From: ashish.is@lostca.se (Ashish SHUKLA)
Newsgroups: gmane.emacs.devel
Subject: [PATCH] Add FreeBSD CA bundle location to GnuTLS
Date: Fri, 13 Nov 2015 19:19:27 +0530
Organization: Lost Case
Message-ID: <86y4e2m2l4.fsf@chateau.d.if>
To: emacs-devel@gnu.org
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"

--==-=-=
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain; charset=utf-8

Hi,

I've come across this interesting article[1], and noticed that
`gnutls-trustfiles' is missing the CA certificate path listed for FreeBSD, as
installed by FreeBSD port security/ca_root_nss[2].

So as per the documentation, here are the attached diffs, which add the CA
bundle location for FreeBSD to `lisp/net/gnutls.el' and update the
documentation accordingly.

Let me know if there is anything more I can do to make it commit-worthy.

References:
[1] https://glyph.twistedmatrix.com/2015/11/editor-malware.html
[2] http://www.freshports.org/security/ca_root_nss

Thanks!
-- 
Ashish SHUKLA

“Genius does what it must, and Talent does what it can.” (Owen Meredith)

Sent from my Emacs

--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment; filename=0001-net-gnutls.el-gnutls-trustfiles-Add-FreeBSD-location.patch
Content-Transfer-Encoding: quoted-printable

From=20f5d1f02986ec10ab301fddfeb19e04c7977cc2fa Mon Sep 17 00:00:00 2001
From: Ashish SHUKLA Date: Fri, 13 Nov 2015 18:47:33 +0530 Subject: [PATCH 1/2] net/gnutls.el (gnutls-trustfiles): Add FreeBSD location =2D-- lisp/net/gnutls.el | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el index 479c9a5..ccaef8a 100644 =2D-- a/lisp/net/gnutls.el +++ b/lisp/net/gnutls.el @@ -67,10 +67,11 @@ set this variable to \"normal:-dhe-rsa\"." =20 (defcustom gnutls-trustfiles '( =2D "/etc/ssl/certs/ca-certificates.crt" ; Debian, Ubuntu, Gentoo and Ar= ch Linux =2D "/etc/pki/tls/certs/ca-bundle.crt" ; Fedora and RHEL =2D "/etc/ssl/ca-bundle.pem" ; Suse =2D "/usr/ssl/certs/ca-bundle.crt" ; Cygwin + "/etc/ssl/certs/ca-certificates.crt" ; Debian, Ubuntu, Gentoo and = Arch Linux + "/etc/pki/tls/certs/ca-bundle.crt" ; Fedora and RHEL + "/etc/ssl/ca-bundle.pem" ; Suse + "/usr/ssl/certs/ca-bundle.crt" ; Cygwin + "/usr/local/share/certs/ca-root-nss.crt" ; FreeBSD ) "List of CA bundle location filenames or a function returning said list. The files may be in PEM or DER format, as per the GnuTLS documentation. =2D-=20 2.6.2 --=-=-= Content-Type: text/x-patch Content-Disposition: attachment; filename=0002-emacs-gnutls.texi-Help-For-Users-Update-gnutls-trust.patch Content-Transfer-Encoding: quoted-printable From=2090ad6f4e93cc1f8dd0021c1706cadaabf71bd975 Mon Sep 17 00:00:00 2001 From: Ashish SHUKLA Date: Fri, 13 Nov 2015 19:02:13 +0530 Subject: [PATCH 2/2] * emacs-gnutls.texi (Help For Users): Update `gnutls-trustfiles' =2D-- doc/misc/emacs-gnutls.texi | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/doc/misc/emacs-gnutls.texi b/doc/misc/emacs-gnutls.texi index 4f6ef01..0ea775b 100644 =2D-- a/doc/misc/emacs-gnutls.texi +++ b/doc/misc/emacs-gnutls.texi 
@@ -123,14 +123,15 @@ The @code{gnutls-trustfiles} variable is a list of tr= ustfiles host name (although @code{gnutls-negotiate} supports a trustfile per connection so it could be done if needed). The trustfiles can be in PEM or DER format and examples can be found in most Unix =2Ddistributions. By default four locations are tried in this order: +distributions. By default five locations are tried in this order: @file{/etc/ssl/certs/ca-certificates.crt} for Debian, Ubuntu, Gentoo and Arch Linux; @file{/etc/pki/tls/certs/ca-bundle.crt} for Fedora and RHEL; @file{/etc/ssl/ca-bundle.pem} for Suse; =2D@file{/usr/ssl/certs/ca-bundle.crt} for Cygwin. You can easily =2Dcustomize @code{gnutls-trustfiles} to be something else, but let us =2Dknow if you do, so we can make the change to benefit the other users =2Dof that platform. +@file{/usr/ssl/certs/ca-bundle.crt} for Cygwin; +@file{/usr/local/share/certs/ca-root-nss.crt} for FreeBSD. You can +easily customize @code{gnutls-trustfiles} to be something else, but +let us know if you do, so we can make the change to benefit the other +users of that platform. 
@end defvar =20 @defvar gnutls-verify-error =2D-=20 2.6.2 --=-=-=-- --==-=-=--
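
Review bot: In the lisp/net/gnutls.el hunk at `gnutls-trustfiles', the four existing entries are removed and re-added only to realign their trailing comments with the longer FreeBSD path, so a one-line addition shows up as 5 insertions and 4 deletions and obscures the history of the existing paths. Consider leaving those four lines untouched and adding only the `"/usr/local/share/certs/ca-root-nss.crt"` entry, or moving the realignment into a separate whitespace-only commit. Since the cover message says this file is installed by the security/ca_root_nss port, the comment on the new entry could name the port (for example `; FreeBSD (security/ca_root_nss)`) so a reader knows why the file can be absent on a FreeBSD system. The subject line of this patch also lacks the leading `* ` and the `lisp/` directory that the second patch's style and the file path suggest.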
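
Review bot: In the doc/misc/emacs-gnutls.texi hunk, "By default five locations are tried in this order" hard-codes a count that has to be edited every time a path is added to `gnutls-trustfiles' and will go stale when someone forgets; wording such as "By default the following locations are tried in this order" avoids that. The new `@file{/usr/local/share/certs/ca-root-nss.crt} for FreeBSD` item does not say that the file comes from the security/ca_root_nss port named in the cover message, which is worth stating since the manual is where a user will look when certificate verification finds no trustfile. The re-wrapping of the unchanged "You can easily customize" sentence accounts for most of the 6 insertions and 5 deletions; keeping the original line breaks and starting the FreeBSD item on its own line would make the change easier to review.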