Hello,

I am using emacs on OSX 10.12 from https://emacsformacosx.com/builds

(emacs-version)
"GNU Emacs 25.1.50.1 (x86_64-apple-darwin13.4.0, NS appkit-1265.21 Version 10.9.5 (Build 13F1603))
 of 2016-05-30"

And experience the same problem when running emacs -Q. Furthermore, I diagnosed the cause to be incorrect building of formatted-cmd in open-tls-stream from the given arguments. Attached is a patch that fixes the problem on my end. To make the patch smaller, I did not reindent the whole function - I hope this is alright. 

Finally, I'd like to reply to:
 
Fran <flitterio <at> gmail.com> writes:
> If Cygwin is installed, open-tls-stream works, because gnutls-cli and openssl
> are available. It has worked for some time. I routinely use this feature to
> enable ERC to connect to servers using TLS using function erc-tls.
 
At some point, tls.el will be deprecated. Why aren't you just using
Emacs with the built-in TLS support?

In my honest opinion, a feature is either deprecated or not, and while it is not yet deprecated, bugs should not be ignored. I hope you would agree at least to the point of testing the patch and incorporating it if it works well :-)

Fuller description of the problem and the fix:

The problem: `open-tls-stream' replaces %t with exactly one element, which is nil if none of gnutls-trustfiles is readable, and the first element of gnutls-trustfiles is more than one is readable.
The Solution: In the patch I make the test iterate on all the trustfiles as a user might have more than one relevant. In addition, I made the default setting for tls-program have entries that do not explicitly specify the trustfile.

One thing to note here perhaps, is that if (gnutls-trustfiles) returns an empty list and one has the %t substitution in one of the tls-program entries, then that entry will not be run at all. I feel that this is reasonable since by setting --x509cafile nil one makes gnutls-cli fail anyway. 

Finally, I'm experiencing the above behavior, as far as I can tell, by default in e.g. erc-tls. What is the proper way to move to the built in TLS? Is it likely to be something in my config or in the implementation of ERC?

Thanks,
Kosta

-- 
Konstantin Kliakhandler
    http://slumpy.org
          )°) )°( (°(