From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: need help with certificate bundles for ALL the platforms Emacs supports (was: GnuTLS invasion of Emacs published)
Date: Thu, 09 Feb 2012 09:16:16 -0500
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <87ipjgw0r3.fsf_-_@lifelogs.com>
References: <4F25FA2F.2010401@gmail.com> <4F27F4A1.6030907@gmail.com> <6E4BE1E758D04283A7C3A660ED379966@us.oracle.com> <87liolnipl.fsf@lifelogs.com> <50081AA79F2F4860A3B9DCEDFC1ABEC8@us.oracle.com> <877h04nc2e.fsf@lifelogs.com> <83ehucfjc8.fsf@gnu.org> <87r4ycjbjz.fsf_-_@lifelogs.com> <83mx8zev8s.fsf@gnu.org> <87vcnnj1xm.fsf@lifelogs.com>
Reply-To: emacs-devel@gnu.org
To: emacs-devel@gnu.org
User-Agent: Gnus/5.130002 (Ma Gnus v0.2) Emacs/24.0.93 (gnu/linux)
Xref: news.gmane.org gmane.emacs.devel:148403

On Fri, 03 Feb 2012 11:51:01 -0500 Ted Zlatanov wrote:

>>> There is one annoying detail with the cert bundle on W32.  It
>>> defaults to /etc/ssl/certs/ca-certificates.crt which is not valid on
>>> W32 and on many other platforms.

TZ> I mentioned this because it's the only important GnuTLS-related
TZ> configuration bit on all platforms.  It should be in the manual, I
TZ> think, but consider that I proposed a while back that Emacs should ship
TZ> with its own version of the Mozilla cert bundle, so that this works on
TZ> all platforms, but that was not OK with the maintainers.

After discussing this with Stefan Monnier, I've decided to proceed as
follows:

New variable `gnutls-trustfiles' will be a list of trustfiles for your
platform, filtered by file existence.  It can take functions in the
list, and the functions can return a list of files or a single file.
When the list is empty, you'll get a message to look in the GNU ELPA
for fallbacks.

A new GNU ELPA package "cert-bundle-mozilla" will provide a fallback
from Mozilla's certificate bundle.  It will be versioned the same as
that bundle and updated periodically.  When you install that package,
it will add a function to `gnutls-trustfiles' to load the package's
cert bundle file.

I need a list of possible cert bundle locations on all the platforms
Emacs supports, or methods to retrieve them.  Please send to me
directly or follow up here.  The assembled list will help me greatly.

I'll start with the easiest ones (please correct me if any are wrong,
based on http://mercurial.selenic.com/wiki/CACertificates):

Debian, Ubuntu, Gentoo and Arch Linux: /etc/ssl/certs/ca-certificates.crt
(maintained by `update-ca-certificates').

Fedora and RHEL: /etc/pki/tls/certs/ca-bundle.crt

Suse: /etc/ssl/ca-bundle.pem

Mac OS X has the certificate list in the system keychain.  If we had
keychain access functions in Emacs, or a shell call to dump the
contents, I could export it.  Any help is welcome.

W32 doesn't seem to have a system cert bundle and getting it from any
specific browser is unreliable, but any suggestions are welcome.

Ted
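The resolution logic the message proposes (a list mixing file names and functions, filtered by file existence, with a fallback hint when nothing is left) as an added Emacs Lisp illustration. This is not Emacs's own `gnutls-trustfiles' implementation and not part of the original post; all `my-gnutls-*' names are hypothetical, the candidate paths are the ones listed in the message, and the macOS export assumes that `security find-certificate -a -p' against the system root keychain dumps the roots as PEM.

```elisp
;; Added illustration, not Emacs's own code.  Names prefixed `my-gnutls-'
;; are hypothetical.

(defvar my-gnutls-trustfiles
  '("/etc/ssl/certs/ca-certificates.crt"  ; Debian, Ubuntu, Gentoo, Arch Linux
    "/etc/pki/tls/certs/ca-bundle.crt"    ; Fedora, RHEL
    "/etc/ssl/ca-bundle.pem"              ; Suse
    my-gnutls-macos-keychain-bundle)      ; function item: exports the macOS keychain
  "Candidate CA trust files.
Strings are file names; symbols are functions returning a file name,
a list of file names, or nil.")

(defun my-gnutls-macos-keychain-bundle ()
  "Export the macOS system root certificates to a PEM file.
Return the file name, or nil when not on macOS, when `security' is
missing, or when the export produced nothing.  Assumption: the
`security find-certificate -a -p' invocation prints the roots as PEM."
  (when (and (eq system-type 'darwin) (executable-find "security"))
    (let ((out (expand-file-name "macos-roots.pem" temporary-file-directory)))
      (with-temp-buffer
        (and (zerop (call-process
                     "security" nil t nil "find-certificate" "-a" "-p"
                     "/System/Library/Keychains/SystemRootCertificates.keychain"))
             (> (buffer-size) 0)
             (progn (write-region (point-min) (point-max) out nil 'silent)
                    out))))))

(defun my-gnutls-resolve-trustfiles (candidates)
  "Return the existing trust files among CANDIDATES, in order.
Function items are called and may return one file name or a list of
them; every file name is kept only if the file exists.  When nothing
survives, point the user at the GNU ELPA fallback package."
  (let (found)
    (dolist (item candidates)
      (let ((files (if (functionp item) (funcall item) item)))
        (dolist (f (if (listp files) files (list files)))
          (when (and (stringp f) (file-exists-p f))
            (push f found)))))
    (setq found (nreverse found))
    (unless found
      (message "No CA trust files found; see the cert-bundle-mozilla package on GNU ELPA"))
    found))

(defun my-gnutls-count-certs (file)
  "Return the number of PEM certificate blocks in FILE.
A quick sanity check that a resolved path really is a bundle and not
an empty or truncated file."
  (with-temp-buffer
    (insert-file-contents file)
    (how-many "^-----BEGIN CERTIFICATE-----$" (point-min) (point-max))))

;; How a fallback package would hook in, mirroring the message's plan
;; (hypothetical function name; the package would point it at its own file):
;; (add-to-list 'my-gnutls-trustfiles #'my-mozilla-bundle-file t)

;; Usage:
;; (my-gnutls-resolve-trustfiles my-gnutls-trustfiles)
;; (mapcar #'my-gnutls-count-certs
;;         (my-gnutls-resolve-trustfiles my-gnutls-trustfiles))
```

Appending the fallback with `add-to-list ... t' keeps the platform's own store ahead of the bundled one, so a fallback only widens the trust set when the system has nothing; the certificate count check catches the case where a candidate path exists but holds no usable roots, which would otherwise surface only as a confusing verification failure.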