From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: GnuTLS and certificate verification
Date: Fri, 21 Dec 2012 12:17:25 -0500
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <87623vjpei.fsf@lifelogs.com>
References: <87sjaw2k5p.fsf@dex.adm.naquadah.org>
In-Reply-To: <87sjaw2k5p.fsf@dex.adm.naquadah.org> (Julien Danjou's message of "Thu, 06 Sep 2012 00:13:06 +0200")
To: emacs-devel@gnu.org
User-Agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux)
Xref: news.gmane.org gmane.emacs.devel:155735

On Thu, 06 Sep 2012 00:13:06 +0200 Julien Danjou wrote:

JD> I'd like gnutls to check that the servers I connect to are trusted. Using
JD> Gnus and smtpmail, currently, the check is disabled because
JD> the argument :verify-hostname-error to `gnutls-negotiate' is always nil.
JD> It seems nothing uses it for now.
JD> I wonder if adding a global defcustom would be helpful here. WDYT?

Yes, if the underlying code works.

JD> OTOH, I've tried to set it manually to t, and I added my CA to the known
JD> certificates. gnutls-bin is now happy to connect to my IMAP server and
JD> considers it secure ("Peer's certificate is trusted"). But with
JD> gnutls.c, I keep hitting:

JD>   if (peer_verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
JD>     GNUTLS_LOG2 (1, max_log_level, "certificate signer was not found:",
JD>                  c_hostname);

JD> Note that the trustfile used seems correct too.
JD> If anybody has a clue, I'd be glad…

I tested this but not thoroughly with self-signed certs (which it seems
you're using, though I can't be sure from your description). This
specific error could be due to many things; you need to either look at
the GnuTLS context yourself, post a recipe for duplicating the issue
here or in a bug, or ask in the gnutls-devel mailing list with that
recipe. Either way I will try to help you find the solution.

Ted
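The following is an added illustration, not code from Emacs and not something posted in this thread. It sketches the "global defcustom" Julien proposes and Ted agrees with: a single user option that decides whether a failed chain check or hostname check aborts the connection, fed into the :verify-error and :verify-hostname-error keywords of `gnutls-negotiate' by a small wrapper around `open-network-stream'. The option name `my-gnutls-verify-error', the wrapper name `my-open-verified-tls-stream', the host and the CA file path in the usage comment are assumptions made for the example; `gnutls-negotiate', `gnutls-trustfiles' and the keywords used are the Emacs 24.3-era API the thread refers to.

```emacs-lisp
;; Added example, not code from Emacs or from this thread.  The names
;; `my-gnutls-verify-error' and `my-open-verified-tls-stream' are assumed
;; for illustration; the `gnutls-negotiate' keywords are the real ones.
(require 'gnutls)

(defcustom my-gnutls-verify-error nil
  "If non-nil, abort TLS connections whose peer certificate fails verification.
When nil, `gnutls-negotiate' only logs verification problems (the behaviour
described in the thread, where the keyword is always nil).  When t, a chain
that does not lead to a trusted CA (GNUTLS_CERT_SIGNER_NOT_FOUND) or a
certificate whose name does not match the host is a hard error."
  :type 'boolean
  :group 'gnutls)

(defun my-open-verified-tls-stream (name buffer host port &optional trustfiles)
  "Open a TLS connection to HOST:PORT, verifying the peer certificate.
TRUSTFILES defaults to `gnutls-trustfiles'.  For a server using a
self-signed certificate or a private CA, the CA certificate must be in
that list, or GnuTLS reports that the signer was not found.
Returns the process; signals an error when `my-gnutls-verify-error' is
non-nil and verification fails."
  (let ((proc (open-network-stream name buffer host port))
        (verify my-gnutls-verify-error))
    (condition-case err
        (gnutls-negotiate :process proc
                          :type 'gnutls-x509pki
                          :hostname host
                          :trustfiles (or trustfiles gnutls-trustfiles)
                          ;; Pass both keywords so a bad chain and a
                          ;; hostname mismatch are treated the same way.
                          :verify-error verify
                          :verify-hostname-error verify)
      (error
       ;; Do not leave a half-negotiated socket behind after a failure.
       (delete-process proc)
       (signal (car err) (cdr err))))))

;; Usage (host and CA path are placeholders):
;; (setq my-gnutls-verify-error t)
;; (my-open-verified-tls-stream
;;  "imap" nil "imap.example.org" 993
;;  (cons "/etc/ssl/my-private-ca.pem" gnutls-trustfiles))
```

With the option left at nil the wrapper behaves like the existing callers Julien describes: verification problems are only logged. With it set to t, a connection whose CA is not in TRUSTFILES is refused rather than silently accepted, which is the check gnutls-cli already performs when it prints "Peer's certificate is trusted".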