From: Ted Zlatanov
Newsgroups: gmane.comp.encryption.gpg.gnutls.devel, gmane.emacs.devel
Subject: Re: Emacs core TLS support
Date: Tue, 14 Sep 2010 13:30:47 -0500
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <8739tcch48.fsf@lifelogs.com>
References: <878wc1vfh3.fsf@lifelogs.com> <87r5ptpnz2.fsf@stupidchicken.com> <871vhsvkut.fsf@lifelogs.com> <87d41csktn.fsf@lifelogs.com> <87k4v0n0m8.fsf@lifelogs.com> <87wrrvfnc4.fsf@lifelogs.com> <87r5i2d00q.fsf@lifelogs.com> <87zkwqijye.fsf@stupidchicken.com> <878w4actmg.fsf@lifelogs.com> <877hju123h.fsf@stupidchicken.com> <8762yklrdk.fsf@lifelogs.com> <87wrqzhrjv.fsf@lifelogs.com> <87fwxmihyz.fsf@lifelogs.com> <8762ycfhqo.fsf@lifelogs.com>
To: gnutls-devel@gnu.org
Cc: emacs-devel@gnu.org
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/24.0.50 (gnu/linux)
Xref: news.gmane.org gmane.comp.encryption.gpg.gnutls.devel:4507 gmane.emacs.devel:130142

On Mon, 13 Sep 2010 09:49:30 +0200 Nikos Mavrogiannopoulos wrote:

NM> 2010/9/11 Ted Zlatanov:
>> - no SRP anywhere, just anon and x509 (I'll add SRP if we need it and
>>   when the other two are working)

>> Now I get GNUTLS_E_INSUFFICIENT_CREDENTIALS when I open an x509
>> connection to an IMAP TLS server so I think there's still work to do.
>> The trust file seems to be wrong (see lisp/net/gnutls.el, I tried both
>> "/etc/ssl/certs/ca-certificates.crt" and "/etc/ssl/certs/ca.pem").
>> The GnuTLS examples don't seem to cover the standard situation of
>> talking to a web server over SSL and possibly accepting an insecure
>> connection if the server credentials are bad.  I must have missed
>> something.  Could the GnuTLS developers look at my patch and help me
>> out?

NM> I cannot look at the patch but the example you are looking for is:
NM> http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html#Simple-client-example-with-X_002e509-certificate-support
NM> to do the connection, and this one to verify the certificate:
NM> http://www.gnu.org/software/gnutls/manual/html_node/Verifying-peer_0027s-certificate.html#Verifying-peer_0027s-certificate

What ca.pem should I use?  There's one in GnuTLS and one in
/etc/ssl/certs/ca.pem on my Ubuntu system.  It should Just Work so it
may make sense to ship ca.pem with Emacs.  WDYT?

The simple client code is implemented in my current patch.  Without
verifying anything I keep getting GNUTLS_E_AGAIN when I try to
handshake against an SSL server.  See gnutls-boot, the control flow is
really simple and I think correct.  What am I missing?

Thanks!
Ted