From: Julien Danjou
Newsgroups: gmane.emacs.devel
Subject: GnuTLS and certificate verification
Date: Thu, 06 Sep 2012 00:13:06 +0200
Message-ID: <87sjaw2k5p.fsf@dex.adm.naquadah.org>
To: emacs-devel@gnu.org

Hi,

I'd like gnutls to check that the servers I connect to are trusted.

Using Gnus and smtpmail, currently, the check is disabled because the
argument :verify-hostname-error to `gnutls-negotiate' is always nil. It
seems nothing uses it for now. I wonder if adding a global defcustom
would be helpful here. WDYT?

OTOH, I've tried to set it manually to t, and I added my CA to the known
certificates. gnutls-bin is now happy to connect to my IMAP server and
considers it secure ("Peer's certificate is trusted").

But with gnutls.c, I keep hitting:

  if (peer_verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
    GNUTLS_LOG2 (1, max_log_level, "certificate signer was not found:",
                 c_hostname);

Note that the trustfile used seems correct too.

If anybody has a clue, I'd be glad…

-- 
Julien Danjou
/* Free Software hacker & freelance http://julien.danjou.info */