From: Vincent Bernat
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Builtin GnuTLS support and certificate verification
Date: Sat, 02 Nov 2013 18:40:31 +0100
Message-ID: <874n7uu2gg.fsf@guybrush.luffy.cx>
References: <87iowbt5dq.fsf@guybrush.luffy.cx> <878ux782na.fsf@dex.adm.naquadah.org>
In-Reply-To: <878ux782na.fsf@dex.adm.naquadah.org> (Julien Danjou's message of "Sat, 02 Nov 2013 12:27:21 +0100")
To: ding@gnus.org
User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3 (gnu/linux)

❦ 2 November 2013 12:27 CET, Julien Danjou :

>> Is there a way to enable certificate verification for Gnus? If not, is
>> there a way to force the old way to do TLS (by using an external
>> program)?
>
> This has been on my TODO list for a year. There was a thread I launched on
> emacs-devel about that a year ago with Ted:
>
> http://lists.gnu.org/archive/html/emacs-devel/2012-09/msg00154.html
> http://lists.gnu.org/archive/html/emacs-devel/2012-12/msg00575.html
>
> I didn't have time to dig since then, but I'd appreciate any hint on
> this subject.
:)

OK, I have just tested myself with:

#v+
;; Valid chain from the default trust store: negotiation succeeds.
(gnutls-negotiate :process (open-network-stream "test" nil "www.dailymotion.com" 443)
                  :hostname "www.dailymotion.com"
                  :verify-hostname-error t
                  :verify-error t)
#v-

I don't know what "verify-error" is for since verify-hostname-error seems
to handle any error like certificate expired, mismatched name or unknown
root certificate. Example when the certificate is expired:

#v+
;; Expired certificate: negotiation signals an error.
(gnutls-negotiate :process (open-network-stream "test" nil "www.pcwebshop.co.uk" 443)
                  :hostname "www.pcwebshop.co.uk"
                  :verify-hostname-error t
                  :verify-error t)
#v-

It works for me.

Now, if I understand correctly, you are also trying to use `:trustfiles`.

#v+
;; Root not in the default trust store: negotiation signals an error.
(gnutls-negotiate :process (open-network-stream "test" nil "awesome.naquadah.org" 443)
                  :hostname "awesome.naquadah.org"
                  :verify-hostname-error t
                  :verify-error t)
#v-

I get an error. Now, I extract the certificate and specify it with the
trustfiles option:

#v+
;; Same host, with the extracted root supplied as the trust anchor.
(gnutls-negotiate :process (open-network-stream "test" nil "awesome.naquadah.org" 443)
                  :hostname "awesome.naquadah.org"
                  :trustfiles '("/home/bernat/tmp/root.crt")
                  :verify-hostname-error t
                  :verify-error t)
#v-

And it works. I am using Emacs 24.3 from Debian unstable.

So far, it seems that the builtin support is working.
-- 
printk("??? No FDIV bug? Lucky you...\n");
        2.2.16 /usr/src/linux/include/asm-i386/bugs.h
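The four tests above, folded into one fail-closed helper as an added example (not code from the message or from Gnus): it assumes Emacs 24.3's gnutls.el as used in the message, the function name is made up, and the hosts and trust-file path are the ones the message uses.

```elisp
;; Added example, not from the original post.  The helper name is
;; invented; it relies only on gnutls-negotiate and the keywords shown
;; in the message (Emacs 24.3 gnutls.el).
(require 'gnutls)

(defun my-verified-tls-connect (host port &optional trustfile)
  "Open a TLS connection to HOST:PORT that fails closed on a bad certificate.
When TRUSTFILE is non-nil, it names a PEM file used as the trust anchor
instead of the default trust store (what awesome.naquadah.org needed in
the message).  Return the process on success, or nil after closing the
socket when the certificate does not verify."
  (let ((proc (open-network-stream "verified-tls" nil host port)))
    (condition-case err
        ;; Both verify keywords are set, exactly as in the tests above;
        ;; a nil :trustfiles makes gnutls.el fall back to its defaults.
        (gnutls-negotiate :process proc
                          :hostname host
                          :trustfiles (and trustfile (list trustfile))
                          :verify-hostname-error t
                          :verify-error t)
      (error
       ;; Expired certificate, name mismatch and unknown root all land
       ;; here; report it and never hand back an unverified connection.
       (message "TLS negotiation with %s:%d failed: %s"
                host port (error-message-string err))
       (delete-process proc)
       nil))))

;; The three outcomes from the message: verified against the default
;; store, refused without the extra root, accepted once it is supplied.
(my-verified-tls-connect "www.dailymotion.com" 443)
(my-verified-tls-connect "awesome.naquadah.org" 443)
(my-verified-tls-connect "awesome.naquadah.org" 443 "/home/bernat/tmp/root.crt")
```

Evaluate it in `*scratch*` with the same Emacs build as above; a returned process object means the chain verified, nil means the socket was closed and the reason is in `*Messages*`.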