From: Ted Zlatanov
Newsgroups: gmane.emacs.bugs
Subject: bug#23759: 25.1.50; open-tls-stream creates malformed gnutls-cli command if trusted cert files don't exist
Date: Tue, 05 Jul 2016 10:36:04 -0400
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <87wpl0gnjf.fsf@lifelogs.com>
References: <87y46ahz23.fsf@gmail.com>
In-Reply-To: (Konstantin Kliakhandler's message of "Sat, 2 Jul 2016 10:09:50 +0300")
To: Konstantin Kliakhandler
Cc: 23759@debbugs.gnu.org
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1.50 (gnu/linux)

On Sat, 2 Jul 2016 10:09:50 +0300 Konstantin Kliakhandler wrote:

KK> The problem: `open-tls-stream' replaces %t with exactly one element, which
KK> is nil if none of gnutls-trustfiles is readable, and the first element of
KK> gnutls-trustfiles if more than one is readable.
KK> The Solution: In the patch I make the test iterate on all the trustfiles as
KK> a user might have more than one relevant. In addition, I made the default
KK> setting for tls-program have entries that do not explicitly specify the
KK> trustfile.

KK> One thing to note here perhaps, is that if (gnutls-trustfiles) returns an
KK> empty list and one has the %t substitution in one of the tls-program
KK> entries, then that entry will not be run at all. I feel that this is
KK> reasonable since by setting --x509cafile nil one makes gnutls-cli fail
KK> anyway.

As you said, one of the key points of your patch is this:

- '("gnutls-cli --x509cafile %t -p %p %h"
+ '("gnutls-cli -p %p %h"
+ "gnutls-cli --x509cafile %t -p %p %h"

which replaces the specific call with a generic call (no CA file specified). This is probably less secure because it will use the system CA trustfiles regardless of the user's preferred `gnutls-trustfiles', so I'd rather not make it the first thing attempted.

KK> Finally, I'm experiencing the above behavior, as far as I can tell, by
KK> default in e.g. erc-tls. What is the proper way to move to the built in
KK> TLS? Is it likely to be something in my config or in the implementation of
KK> ERC?

On Mac OS X, you can use Homebrew to build it with all the nice libraries, or use one of the pre-built binary packages.

brew update && brew reinstall emacs --HEAD --use-git-head --cocoa --with-gnutls --with-rsvg --with-imagemagick

On W32, you need the right DLLs installed.

Once the libraries are installed, you're all set; they'll be used automatically.

Ted
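Review bot: in the two `+` lines the CA-file-less entry `"gnutls-cli -p %p %h"` is placed first, so whenever it connects successfully the `"gnutls-cli --x509cafile %t -p %p %h"` entry after it is never tried and the user's `gnutls-trustfiles` setting is silently bypassed in favour of gnutls-cli's default trust store (the concern raised in the reply above). Suggest swapping the two lines so the `--x509cafile %t` entry stays first and the plain entry is only a fallback; since the patch also makes the `%t` entry skip itself when no trust file is readable rather than expanding to `--x509cafile nil`, the fallback is still reached in exactly that case. The docstring of `tls-program` should then say that the fallback entry verifies against gnutls-cli's own default trust store, not `gnutls-trustfiles`.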
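The substitution mechanism under discussion, as an added Emacs Lisp example that is neither tls.el's own code nor the patch from this report: the %t placeholder of a `tls-program'-style template is expanded once per readable trust file (not once with the first one, or with nil), and a template that needs %t is dropped entirely when no trust file is readable, so no command line ever contains "--x509cafile nil". The function name `my-tls-expand-commands', the demo host, port and file paths are assumptions; only the first path is expected to exist on a typical GNU/Linux system.

```elisp
;; Added illustrative code, not tls.el's implementation nor the patch
;; from bug#23759.  Expands %t once per *readable* trust file and skips
;; a %t template when none is readable, so the resulting command never
;; contains "--x509cafile nil".
(require 'format-spec)

(defun my-tls-expand-commands (templates host port trustfiles)
  "Return the command lines to try, in TEMPLATES order.
TEMPLATES are strings using %h (host), %p (port) and %t (trust file).
TRUSTFILES is a list of candidate CA bundles, such as the value
returned by `gnutls-trustfiles'.  A template containing %t yields one
command per readable trust file; if none is readable it yields nothing,
instead of a command that gnutls-cli would reject."
  (let ((readable (delq nil (mapcar (lambda (f) (and (file-readable-p f) f))
                                    trustfiles)))
        (port (if (integerp port) (number-to-string port) port))
        result)
    (dolist (tmpl templates (nreverse result))
      (if (string-match-p "%t" tmpl)
          ;; One expansion per readable trust file; no %t, no command.
          (dolist (tf readable)
            (push (format-spec tmpl (format-spec-make ?h host ?p port ?t tf))
                  result))
        ;; Template without %t: expand host and port only.
        (push (format-spec tmpl (format-spec-make ?h host ?p port))
              result)))))

;; Constructed demo input (assumed host and paths).  The --x509cafile
;; entry is listed first so that a caller trying the commands in order,
;; as `open-tls-stream' does with `tls-program', prefers the user's own
;; trust files; the plain entry is only reached when no trust file is
;; readable or the first command fails.
(my-tls-expand-commands
 '("gnutls-cli --x509cafile %t -p %p %h"
   "gnutls-cli -p %p %h")
 "mail.example.org" 993
 '("/etc/ssl/certs/ca-certificates.crt" "/nonexistent/ca.pem"))
```

With the demo input the unreadable path is filtered out, so the result contains one --x509cafile command for the bundle that exists followed by the plain fallback; with an empty or entirely unreadable list of trust files only the fallback remains.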