From: Elias Oltmanns
To: ding@gnus.org
Cc: emacs-devel@gnu.org
Newsgroups: gmane.emacs.gnus.general,gmane.emacs.devel
Subject: [Patch] Make tls.el support certificate verification
Date: Mon, 17 Sep 2007 01:08:48 +0200
Message-ID: <877imqtdhb.fsf@denkblock.local>
User-Agent: Gnus/5.110007 (No Gnus v0.7)
Xref: news.gmane.org gmane.emacs.gnus.general:65199 gmane.emacs.devel:79054

Hi all,

since there is a copy of tls.el in gnus but the emacs22 copy is moved to lisp/net, I'm not quite sure as to who is ultimately maintaining it. Hence, I'm sending this to both lists.

Please find attached a patch (to current gnus trunk) that adds all it needs to facilitate the certificate verification features of gnutls-cli and openssl.

Regards,
Elias

Content-Type: text/x-patch
Content-Disposition: inline; filename=tls.patch

Index: lisp/tls.el
===================================================================
RCS file: /usr/local/cvsroot/gnus/lisp/tls.el,v
retrieving revision 7.14
diff -u -r7.14 tls.el
--- lisp/tls.el 9 Apr 2007 23:44:06 -0000 7.14
+++ lisp/tls.el 16 Sep 2007 15:40:39 -0000
@@ -82,6 +82,38 @@ :type 'regexp :group 'tls) +(defcustom tls-checktrust nil + "Indicate if certificates should be checked against trusted root certs. +If this is `ask', the user can decide whether to accept an untrusted +certificate. You may have to adapt `tls-program' in order to make this feature +work properly, i.e., to ensure that the external program knows about the +root certificates you consider trustworthy. An appropriate entry in .emacs +might look like this: +(setq tls-program + '(\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h\" + \"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3\" + \"openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2\"))" + :type '(choice (const :tag "Always" t) + (const :tag "Never" nil) + (const :tag "Ask" ask)) + :group 'tls) + +(defcustom tls-untrusted "- Peer's certificate is NOT trusted\\|Verify return code: \\([^0] \\|.[^ ]\\)" + "*Regular expression indicating failure of TLS certificate verification. +The default is what GNUTLS's \"gnutls-cli\" or OpenSSL's +\"openssl s_client\" return in the event of unsuccessful verification." + :type 'regexp + :group 'tls) + +(defcustom tls-hostmismatch "# The hostname in the certificate does NOT match" + "*Regular expression indicating a host name mismatch in certificate. +When the host name specified in the certificate doesn't match the name of the +host you are connecting to, gnutls-cli issues a warning to this effect. There +is no such feature in openssl. Set this to nil if you want to ignore host name +mismatches." + :type 'regexp + :group 'tls) + (defcustom tls-certtool-program (executable-find "certtool") "Name of GnuTLS certtool. Used by `tls-certificate-information'." 
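Review bot: the docstring of the new `tls-checktrust` promises three behaviours (t = always reject, nil = never check, `ask` = prompt the user), but nothing in this patch ever reads `tls-checktrust`; what actually switches the checks on is whether `tls-untrusted` and `tls-hostmismatch` are non-nil, so a user who leaves `tls-checktrust` at its default of nil is still checked and prompted. Either make the connection code consult it (and say so in the docstring), or drop the option and document the two regexps (nil to disable) as the switches. Two smaller points: the leading `*` in the docstrings of `tls-untrusted` and `tls-hostmismatch` is the old `defvar` convention and is not needed with `defcustom`; and the `tls-hostmismatch` docstring already notes that openssl offers no host name check, so it would help to state plainly that with the openssl entry of `tls-program` a host name mismatch is never detected, only an untrusted chain.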
@@ -156,6 +188,25 @@ (if done "done" "failed")) (if done (setq done process) + (delete-process process)))) + (when done + (save-excursion + (set-buffer buffer) + (when + (or + (and tls-untrusted + (progn + (goto-char (point-min)) + (re-search-forward tls-untrusted nil t)) + (not (yes-or-no-p + (format "The certificate presented by `%s' is NOT trusted. Accept anyway? " host)))) + (and tls-hostmismatch + (progn + (goto-char (point-min)) + (re-search-forward tls-hostmismatch nil t)) + (not (yes-or-no-p + (format "Host name in certificate doesn't match `%s'. Connect anyway? " host))))) + (setq done nil) (delete-process process)))) (message "Opening TLS connection to `%s'...%s" host (if done "done" "failed")) --=-=-=--
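Review bot: the `or` form calls `yes-or-no-p` whenever `tls-untrusted` or `tls-hostmismatch` matches, regardless of `tls-checktrust`, so setting it to t ("Always") still lets the user wave an untrusted certificate through and nil does not turn the check off; and until `tls-program` is adapted as the `tls-checktrust` docstring advises, the external program has no trusted roots to verify against, so the "NOT trusted" match and the prompt will fire on essentially every connection. Suggest wrapping the whole check in `(when tls-checktrust ...)` and consulting the user only in the `ask` case, e.g. replacing each `(not (yes-or-no-p ...))` with `(or (not (eq tls-checktrust 'ask)) (not (yes-or-no-p ...)))`, so that t rejects outright and nil skips the search. Style: `(save-excursion (set-buffer buffer) ...)` can be `(with-current-buffer buffer ...)`.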