From: Chong Yidong
Newsgroups: gmane.emacs.devel
Subject: Re: url library and GnuTLS, and Emacs-issued certificates
Date: Thu, 24 Mar 2011 14:42:29 -0400
Message-ID: <87pqpgpdgq.fsf@stupidchicken.com>
References: <87mxkojpk4.fsf@lifelogs.com> <87hbawtbq7.fsf@stupidchicken.com> <878vw8hznm.fsf_-_@lifelogs.com> <87ei5xsvl6.fsf@lifelogs.com> <87hbatofix.fsf@stupidchicken.com> <87ei5xo695.fsf@stupidchicken.com>
In-Reply-To: (Lars Magne Ingebrigtsen's message of "Thu, 24 Mar 2011 05:55:30 +0100")
To: emacs-devel@gnu.org
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.0.50 (gnu/linux)
Xref: news.gmane.org gmane.emacs.devel:137643

Lars Magne Ingebrigtsen writes:

> tls.el is quite simple. You start openssl/gnutls-cli as a subprocess
> with the correct parameters, parse the output slightly, and then talk
> over the socket.
>
> starttls.el is a bit different. You call `open-starttls-stream', which
> starts gnutls-cli in unencrypted mode. Then you do protocol-specific
> things to see whether the server supports STARTTLS. If it does, you
> issue the commands necessary for the server to start talking TLS. You
> then call `starttls-negotiate' which sends a signal to gnutls-cli which
> makes gnutls-cli go to encrypted mode, parses the output from
> gnutls-cli, and returns the status of the now-encrypted socket.

I see. Thanks for the explanation. A couple more questions:

How about gnutls.el? If I understand correctly, open-gnutls-stream works just like open-tls-stream, except it uses the gnutls library directly instead of using a command line client---and it does not support the mode of operation provided in starttls.el. Correct?
Also, does this mean it's impossible to use open-tls-stream and open-gnutls-stream to opportunistically open a TLS stream? I see that proto-stream.el, in `network' mode, opens a connection using starttls-open-stream and then uses gnutls-negotiate from gnutls.el to do the negotiation; what's the advantage of doing this?
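The capability check and upgrade step described in the quoted text, as an added example that is not code from starttls.el, proto-stream.el or gnutls-cli (Python rather than Emacs Lisp, SMTP flavour): a constructed scripted server stands in for the peer during the unencrypted phase, so the two decisions made before any TLS handshake, "is STARTTLS advertised?" and "did the server answer 220?", can be run offline. The `require_tls` parameter is an assumption of this example, showing where a caller that needs encryption refuses to continue on a stream that never upgraded.

```python
def parse_reply(lines):
    """Parse a multi-line SMTP reply into (code, keywords).
    '250-X' is a continuation line, '250 X' the final one; the first line
    of an EHLO reply is the greeting, not a capability."""
    keywords, code = set(), None
    for i, line in enumerate(lines):
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in " -":
            raise ValueError(f"malformed reply line: {line!r}")
        code = int(line[:3])
        words = line[4:].split()
        if i > 0 and words:
            keywords.add(words[0].upper())  # EHLO keywords are case-insensitive
        if line[3] == " ":  # space after the code marks the last line
            break
    return code, keywords


class ScriptedServer:
    """Constructed fake server: fixed replies per command, commands logged."""
    def __init__(self, ehlo_reply, starttls_reply):
        self.ehlo_reply, self.starttls_reply, self.log = ehlo_reply, starttls_reply, []

    def send(self, cmd):
        self.log.append(cmd)
        verb = cmd.split()[0].upper()
        if verb == "EHLO":
            return self.ehlo_reply
        if verb == "STARTTLS":
            return [self.starttls_reply]
        return ["500 command not recognized"]


def negotiate_starttls(server, require_tls=True, client_name="client.example"):
    """Plain EHLO -> is STARTTLS advertised? -> STARTTLS -> require a 220.
    Returns 'tls' only when the server accepted the upgrade, so the TLS
    handshake may begin. 'plain' means the stream is still unencrypted;
    with require_tls (assumed parameter) the caller never gets such a stream."""
    code, caps = parse_reply(server.send(f"EHLO {client_name}"))
    if code == 250 and "STARTTLS" in caps:
        code, _ = parse_reply(server.send("STARTTLS"))
        if code == 220:
            return "tls"
    if require_tls:
        raise ConnectionError("server did not upgrade to TLS; refusing plaintext")
    return "plain"
```

A missing STARTTLS keyword and a non-220 answer both leave the stream in plaintext, which is exactly the case a caller that sends credentials has to check for before continuing.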