From: ashish.is@lostca.se (Ashish SHUKLA)
To: emacs-devel@gnu.org
Subject: [PATCH] Add FreeBSD CA bundle location to GnuTLS
Date: Fri, 13 Nov 2015 19:19:27 +0530
Message-ID: <86y4e2m2l4.fsf@chateau.d.if>
[-- Attachment #1.1: Type: text/plain, Size: 749 bytes --]
Hi,
I've come across this interesting article[1], and noticed that
`gnutls-trustfiles' is missing the CA certificate path listed for FreeBSD, as
installed by FreeBSD port security/ca_root_nss[2].
So as per the documentation, the attached diffs add the CA bundle location
for FreeBSD to `lisp/net/gnutls.el', and update the documentation accordingly.
Let me know if there is anything more I can do to make it commit-worthy.
References:
[1] https://glyph.twistedmatrix.com/2015/11/editor-malware.html
[2] http://www.freshports.org/security/ca_root_nss
Thanks!
--
Ashish SHUKLA
“Genius does what it must, and Talent does what it can.”
(Owen Meredith)
Sent from my Emacs
[-- Attachment #1.2: 0001-net-gnutls.el-gnutls-trustfiles-Add-FreeBSD-location.patch --]
[-- Type: text/x-patch, Size: 1306 bytes --]
From f5d1f02986ec10ab301fddfeb19e04c7977cc2fa Mon Sep 17 00:00:00 2001
From: Ashish SHUKLA <ashish.is@lostca.se>
Date: Fri, 13 Nov 2015 18:47:33 +0530
Subject: [PATCH 1/2] net/gnutls.el (gnutls-trustfiles): Add FreeBSD location
---
lisp/net/gnutls.el | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 479c9a5..ccaef8a 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -67,10 +67,11 @@ set this variable to \"normal:-dhe-rsa\"."
(defcustom gnutls-trustfiles
'(
- "/etc/ssl/certs/ca-certificates.crt" ; Debian, Ubuntu, Gentoo and Arch Linux
- "/etc/pki/tls/certs/ca-bundle.crt" ; Fedora and RHEL
- "/etc/ssl/ca-bundle.pem" ; Suse
- "/usr/ssl/certs/ca-bundle.crt" ; Cygwin
+ "/etc/ssl/certs/ca-certificates.crt" ; Debian, Ubuntu, Gentoo and Arch Linux
+ "/etc/pki/tls/certs/ca-bundle.crt" ; Fedora and RHEL
+ "/etc/ssl/ca-bundle.pem" ; Suse
+ "/usr/ssl/certs/ca-bundle.crt" ; Cygwin
+ "/usr/local/share/certs/ca-root-nss.crt" ; FreeBSD
)
"List of CA bundle location filenames or a function returning said list.
The files may be in PEM or DER format, as per the GnuTLS documentation.
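Review bot: the four existing entries (Debian through Cygwin) are removed and re-added with the same paths and the same comments, so as far as the visible lines show, the only change to them is comment alignment to make room for the longer FreeBSD path. That turns a one-line addition into 5 insertions and 4 deletions and rewrites blame for every entry in the trust list, which is exactly the list a reviewer wants to audit line by line. Consider adding only the "/usr/local/share/certs/ca-root-nss.crt" ; FreeBSD line, or stating in the commit message that the other four lines are whitespace-only. The subject line also names the file as net/gnutls.el while the diff path is lisp/net/gnutls.el.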
--
2.6.2
[-- Attachment #1.3: 0002-emacs-gnutls.texi-Help-For-Users-Update-gnutls-trust.patch --]
[-- Type: text/x-patch, Size: 1709 bytes --]
From 90ad6f4e93cc1f8dd0021c1706cadaabf71bd975 Mon Sep 17 00:00:00 2001
From: Ashish SHUKLA <ashish.is@lostca.se>
Date: Fri, 13 Nov 2015 19:02:13 +0530
Subject: [PATCH 2/2] * emacs-gnutls.texi (Help For Users): Update
`gnutls-trustfiles'
---
doc/misc/emacs-gnutls.texi | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/doc/misc/emacs-gnutls.texi b/doc/misc/emacs-gnutls.texi
index 4f6ef01..0ea775b 100644
--- a/doc/misc/emacs-gnutls.texi
+++ b/doc/misc/emacs-gnutls.texi
@@ -123,14 +123,15 @@ The @code{gnutls-trustfiles} variable is a list of trustfiles
host name (although @code{gnutls-negotiate} supports a trustfile per
connection so it could be done if needed). The trustfiles can be in
PEM or DER format and examples can be found in most Unix
-distributions. By default four locations are tried in this order:
+distributions. By default five locations are tried in this order:
@file{/etc/ssl/certs/ca-certificates.crt} for Debian, Ubuntu, Gentoo
and Arch Linux; @file{/etc/pki/tls/certs/ca-bundle.crt} for Fedora
and RHEL; @file{/etc/ssl/ca-bundle.pem} for Suse;
-@file{/usr/ssl/certs/ca-bundle.crt} for Cygwin. You can easily
-customize @code{gnutls-trustfiles} to be something else, but let us
-know if you do, so we can make the change to benefit the other users
-of that platform.
+@file{/usr/ssl/certs/ca-bundle.crt} for Cygwin;
+@file{/usr/local/share/certs/ca-root-nss.crt} for FreeBSD. You can
+easily customize @code{gnutls-trustfiles} to be something else, but
+let us know if you do, so we can make the change to benefit the other
+users of that platform.
@end defvar
@defvar gnutls-verify-error
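Review bot: the changed sentence "By default five locations are tried in this order" hard-codes a count that has to be edited every time an entry is added to gnutls-trustfiles, and it goes stale silently if the list in lisp/net/gnutls.el changes without a matching doc patch. Consider dropping the number (for example "By default the following locations are tried in this order:") so that future additions only need a new @file entry. The path given here, /usr/local/share/certs/ca-root-nss.crt, matches the string added in patch 1/2, and the rest of the diff in this hunk is paragraph reflow after the Cygwin entry.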
--
2.6.2