* GnuTLS and certificate verification
@ 2012-09-05 22:13 Julien Danjou
2012-12-21 17:17 ` Ted Zlatanov
0 siblings, 1 reply; 3+ messages in thread
From: Julien Danjou @ 2012-09-05 22:13 UTC (permalink / raw)
To: emacs-devel
[-- Attachment #1: Type: text/plain, Size: 893 bytes --]
Hi,
I'd like gnutls to check that the server I connect to are trusted. Using
Gnus and smtpmail, currently, the check is disable because
the argument :verify-hostname-error to `gnutls-negotiate' is always nil.
It seems nothing uses it for now.
I wonder if adding a global defcustom would be helpful here. WDYT?
OTOH, I've tried to set it manually to t, and I added my CA to the know
certificates. gnutls-bin is now happy to connect to my IMAP server and
considers it secure ("Peer's certificate is trusted"). But with
gnutls.c, I keep hitting:
if (peer_verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
GNUTLS_LOG2 (1, max_log_level, "certificate signer was not found:",
c_hostname);
Note that the trustfile used seems correct too.
If anybody has a clue, I'd be glad…
--
Julien Danjou
/* Free Software hacker & freelance
http://julien.danjou.info */
[-- Attachment #2: Type: application/pgp-signature, Size: 835 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: GnuTLS and certificate verification
2012-09-05 22:13 GnuTLS and certificate verification Julien Danjou
@ 2012-12-21 17:17 ` Ted Zlatanov
2012-12-22 14:49 ` Julien Danjou
0 siblings, 1 reply; 3+ messages in thread
From: Ted Zlatanov @ 2012-12-21 17:17 UTC (permalink / raw)
To: emacs-devel
On Thu, 06 Sep 2012 00:13:06 +0200 Julien Danjou <julien@danjou.info> wrote:
JD> I'd like gnutls to check that the server I connect to are trusted. Using
JD> Gnus and smtpmail, currently, the check is disable because
JD> the argument :verify-hostname-error to `gnutls-negotiate' is always nil.
JD> It seems nothing uses it for now.
JD> I wonder if adding a global defcustom would be helpful here. WDYT?
Yes, if the underlying code works.
JD> OTOH, I've tried to set it manually to t, and I added my CA to the know
JD> certificates. gnutls-bin is now happy to connect to my IMAP server and
JD> considers it secure ("Peer's certificate is trusted"). But with
JD> gnutls.c, I keep hitting:
JD> if (peer_verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
JD> GNUTLS_LOG2 (1, max_log_level, "certificate signer was not found:",
JD> c_hostname);
JD> Note that the trustfile used seems correct too.
JD> If anybody has a clue, I'd be glad…
I tested this but not thoroughly with self-signed certs (which it seems
you're using, though I can't be sure from your description).
This specific error could be due to many things; you need to either look
at the GnuTLS context yourself, post a recipe for duplicating the issue
here or in a bug, or ask in the gnutls-devel mailing list with that
recipe. Either way I will try to help you find the solution.
Ted
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: GnuTLS and certificate verification
2012-12-21 17:17 ` Ted Zlatanov
@ 2012-12-22 14:49 ` Julien Danjou
0 siblings, 0 replies; 3+ messages in thread
From: Julien Danjou @ 2012-12-22 14:49 UTC (permalink / raw)
To: emacs-devel
[-- Attachment #1: Type: text/plain, Size: 740 bytes --]
On Fri, Dec 21 2012, Ted Zlatanov wrote:
> I tested this but not thoroughly with self-signed certs (which it seems
> you're using, though I can't be sure from your description).
It's not a self-signed certificate, it's a certificate signed by my CA,
which I've imported onto my system.
> This specific error could be due to many things; you need to either look
> at the GnuTLS context yourself, post a recipe for duplicating the issue
> here or in a bug, or ask in the gnutls-devel mailing list with that
> recipe. Either way I will try to help you find the solution.
Thanks Ted. I'll do that will get back to you once I know more!
--
Julien Danjou
-- Free Software hacker & freelance
-- http://julien.danjou.info
[-- Attachment #2: Type: application/pgp-signature, Size: 835 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2012-12-22 14:49 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-09-05 22:13 GnuTLS and certificate verification Julien Danjou
2012-12-21 17:17 ` Ted Zlatanov
2012-12-22 14:49 ` Julien Danjou
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.