gnutls-devel

Re: Emacs core TLS support


From: Ted Zlatanov
Subject: Re: Emacs core TLS support
Date: Tue, 14 Sep 2010 13:30:47 -0500
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/24.0.50 (gnu/linux)

On Mon, 13 Sep 2010 09:49:30 +0200 Nikos Mavrogiannopoulos <address@hidden> wrote:

NM> 2010/9/11 Ted Zlatanov <address@hidden>:
>> - no SRP anywhere, just anon and x509 (I'll add SRP if we need it and
>>  when the other two are working)
>> Now I get GNUTLS_E_INSUFFICIENT_CREDENTIALS when I open an x509
>> connection to an IMAP TLS server so I think there's still work to do.
>> The trust file seems to be wrong (see lisp/net/gnutls.el, I tried both
>> "/etc/ssl/certs/ca-certificates.crt" and "/etc/ssl/certs/ca.pem").
>> The GnuTLS examples don't seem to cover the standard situation of
>> talking to a web server over SSL and possibly accepting an insecure
>> connection if the server credentials are bad.  I must have missed
>> something.  Could the GnuTLS developers look at my patch and help me
>> out?

NM> I cannot look at the patch but the example you are looking for is:
NM> http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html#Simple-client-example-with-X_002e509-certificate-support
NM> to do the connection, and this one to verify the certificate:
NM> http://www.gnu.org/software/gnutls/manual/html_node/Verifying-peer_0027s-certificate.html#Verifying-peer_0027s-certificate

What ca.pem should I use?  There's one in GnuTLS and one in
/etc/ssl/certs/ca.pem on my Ubuntu system.  It should Just Work so it
may make sense to ship ca.pem with Emacs.  WDYT?

The simple client code is implemented in my current patch.  Without
verifying anything I keep getting GNUTLS_E_AGAIN when I try to handshake
against an SSL server.  See gnutls-boot, the control flow is really
simple and I think correct.  What am I missing?

Thanks!
Ted



