emacs-devel

Re: url library and GnuTLS, and Emacs-issued certificates


From: Lars Magne Ingebrigtsen
Subject: Re: url library and GnuTLS, and Emacs-issued certificates
Date: Thu, 24 Mar 2011 20:45:26 +0100
User-agent: Gnus/5.110016 (No Gnus v0.16) Emacs/24.0.50 (gnu/linux)

Chong Yidong <address@hidden> writes:

> How about gnutls.el?  If I understand correctly, open-gnutls-stream
> works just like open-tls-stream, except it uses the gnutls library
> directly instead of using a command line client---and it does not
> support the mode of operation provided in starttls.el.  Correct?

No, with gnutls.c, we just open a normal network stream (with
`open-network-stream'), and then if it turns out that the server
supports STARTTLS, we just put the server in STARTTLS mode and then
issue a `gnutls-negotiate' call.

> Also, does this mean it's impossible to use open-tls-stream and
> open-gnutls-stream to opportunistically open a TLS stream?  I see that
> proto-stream.el, in `network' mode, opens a connection using
> starttls-open-stream and then uses gnutls-negotiate from gnutls.el to do
> the negotiation; what's the advantage of doing this?

Looking at the code in `proto-stream-open-network', I can see why you
think it's doing that, but it's not.  I hope.  :-)  That function is
somewhat hairy because of all the combinations in the
do-opportunistic-upgrade/do-forced-upgrade/starttls.el/gnutls.c/do-support-STARTTLS
matrix, as well as error handling...

But for the "gnutls where the server supports STARTTLS and there are no
errors" case, it should just be doing

(defun proto-stream-open-network (name buffer host service parameters)

[...]

         (stream (open-network-stream name buffer host service))

[...]

            ;; The server said it was OK to start doing STARTTLS negotiations.
            (if (fboundp 'open-gnutls-stream)
                (gnutls-negotiate stream nil)                

-- 
(domestic pets only, the antidote for overdose, milk.)
  address@hidden * Lars Magne Ingebrigtsen
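
The flow described in the message above (plain stream first, then STARTTLS, then `gnutls-negotiate`), written out with the forced/opportunistic distinction made explicit. This is an added example, not code from the thread or from proto-stream.el. It assumes SMTP as the protocol and uses the keyword form of `gnutls-negotiate` from later Emacs releases rather than the positional call quoted in the message; all `demo-*` names are hypothetical.

```elisp
;; Added example, not code from the thread or from Emacs; demo-* names are
;; hypothetical and SMTP is an assumed protocol.
(require 'gnutls)

(defconst demo-reply-end "^[0-9]\\{3\\} .*\n"
  "Regexp matching the final line of an SMTP reply.")

(defun demo-cmd (proc line)
  "Send LINE to PROC (nothing if LINE is nil); return the complete reply."
  (with-current-buffer (process-buffer proc)
    (when line
      (erase-buffer)
      (process-send-string proc (concat line "\r\n")))
    (let ((deadline (+ (float-time) 10)))
      (while (and (process-live-p proc)
                  (< (float-time) deadline)
                  (not (progn (goto-char (point-min))
                              (re-search-forward demo-reply-end nil t))))
        (accept-process-output proc 0.1)))
    (goto-char (point-min))
    (unless (re-search-forward demo-reply-end nil t)
      (error "No complete reply from server"))
    (buffer-string)))

(defun demo-open-smtp (host port require-tls)
  "Connect to HOST:PORT in plaintext and upgrade with STARTTLS if offered.
Return (PROC . ENCRYPTED-P).  If REQUIRE-TLS is non-nil, signal an
error instead of continuing unencrypted."
  (let* ((buf (generate-new-buffer " *demo-smtp*"))
         (proc (open-network-stream "demo-smtp" buf host port :type 'plain)))
    (demo-cmd proc nil)                 ; server greeting
    (cond
     ((string-match-p "^250[- ]STARTTLS\r?$" (demo-cmd proc "EHLO localhost"))
      (let ((reply (demo-cmd proc "STARTTLS")))
        ;; Exactly one "220 ..." line may precede the handshake.  Extra
        ;; bytes are plaintext that would later be read as if they had
        ;; arrived inside the TLS session, so reject them.
        (unless (string-match-p "\\`220 [^\n]*\n\\'" reply)
          (delete-process proc)
          (error "Bad STARTTLS reply: %S" reply)))
      (with-current-buffer buf (erase-buffer))
      (gnutls-negotiate :process proc :hostname host :verify-error t)
      ;; Capabilities seen before the handshake were unauthenticated.
      (demo-cmd proc "EHLO localhost")
      (cons proc t))
     (require-tls
      (delete-process proc)
      (error "%s did not offer STARTTLS; refusing plaintext" host))
     (t (cons proc nil)))))
```

With `require-tls` nil the caller gets a plaintext stream whenever the capability line is absent, so the returned ENCRYPTED-P flag has to be checked before any credentials are sent.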



