From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: need help with certificate bundles for ALL the platforms Emacs supports
Date: Mon, 13 Feb 2012 08:24:30 -0500
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <87ipja7to1.fsf@lifelogs.com>
References: <4F25FA2F.2010401@gmail.com> <4F27F4A1.6030907@gmail.com> <6E4BE1E758D04283A7C3A660ED379966@us.oracle.com> <87liolnipl.fsf@lifelogs.com> <50081AA79F2F4860A3B9DCEDFC1ABEC8@us.oracle.com> <877h04nc2e.fsf@lifelogs.com> <83ehucfjc8.fsf@gnu.org> <87r4ycjbjz.fsf_-_@lifelogs.com> <83mx8zev8s.fsf@gnu.org> <87vcnnj1xm.fsf@lifelogs.com> <87ipjgw0r3.fsf_-_@lifelogs.com> <87zkcqr4td.fsf@lifelogs.com> <87fwef8zui.fsf@lifelogs.com>
Reply-To: emacs-devel@gnu.org
To: emacs-devel@gnu.org
Xref: news.gmane.org gmane.emacs.devel:148546

On Sun, 12 Feb 2012 22:28:24 -0500 Stefan Monnier wrote:

>> +(defcustom gnutls-trustfiles '(
>> +  ;; Debian, Ubuntu, Gentoo and Arch Linux
>> +  "/etc/ssl/certs/ca-certificates.crt"
>> +  ;; Fedora and RHEL
>> +  "/etc/pki/tls/certs/ca-bundle.crt"
>> +  ;; Suse
>> +  "/etc/ssl/ca-bundle.pem"
>> +  )
>> +  "List of functions or filenames yielding CA bundle locations.
>> +The files may be in PEM or DER format, as per the GnuTLS documentation.
>> +The files may not exist, in which case they will be ignored.
>> +Functions will be called and may return a filename or a list of filenames."
>> +  :group 'gnutls
>> +  :type '(repeat (choice (function :tag "Function")
>> +                         (file :tag "Bundle filename"))))

SM> How 'bout something like

(defcustom gnutls-trustfile
  ;; Default: an explicit `cert-bundle-location' if one is bound,
  ;; otherwise the first readable candidate bundle.  Evaluated once,
  ;; when the defcustom itself is evaluated.
  (let ((file (if (boundp 'cert-bundle-location) cert-bundle-location))
        (candidates '("/etc/ssl/certs/ca-certificates.crt" ; Debian, Gentoo, Arch.
                      "/etc/pki/tls/certs/ca-bundle.crt"  ; Fedora and RHEL.
                      "/etc/ssl/ca-bundle.pem"            ; Suse.
                      )))
    (while candidates
      (if (file-readable-p (car candidates))
          ;; Take the first readable candidate and stop the loop.
          (setq file (car candidates) candidates nil)
        (setq candidates (cdr candidates))))
    file)
  "Name of the CA bundle file.
The file may be in PEM or DER format, as per the GnuTLS documentation."
  :group 'gnutls
  :type '(choice (const nil) (file :tag "Bundle filename")))

The trustfiles parameter is a list of files, all the way through to gnutls.c. I don't think it should be demoted to a single file in the customization interface, and it still needs a function choice. Also I don't want to decide the default bundle file names at the time the defcustom is evaluated. Since `gnutls-trustfiles' can contain function calls, I'd like it to be called when it's needed.
For instance, it's very common to store certificates as PEM files in a directory, and the user should be able to choose that approach instead of managing a concatenated bundle. If we built the file list only once, the modular approach would fail. Another situation is on W32, where the cert bundle has to be dynamically built (which will require some caching but should still be done as close to using the bundle as possible).

Ted
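Review bot: the docstring in the `gnutls-trustfiles' hunk says that missing files "will be ignored", but nothing states what the caller gets when none of the three listed bundles is present (the W32 case raised in this reply, for one): the resolved trust list is then empty and certificate verification has no anchor to chain to. Either extend the docstring to say that an empty result leaves nothing to verify against, or have the code that consumes the list warn or signal when it resolves to nil rather than passing an empty list down to gnutls.c silently. Minor: the vendor comment `;; Suse' would read more consistently as `;; SUSE' next to "Fedora and RHEL".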
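To make the lazy-resolution argument concrete, here is an added example in Emacs Lisp; it is not code from the patch or from Emacs itself. It resolves a `gnutls-trustfiles'-style list (filenames and functions, as the patch's docstring describes) at the moment the trust list is needed, so a function entry such as a directory scanner sees whatever PEM files exist right now, and it refuses to hand back an empty list. The variable `my-gnutls-trustfiles' and the functions `my-gnutls-pem-files-in' and `my-gnutls-resolve-trustfiles' are names chosen for this example; the `gnutls-negotiate' call in the trailing comment is assumed to accept a `:trustfiles' list, as Ted states it does.

```elisp
;; Added example: resolve a list of CA bundle sources at use time.
;; Not part of the patch under discussion; helper names are assumed.

(defvar my-gnutls-trustfiles
  (list
   ;; Concatenated bundles shipped by common distributions.
   "/etc/ssl/certs/ca-certificates.crt"   ; Debian, Ubuntu, Gentoo, Arch
   "/etc/pki/tls/certs/ca-bundle.crt"     ; Fedora and RHEL
   "/etc/ssl/ca-bundle.pem"               ; SUSE
   ;; A function entry: one PEM/CRT file per CA in a directory.
   ;; It runs every time the list is resolved, not once at load time,
   ;; so certificates added to the directory later are picked up.
   ;; A W32-specific builder (with its own caching) would go here too.
   (lambda () (my-gnutls-pem-files-in "/etc/ssl/certs/")))
  "Files, or functions returning files, that yield CA bundles.
Example variable; mirrors the shape of `gnutls-trustfiles' in the patch.")

(defun my-gnutls-pem-files-in (dir)
  "Return the readable *.pem and *.crt files under DIR, or nil if DIR is absent.
DIR is scanned each time this is called."
  (when (file-directory-p dir)
    (let (files)
      (dolist (f (directory-files dir t "\\.\\(pem\\|crt\\)\\'"))
        (when (file-readable-p f)
          (push f files)))
      (nreverse files))))

(defun my-gnutls-resolve-trustfiles (spec)
  "Flatten SPEC, a list of filenames and functions, into readable files.
Functions are called now, at resolution time, and may return a single
filename or a list of filenames.  Files that do not exist or are not
readable are skipped, as the patch's docstring says they should be.
Signal an error instead of returning nil: with no trust anchors at all,
certificate verification cannot succeed, and silently passing an empty
list down to GnuTLS hides that from the user."
  (let (files)
    (dolist (item spec)
      (let ((resolved (if (functionp item) (funcall item) item)))
        (dolist (f (if (listp resolved) resolved (list resolved)))
          (when (and (stringp f) (file-readable-p f))
            (push (expand-file-name f) files)))))
    (setq files (delete-dups (nreverse files)))
    (unless files
      (error "No readable CA bundle found; refusing to use an empty trust list"))
    files))

;; Resolve at connection time, not at load time, so the result reflects
;; the filesystem as it is now (call assumed; see the lead-in):
;; (gnutls-negotiate :process proc :hostname host
;;                   :trustfiles (my-gnutls-resolve-trustfiles my-gnutls-trustfiles)
;;                   :verify-error t)
```

The important design choice is where `my-gnutls-resolve-trustfiles' is called: inside the connection path, not as the default value of the defcustom. Evaluating the candidates once, as the single-file variant above does, freezes the answer at load time, which is exactly what breaks the directory-of-PEMs and W32 cases.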