From: Lars Magne Ingebrigtsen
Newsgroups: gmane.emacs.devel
Subject: Re: [PATCH RFC] GnuTLS: Support TOFU certificate checking.
Date: Tue, 07 Oct 2014 23:35:04 +0200
To: Toke Høiland-Jørgensen
Cc: emacs-devel@gnu.org
References: <1412716565-7786-1-git-send-email-toke@toke.dk>
In-Reply-To: <1412716565-7786-1-git-send-email-toke@toke.dk> (Toke Høiland-Jørgensen's message of "Tue, 7 Oct 2014 23:16:05 +0200")
User-Agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/24.4.50 (gnu/linux)
Toke Høiland-Jørgensen writes:

> (require 'gnutls)
> (setq gnutls-verify-error '((".*" :tofu)))
> (open-gnutls-stream "test" nil "google.com" 443) ; this should fail
>
> To add the certificate to the trust store, execute (in a shell)
> `gnutls-cli --tofu -p 443 google.com` and answer yes when it asks
> whether to trust the certificate. Doing so should cause the open to
> succeed the next time around.

I think all the certificate checking should just work out of the box
without the user having to do any configuration or shell commands.
I.e., it should be done by `open-network-stream'.

See http://permalink.gmane.org/gmane.emacs.devel/174908 for how I think
this should work from the user's standpoint, if you want to implement
it.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
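The trust-on-first-use flow the quoted snippet configures (first open fails, the user pins the certificate with `gnutls-cli --tofu`, later opens succeed, a changed certificate is refused) is modelled below in Python as an added example. It is not Emacs, GnuTLS or the patch's code: the JSON pin store, the SHA-256-over-DER fingerprint, the `example.test` host and the certificate bytes are all constructed assumptions, and the function names are hypothetical.

```python
# Added example: a minimal trust-on-first-use (TOFU) certificate check.
# Not Emacs, GnuTLS or gnutls-cli code; the store layout, the SHA-256
# fingerprint and all sample hosts/certificates are assumptions.
import hashlib
import json
import os
from typing import Dict, List

# Pin store: "host:port" -> hex SHA-256 of the DER-encoded leaf certificate.
PinStore = Dict[str, str]


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 over the DER certificate bytes (the value that gets pinned)."""
    return hashlib.sha256(cert_der).hexdigest()


def tofu_verify(store: PinStore, host: str, port: int, cert_der: bytes,
                pin_on_first_use: bool = False) -> str:
    """Check a presented certificate against the pin store.

    Returns one of:
      "first-use" - no pin yet for host:port. With pin_on_first_use=True the
                    certificate is recorded now; that first contact is
                    unauthenticated, which is the inherent TOFU trade-off.
      "match"     - presented certificate equals the pinned one.
      "mismatch"  - certificate differs from the pin: either a key rotation
                    that has to be confirmed out of band, or an interception.
                    Callers must refuse the connection.
    Host and port are pinned separately, since another service on the same
    host may legitimately present a different certificate.
    """
    key = f"{host}:{port}"
    fp = fingerprint(cert_der)
    pinned = store.get(key)
    if pinned is None:
        if pin_on_first_use:
            store[key] = fp
        return "first-use"
    return "match" if pinned == fp else "mismatch"


def pin_certificate(store: PinStore, host: str, port: int, cert_der: bytes) -> None:
    """The explicit trust decision; in the quoted message this is the step
    delegated to `gnutls-cli --tofu` with an interactive "yes" answer."""
    store[f"{host}:{port}"] = fingerprint(cert_der)


def allow_connection(store: PinStore, host: str, port: int, cert_der: bytes) -> bool:
    """Strict policy matching the quoted snippet: only an existing, matching
    pin lets the connection proceed; unknown and mismatching both fail."""
    return tofu_verify(store, host, port, cert_der) == "match"


def load_store(path: str) -> PinStore:
    """Read the JSON pin store; a missing file is an empty store."""
    if not os.path.exists(path):
        return {}
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def save_store(store: PinStore, path: str) -> None:
    """Persist the pin store, owner-readable only: it is the trust anchor
    for every later connection, so it deserves the same care as a key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(store, fh, indent=2, sort_keys=True)


def walkthrough() -> List[str]:
    """The sequence from the quoted message with constructed certificates:
    first open fails, the user pins, the next open succeeds, and a later
    different certificate for the same host:port is flagged."""
    store: PinStore = {}
    cert_a = b"-- constructed DER bytes for example.test, certificate A --"
    cert_b = b"-- constructed DER bytes for example.test, certificate B --"
    events = []
    events.append("open-1:" + ("ok" if allow_connection(store, "example.test", 443, cert_a) else "fail"))
    pin_certificate(store, "example.test", 443, cert_a)  # gnutls-cli --tofu, answered yes
    events.append("open-2:" + ("ok" if allow_connection(store, "example.test", 443, cert_a) else "fail"))
    events.append("open-3:" + tofu_verify(store, "example.test", 443, cert_b))
    return events


if __name__ == "__main__":
    print(walkthrough())
```

The `pin_on_first_use` switch is the design point under discussion: with it on, the first connection silently becomes the trust anchor and the user never sees a prompt, which is the out-of-the-box behaviour the reply asks for; with it off, as the quoted configuration does, the first connection fails until someone explicitly pins. Either way the only thing TOFU detects is a certificate that changes after pinning, so an attacker present on the very first connection is not caught by it.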