Re: GnuTLS invasion of Emacs published)

[Ted Zlatanov]

On Fri, 03 Feb 2012 18:29:07 +0200 Eli Zaretskii <address@hidden> wrote: 

>> From: Ted Zlatanov <address@hidden>
>> Date: Fri, 03 Feb 2012 08:23:12 -0500
>> Cc: address@hidden
>> 
EZ> What other features in Emacs use TLS as of this writing?  I thought
EZ> only email protocols do, which is why I described GnuTLS as I did.
>> 
>> Any network connection can use it.

EZ> I asked about actual use, not potential uses.

I think the potential use is just as important, since much of Emacs's
utility is in 3rd party packages.  But Stefan answered about the actual
uses in the Emacs trunk; the URL package is most important (because of
package.el) to the Emacs users in general.

>> I think Lars introduced that option, and at least HTTP/S connections
>> can use it.

EZ> Then this needs to be documented somewhere.

I agree.

`open-network-stream' has some documentation, and is most useful as an
API.

User customization of gnutls.el is minimal right now, just
`gnutls-algorithm-priority' and `gnutls-min-prime-bits'.  But those are
tricky: the specific library that uses the API may need to override them
too.  And generally they should not be tweaked.  So I'm not sure those
two deserve more mention in the manual.

>> It's a replacement for the previous libraries that managed secure
>> connections, except it doesn't depend on external binaries.  So it
>> really doesn't change much in terms of Emacs functionality, only in the
>> underlying implementation.

EZ> Lisp programmers should know they can use TLS when Emacs was compiled
EZ> with GnuTLS support.  Users should know that as well, because they
EZ> will need to set up their machines for that.  E.g., this:

>> There is one annoying detail with the cert bundle on W32.  It
>> defaults to /etc/ssl/certs/ca-certificates.crt which is not valid on
>> W32 and on many other platforms.

I mentioned this because it's the only important GnuTLS-related
configuration bit on all platforms.  It should be in the manual, I
think, but consider that I proposed a while back that Emacs should ship
with its own version of the Mozilla cert bundle, so that this works on
all platforms, but that was not OK with the maintainers.  

So that leaves us with the options of 1) trusting the platform (which
doesn't work on W32, AFAIK it doesn't have a cert bundle we can use; and
many GNU/Linux distros don't have a cert bundle in a standard place or
at all), or 2) making the cert bundle a GNU ELPA package than any
installer or user can activate.

Because of these concerns, currently we don't verify the peer
certificate in SSL and TLS connections.  See `gnutls-negotiate' for how
that would work.  The connections are still encrypted, but you could be
talking to an impostor.

I prefer the GNU ELPA package approach instead of trusting the platform,
but I also think the user should be able to customize this (and an
installer should offer the choice).  Coming back to documentation, I'd
like to settle the greater question of how to distribute the cert bundle
before we document the configuration options for it.

WDYT?

Ted