> 192.168.1.1 :loglevel 0 :min-prime-bits nil :trustfiles
> (/etc/pki/tls/certs/ca-bundle.crt /etc/ssl/cert.pem) :crlfiles nil
> :keylist nil :verify-flags nil :verify-error nil :callbacks nil)
> gnutls-negotiate: GnuTLS error: #<process tls>, -50
>
>   On browsers, once I have got one to accept trying to use
>   TLSv1.0 , which ATM stiil seems not to be possible,
>   the next thing is I have to add the router's self-signed
>   certificate to the browser's trust store, usually through some
>   Advanced -> Add Security Exception "Site Security Exception List" -
>   is there such a list for GnuTLS ? Or a way of specifying the
>   equivalent of curls' '-k': 'do not validate certificate trust chain'
> option ?
>
> Thanks, All the best,
> Jason
>
> On 13/02/2022, Eli Zaretskii <eliz@gnu.org> wrote:
>>> From: Jason Vas Dias <jason.vas.dias@gmail.com>
>>> Date: Sun, 13 Feb 2022 16:48:00 +0000
>>> Cc: emacs-devel@gnu.org
>>>
>>> Still no joy with Firefox 96, Chrome Unstable, EWW, W3M -
>>> ideally, it would be nice if EWW or W3M would let me set
>>> the TLS protocol version to use, with some variable setting -
>>> that is really why I was posting to the emacs-devel list.
>>
>> AFAIU, in Emacs you should be able to request SSLv1 via the :priority
>> setting of gnutls-boot.  E.g., try to customize
>> gnutls-algorithm-priority to include "VERS-TLS1.1".
>>
>

[-- Attachment #2: gnutls.el.patch --]
[-- Type: text/x-patch, Size: 2073 bytes --]

diff -up ./gnutls.el.old ./gnutls.el
--- ./gnutls.el.old	2022-02-14 12:59:06.442427021 +0000
+++ ./gnutls.el	2022-02-14 13:34:59.580342409 +0000
@@ -222,6 +222,27 @@ trust and key files, and priority string
 (declare-function gnutls-boot "gnutls.c" (proc type proplist))
 (declare-function gnutls-errorp "gnutls.c" (error))
 (defvar gnutls-log-level)               ; gnutls.c
+(defcustom gnutls-verify-flags 256
+  "Set the default verify flags used - default is 256.
+VERIFY-FLAGS is a numeric OR of verification flags only for
+`gnutls-x509pki' connections.  See GnuTLS' x509.h for details;
+here's a recent version of the list.
+
+    GNUTLS_VERIFY_DISABLE_CA_SIGN = 1,
+    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 2,
+    GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 4,
+    GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 8,
+    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
+    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
+    GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
+    GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
+    GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256
+
+It must be omitted, a number, or nil; if omitted or nil it
+defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT (256)."
+  :group 'gnutls
+  :type '(choice (const nil) number)
+)
 
 (cl-defun gnutls-negotiate
     (&rest spec
@@ -247,7 +268,7 @@ For the meaning of the rest of the param
                   :crlfiles crlfiles
                   :keylist keylist
                   :min-prime-bits min-prime-bits
-                  :verify-flags verify-flags
+                  :verify-flags (or verify-flags gnutls-verify-flags)
                   :verify-error verify-error
                   :verify-hostname-error verify-hostname-error))
          ret)
@@ -356,7 +377,7 @@ defaults to GNUTLS_VERIFY_ALLOW_X509_V1_
                 :trustfiles ,trustfiles
                 :crlfiles ,crlfiles
                 :keylist ,keylist
-                :verify-flags ,verify-flags
+                :verify-flags ,(or verify-flags gnutls-verify-flags)
                 :verify-error ,verify-error
                 :callbacks nil)))

next prev parent reply	other threads:[~2022-02-14 13:36 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-02-13 14:58 eww + w3m / GnuTLS TLSv1 support ? Jason Vas Dias
2022-02-13 15:44 ` Herbert J. Skuhra
2022-02-13 16:48   ` Jason Vas Dias
2022-02-13 17:07     ` Eli Zaretskii
2022-02-14 12:34       ` Jason Vas Dias
2022-02-14 13:25         ` Herbert J. Skuhra
2022-02-14 13:36         ` Jason Vas Dias [this message]
2022-02-14 18:51 ` chad
2022-02-15 12:52   ` Jason Vas Dias
2022-02-15 12:55     ` Jason Vas Dias

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CALyZvKyZYij=VnUfCS86uCNeFNp8+2vRpLi+-ej4BypBj0z6wg@mail.gmail.com' \
    --to=jason.vas.dias@gmail.com \
    --cc=eliz@gnu.org \
    --cc=emacs-devel@gnu.org \
    --cc=herbert@gojira.at \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).