bug#9017: 24.0.50; gnutls.c: [0] (Emacs) fatal error: Key usage violation in certificate has been detected.

[Roland Winkler]

On Fri Jul 15 2011 Lars Magne Ingebrigtsen wrote:
> Roland, could you upgrade your Emacs and say
> 
> (setq gnutls-algorithm-priority "normal:-dhe-rsa")
> 
> and see whether that fixes the problem?

Similar to disabling gnutls-available-p, this now aborts with the
message

RCPT TO:<winkler@gnu.org>
554 <winkler@gnu.org>: Recipient address rejected: Access denied

But I am surprised that Emacs tries to send the message even though
the smtp server is configured such that it requires a username and
password for sending messages and I do not have yet an .authinfo
entry for the smtp server. It is my understanding that the emacs
code is such that emacs should ask me for username / password if
emacs believes it needs one for the smtp session. In other words, it
appears to me as if emacs and the smtp server do not communicate
properly so that emacs wants to send the message in a way that is
not supported by the smtp server. (I have no such problems with
emacs 23.)

On Fri Jul 15 2011 Ted Zlatanov wrote:
> I think there should be no such situations; the command-line GnuTLS
> tools are insecure and unreliable and should not have to be used.  As
> with the priority string option, whatever options users need should get
> added.  I see those cases as bugs rather than feature requests.

I understand your goal and in the long run it is probably the best
solution. I am merely looking at this from the perspective: if I had
been a regular user running into such a problem after release of
emacs 24, I would have been stuck. The new code is a substantial
change as compared to the old approach. And I do not see a simple
way to predict which other gnutls options might be needed by other
users. So even if the command line gnutls-cli is not perfect by
itself, it would give the user a more forgiving transition period if
with Emacs 24 the old approach remained available as a fallback.

Roland