From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Eli Zaretskii Newsgroups: gmane.emacs.devel Subject: Re: NSM certificate prompt Date: Sat, 13 Dec 2014 21:13:50 +0200 Message-ID: <83vblf4b2p.fsf@gnu.org> References: <83a92r625n.fsf@gnu.org> <87wq5vefiz.fsf@gmx.de> <83388j5wrs.fsf@gnu.org> <87mw6reaxu.fsf@gmx.de> <83y4qb4eeg.fsf@gnu.org> Reply-To: Eli Zaretskii NNTP-Posting-Host: plane.gmane.org X-Trace: ger.gmane.org 1418498066 6890 80.91.229.3 (13 Dec 2014 19:14:26 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Sat, 13 Dec 2014 19:14:26 +0000 (UTC) Cc: emacs-devel@gnu.org To: michael.albinus@gmx.de, Ted Zlatanov Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Sat Dec 13 20:14:19 2014 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1Xzs8w-0007e3-TJ for ged-emacs-devel@m.gmane.org; Sat, 13 Dec 2014 20:14:19 +0100 Original-Received: from localhost ([::1]:34067 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Xzs8w-0005Tz-7m for ged-emacs-devel@m.gmane.org; Sat, 13 Dec 2014 14:14:18 -0500 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:57448) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Xzs8m-0005To-TH for emacs-devel@gnu.org; Sat, 13 Dec 2014 14:14:14 -0500 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Xzs8g-00075F-Vi for emacs-devel@gnu.org; Sat, 13 Dec 2014 14:14:08 -0500 Original-Received: from mtaout21.012.net.il ([80.179.55.169]:39416) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Xzs8g-000758-N5 for emacs-devel@gnu.org; Sat, 13 Dec 2014 14:14:02 -0500 Original-Received: from conversion-daemon.a-mtaout21.012.net.il by a-mtaout21.012.net.il (HyperSendmail v2007.08) id <0NGJ00100BS0F200@a-mtaout21.012.net.il> for emacs-devel@gnu.org; Sat, 13 Dec 2014 21:14:01 +0200 (IST) Original-Received: from HOME-C4E4A596F7 ([87.69.4.28]) by a-mtaout21.012.net.il (HyperSendmail v2007.08) with ESMTPA id <0NGJ001NLC3C6Q80@a-mtaout21.012.net.il>; Sat, 13 Dec 2014 21:14:01 +0200 (IST) In-reply-to: <83y4qb4eeg.fsf@gnu.org> X-012-Sender: halo1@inter.net.il X-detected-operating-system: by eggs.gnu.org: Solaris 10 X-Received-From: 80.179.55.169 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:180031 Archived-At: > Date: Sat, 13 Dec 2014 20:01:59 +0200 > From: Eli Zaretskii > Cc: emacs-devel@gnu.org > > GnuTLS on Windows uses the CertEnumCertificatesInStore API to retrieve > all the Root and Certification Authority certificates known to the > system. I suppose at least IE uses the same API, so I wonder how come > GnuTLS fails to validate the certificates, while IE succeeds. > > I guess some debugging is in order. Ha! It's very simple: we don't call the GnuTLS function that adds system's default trusted CAs to the data used for certificate verification. The simple patch below solves the problem for me. Any objections to installing this? Including on the branch? Ted? What about Posix systems -- won't calling gnutls_certificate_set_x509_system_trust remove the need to load gnutls-trustfiles explicitly for every TLS connection? diff --git a/src/gnutls.c b/src/gnutls.c index ad4d997..bbe5d49 100644 --- a/src/gnutls.c +++ b/src/gnutls.c @@ -103,6 +103,11 @@ enum extra_peer_verification DEF_GNUTLS_FN (int, gnutls_certificate_set_x509_key_file, (gnutls_certificate_credentials_t, const char *, const char *, gnutls_x509_crt_fmt_t)); +#if GNUTLS_VERSION_MAJOR + \ + (GNUTLS_VERSION_MINOR > 0 || GNUTLS_VERSION_PATCH >= 20) > 3 +DEF_GNUTLS_FN (int, gnutls_certificate_set_x509_system_trust, + (gnutls_certificate_credentials_t)); +#endif DEF_GNUTLS_FN (int, gnutls_certificate_set_x509_trust_file, (gnutls_certificate_credentials_t, const char *, gnutls_x509_crt_fmt_t)); @@ -227,6 +232,10 @@ enum extra_peer_verification LOAD_GNUTLS_FN (library, gnutls_certificate_set_verify_flags); LOAD_GNUTLS_FN (library, gnutls_certificate_set_x509_crl_file); LOAD_GNUTLS_FN (library, gnutls_certificate_set_x509_key_file); +#if GNUTLS_VERSION_MAJOR + \ + (GNUTLS_VERSION_MINOR > 0 || GNUTLS_VERSION_PATCH >= 20) > 3 + LOAD_GNUTLS_FN (library, gnutls_certificate_set_x509_system_trust); +#endif LOAD_GNUTLS_FN (library, gnutls_certificate_set_x509_trust_file); LOAD_GNUTLS_FN (library, gnutls_certificate_type_get); LOAD_GNUTLS_FN (library, gnutls_certificate_verify_peers2); @@ -314,6 +323,10 @@ enum extra_peer_verification #define fn_gnutls_certificate_set_verify_flags gnutls_certificate_set_verify_flags #define fn_gnutls_certificate_set_x509_crl_file gnutls_certificate_set_x509_crl_file #define fn_gnutls_certificate_set_x509_key_file gnutls_certificate_set_x509_key_file +#if GNUTLS_VERSION_MAJOR + \ + (GNUTLS_VERSION_MINOR > 0 || GNUTLS_VERSION_PATCH >= 20) > 3 +#define fn_gnutls_certificate_set_x509_system_trust gnutls_certificate_set_x509_system_trust +#endif #define fn_gnutls_certificate_set_x509_trust_file gnutls_certificate_set_x509_trust_file #define fn_gnutls_certificate_type_get gnutls_certificate_type_get #define fn_gnutls_certificate_verify_peers2 gnutls_certificate_verify_peers2 @@ -1308,6 +1321,14 @@ one trustfile (usually a CA bundle). */) int file_format = GNUTLS_X509_FMT_PEM; Lisp_Object tail; +#if GNUTLS_VERSION_MAJOR + \ + (GNUTLS_VERSION_MINOR > 0 || GNUTLS_VERSION_PATCH >= 20) > 3 + ret = fn_gnutls_certificate_set_x509_system_trust (x509_cred); + if (ret < GNUTLS_E_SUCCESS) + GNUTLS_LOG2i (4, max_log_level, "setting system trust failed with code ", + ret); +#endif + for (tail = trustfiles; CONSP (tail); tail = XCDR (tail)) { Lisp_Object trustfile = XCAR (tail);