Re: using GnuTLS 3.x and certificate checks
From: Ted Zlatanov
Subject: Re: using GnuTLS 3.x and certificate checks
Date: Thu, 06 Jun 2013 09:06:04 -0400
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux)
On Wed, 05 Jun 2013 16:55:39 -0400 Ted Zlatanov <address@hidden> wrote:
TZ> On Wed, 05 Jun 2013 11:13:18 -0400 Ted Zlatanov <address@hidden> wrote:
TZ> Without comments, I will assume a general OK on these two things:
TZ> - move to the GnuTLS 3.x API and require that version of the libraries.
TZ> - enable SSL certificate verification by default (I have some questions
TZ> about non-interactive cases in a separate thread).
TZ> ...and after Stefan's comments:
TZ> - SSL certificates will be run through a user-supplied acceptance
TZ> function/regex/whatever. If they are not accepted by it, the behavior
TZ> forks. In batch mode, we always refuse to accept. In interactive
TZ> mode, we do yes/no/save prompting, waiting forever. Saving the
TZ> certificate will put it in ~/.emacs.d/certificates or something
TZ> similar.
TZ> The interactive behavior may have a connection time out while waiting,
TZ> which will cause surprises. We'll try to reopen the connection but
TZ> the user may not enjoy the experience and it could get refused the
TZ> second time and so on.
...adding Christopher Schmidt's comments to the last item:
The user will also have an option to reject by default interactively, to
inspect the offered certificate, and so on. Basically the choice will
be this alist:
'((interactive . x)
(non-interactive . y))
where x and y can be:
'ask => prompt y/n/Y (permanent)/N (permanent)/inspect
'maybe-reject => goes through the acceptance function and rejects if it fails
nil => always reject unknown
t => always accept, good for testing but discouraged otherwise
The symbols may evolve to specify the acceptance function inline. The
default will probably be
'((interactive . ask)
(non-interactive . maybe-reject))
I hope that's helpful :)
Ted
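The policy alist sketched in the message, written out as an added example. This is not code from Emacs or from anyone in the thread, and every `my-tls-*` name is hypothetical; it also assumes the certificate is handed over as a plain DN string (the real GnuTLS binding would pass a richer object) and that "permanent" answers are recorded as one file per host under ~/.emacs.d/certificates/.

```elisp
;; Added example, not code from Emacs or from the thread: a sketch of the
;; dispatch described in the message.  All `my-tls-*' names are hypothetical.

(defvar my-tls-verify-policy
  '((interactive . ask)
    (non-interactive . maybe-reject))
  "How an unverified certificate is handled, keyed by run mode.
Values: `ask' (prompt; always refuse when Emacs is in batch mode),
`maybe-reject' (accept only if `my-tls-verify-accept-function' agrees),
nil (always reject) or t (always accept; for testing only).")

(defvar my-tls-verify-accept-function
  (lambda (cert) (string-match-p "CN=[^,]*\\.example\\.org" cert))
  "User-supplied acceptance predicate.  Assumption: CERT is a DN string
standing in for whatever object the GnuTLS binding would hand over.")

(defvar my-tls-certificate-directory
  (expand-file-name "certificates" user-emacs-directory)
  "Where permanent accept/reject decisions are stored, one file per host.")

(defun my-tls-cert-file (host status)
  "File recording a STATUS (`accepted' or `rejected') decision for HOST.
HOST comes from the connection attempt, so it is sanitised before being
used as a file name and cannot escape the directory."
  (expand-file-name (replace-regexp-in-string "[^[:alnum:].-]" "_" host)
                    (expand-file-name (symbol-name status)
                                      my-tls-certificate-directory)))

(defun my-tls-save-decision (host cert status)
  "Persist STATUS for HOST, keeping a copy of CERT for later inspection."
  (let ((file (my-tls-cert-file host status)))
    (make-directory (file-name-directory file) t)
    (with-temp-file file (insert cert))))

(defun my-tls-saved-decision (host)
  "Return `accepted', `rejected' or nil for HOST."
  (cond ((file-exists-p (my-tls-cert-file host 'accepted)) 'accepted)
        ((file-exists-p (my-tls-cert-file host 'rejected)) 'rejected)))

(defun my-tls-ask (host cert)
  "Prompt y/n/Y/N/i for CERT from HOST; return non-nil to accept.
Inspecting shows the certificate in a buffer and asks again."
  (pcase (read-char-choice
          (format "Unverified certificate from %s: (y)es, (n)o, (Y)es always, (N)o always, (i)nspect? "
                  host)
          '(?y ?n ?Y ?N ?i))
    (?y t)
    (?n nil)
    (?Y (my-tls-save-decision host cert 'accepted) t)
    (?N (my-tls-save-decision host cert 'rejected) nil)
    (?i (with-output-to-temp-buffer "*Certificate*" (princ cert))
        (my-tls-ask host cert))))

(defun my-tls-decide (host cert verified)
  "Return non-nil if the connection to HOST may proceed.
VERIFIED is non-nil when GnuTLS already verified CERT against the trust
store.  Saved decisions win over the policy; `ask' never prompts in batch."
  (or verified
      (let ((saved (my-tls-saved-decision host)))
        (if saved
            (eq saved 'accepted)
          (pcase (cdr (assq (if noninteractive 'non-interactive 'interactive)
                            my-tls-verify-policy))
            ('ask (and (not noninteractive) (my-tls-ask host cert)))
            ('maybe-reject (and (funcall my-tls-verify-accept-function cert) t))
            ('nil nil)
            ('t t)
            (other (error "Unknown certificate policy: %S" other)))))))

;; Constructed sample input (not a real certificate).  Under the default
;; policy in batch mode this consults the acceptance function instead of
;; prompting; interactively it prompts unless a decision was saved before.
(my-tls-decide "mail.example.org" "CN=mail.example.org,O=Example" nil)
```

Load it with `emacs -Q --batch -l policy.el` to exercise the non-interactive branch, or evaluate it in a running Emacs to see the prompt. The `verified` short-circuit is deliberate: the user-supplied acceptance function and the prompts only ever see certificates that GnuTLS itself could not verify, so a permissive regex cannot widen what the trust store already accepts.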