Re: Emacs core TLS support
From: Nikos Mavrogiannopoulos
Subject: Re: Emacs core TLS support
Date: Tue, 14 Sep 2010 20:55:51 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.12) Gecko/20100826 Thunderbird/3.0.7
On 09/14/2010 08:30 PM, Ted Zlatanov wrote:
> On Mon, 13 Sep 2010 09:49:30 +0200 Nikos Mavrogiannopoulos <address@hidden>
> wrote:
>
> NM> 2010/9/11 Ted Zlatanov <address@hidden>:
>>> - no SRP anywhere, just anon and x509 (I'll add SRP if we need it and
>>> when the other two are working)
>>> Now I get GNUTLS_E_INSUFFICIENT_CREDENTIALS when I open a x509
>>> connection to an IMAP TLS server so I think there's still work to do.
>>> The trust file seems to be wrong (see lisp/net/gnutls.el, I tried both
>>> "/etc/ssl/certs/ca-certificates.crt" and "/etc/ssl/certs/ca.pem").
>>> The GnuTLS examples don't seem to cover the standard situation of
>>> talking to a web server over SSL and possibly accepting an insecure
>>> connection if the server credentials are bad. I must have missed
>>> something. Could the GnuTLS developers look at my patch and help me
>>> out?
> NM> I cannot look at the patch but the example you are looking for is:
> NM> http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html#Simple-client-example-with-X_002e509-certificate-support
> NM> to do the connection, and this one to verify the certificate:
> NM> http://www.gnu.org/software/gnutls/manual/html_node/Verifying-peer_0027s-certificate.html#Verifying-peer_0027s-certificate
>
> What ca.pem should I use? There's one in GnuTLS and one in
> /etc/ssl/certs/ca.pem on my Ubuntu system. It should Just Work so it
> may make sense to ship ca.pem with Emacs. WDYT?
This is local policy; I don't think that it has to be shipped with
Emacs. Just give the option of someone specifying it.
> The simple client code is implemented in my current patch. Without
> verifying anything I keep getting GNUTLS_E_AGAIN when I try to handshake
> against an SSL server. See gnutls-boot, the control flow is really
> simple and I think correct. What am I missing?
GNUTLS_E_AGAIN is returned only if the transport layer functions
(recv/send) return -1 with EAGAIN. Usually this is normal behavior and it is
enough to loop around them. Do you use non-blocking I/O?
regards,
Nikos