Enclosed is a patch to gnutls.el to allow users
to specify the default 'verify_flags' used by
gnutls_negotiate / gnutls_boot_parameters.

But still, I am getting error:

(set-variable my-tls-stream (open-gnutls-stream "tls" "tls-buffer"
"192.168.1.1" "https"))
gnutls.el: (err=[-50] The request is invalid.) boot: (:priority
LEGACY:VERS-TLS1.3:VERS-TLS1.2:VERS-TLS1.1:VERS-TLS1.0 :hostname
192.168.1.1 :loglevel 0 :min-prime-bits nil :trustfiles
(/etc/pki/tls/certs/ca-bundle.crt /etc/ssl/cert.pem) :crlfiles nil
:keylist nil :verify-flags 251 :verify-error nil :callbacks nil)

I was now able to specify "verify-flags 251" by customizing
the new 'gnutls-verify-flags' variable (was 256) .

I'll have to dig in to precisely what flags 'curl -k --tlsv1.0'
uses to duplicate for Emac's gnutls ...



On 14/02/2022, Jason Vas Dias <jason.vas.dias@gmail.com> wrote:
> Thanks, Eli -
>
>   I did try setting :
>
>   (set-variable gnutls-algorithm-priority
>    "LEGACY:VERS-TLS1.3:VERS-TLS1.2:VERS-TLS1.1:VERS-TLS1.0"
>   )
>   (set-variable my-tls-stream (open-gnutls-stream "tls" "tls-buffer"
> "192.168.1.1" "https")
>   )
>
>  but still no joy :
>
> gnutls.el: (err=[-50] The request is invalid.) boot: (:priority
> LEGACY:VERS-TLS1.3:VERS-TLS1.2:VERS-TLS1.1:VERS-TLS1.0 :hostname
> 192.168.1.1 :loglevel 0 :min-prime-bits nil :trustfiles
> (/etc/pki/tls/certs/ca-bundle.crt /etc/ssl/cert.pem) :crlfiles nil
> :keylist nil :verify-flags nil :verify-error nil :callbacks nil)
> gnutls-negotiate: GnuTLS error: #<process tls>, -50
>
>   On browsers, once I have got one to accept trying to use
>   TLSv1.0 , which ATM stiil seems not to be possible,
>   the next thing is I have to add the router's self-signed
>   certificate to the browser's trust store, usually through some
>   Advanced -> Add Security Exception "Site Security Exception List" -
>   is there such a list for GnuTLS ? Or a way of specifying the
>   equivalent of curls' '-k': 'do not validate certificate trust chain'
> option ?
>
> Thanks, All the best,
> Jason
>
> On 13/02/2022, Eli Zaretskii <eliz@gnu.org> wrote:
>>> From: Jason Vas Dias <jason.vas.dias@gmail.com>
>>> Date: Sun, 13 Feb 2022 16:48:00 +0000
>>> Cc: emacs-devel@gnu.org
>>>
>>> Still no joy with Firefox 96, Chrome Unstable, EWW, W3M -
>>> ideally, it would be nice if EWW or W3M would let me set
>>> the TLS protocol version to use, with some variable setting -
>>> that is really why I was posting to the emacs-devel list.
>>
>> AFAIU, in Emacs you should be able to request SSLv1 via the :priority
>> setting of gnutls-boot.  E.g., try to customize
>> gnutls-algorithm-priority to include "VERS-TLS1.1".
>>
>