emacs-devel

Re: [PATCH RFC] GnuTLS: Support TOFU certificate checking.


From: Toke Høiland-Jørgensen
Subject: Re: [PATCH RFC] GnuTLS: Support TOFU certificate checking.
Date: Wed, 08 Oct 2014 18:09:25 +0200

Ted Zlatanov <address@hidden> writes:

> Emacs has this function already, e.g. `(locate-user-emacs-file "certs")'
>
> I think it's better to make the store private than shared by default, so
> I'd just give the user the choice to use nil (translated to NULL in
> C).

Ah, yes, this should come from the lisp side of course. Silly me, hadn't
even thought of that.

> That would be great, please see how far you get with the exploration.
> Your contribution is already very useful so I am excited to see it
> evolve.

Well, gnutls-cli asks the user in a callback (set with
gnutls_certificate_set_verify_function). The TOFU verification starts at
line 461 of
https://gitorious.org/gnutls/gnutls/source/ce47098eecba5fb3256b855f9674ee0ca458c60c:src/cli.c

so it seems it's just pausing in the middle of the handshake.

> OK; Lars and I will probably work on it as well as time allows in
> order to get something into trunk.

Oh, by all means. I didn't mean that as "don't touch it", more as "don't
expect anything more too soon" :)

Have updated the patch to use a configurable credentials file and put in
the autoconf stuff. Will resend it once I have tested it :)

-Toke
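
The first-use decision that a verify callback like the one described above has to make, as an added example that is not part of the original message and is not GnuTLS or Emacs code. It is a simplified file-backed pin store in C; the function names, the `host service key` line format and the `accept_new` flag (standing in for the user's answer to the prompt) are assumptions.

```c
/* Added example (not GnuTLS/Emacs code); names and file format are assumptions. */
#include <stdio.h>
#include <string.h>
enum tofu_result { TOFU_MATCH, TOFU_UNKNOWN, TOFU_MISMATCH };

/* A field must be non-empty, fit the reader's buffer, and hold no whitespace. */
static int field_ok(const char *s, size_t max)
{
    size_t n = strlen(s);
    return n > 0 && n <= max && strcspn(s, " \t\r\n") == n;
}

/* Compare key with the keys pinned for host/svc in the store file db. */
enum tofu_result tofu_lookup(const char *db, const char *host,
                             const char *svc, const char *key)
{
    char h[256], s[32], k[512];
    enum tofu_result res = TOFU_UNKNOWN;
    FILE *f = fopen(db, "r");
    if (!f) return TOFU_UNKNOWN;      /* no store yet: nothing is pinned */
    while (fscanf(f, "%255s %31s %511s", h, s, k) == 3) {
        if (strcmp(h, host) || strcmp(s, svc)) continue;
        if (strcmp(k, key) == 0) { res = TOFU_MATCH; break; }
        res = TOFU_MISMATCH;          /* a later line may still match */
    }
    fclose(f);
    return res;
}

/* Pin a key by appending one line; returns 0 on success, -1 on error. */
int tofu_store(const char *db, const char *host, const char *svc, const char *key)
{
    if (!field_ok(host, 255) || !field_ok(svc, 31) || !field_ok(key, 511))
        return -1;                    /* refuse fields that could forge a line */
    FILE *f = fopen(db, "a");
    if (!f) return -1;
    int ok = fprintf(f, "%s %s %s\n", host, svc, key) > 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* 0 continues the handshake, nonzero aborts; accept_new is the user's answer. */
int tofu_verify(const char *db, const char *host, const char *svc,
                const char *key, int accept_new)
{
    switch (tofu_lookup(db, host, svc, key)) {
    case TOFU_MATCH:   return 0;
    case TOFU_UNKNOWN: return accept_new ? tofu_store(db, host, svc, key) : -1;
    default:           return -1;     /* pinned key changed: never auto-replace */
    }
}
```

A changed key is rejected even when `accept_new` is set, so replacing a pin has to be a separate, deliberate step rather than a side effect of the first-use prompt.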


