From: Katsumi Yamaoka
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Builtin GnuTLS support and certificate verification
Date: Mon, 16 Dec 2013 10:39:48 +0900
Organization: Emacsen advocacy group
To: ding@gnus.org
User-Agent: Gnus/5.130008 (真 Gnus v0.8) Emacs/24.3.50 (i686-pc-cygwin)

Ted Zlatanov wrote:

> I pushed this work to the Emacs trunk with the old behavior (connections
> never abort, just warn). Please customize `gnutls-verify-error' to get
> the new behavior, erroring out on validation failures. I encourage you
> to try it and report any issues.

One of my POP mail sources stopped working with today's Emacs build
from the trunk.

First, `mapcan' that `gnutls-negotiate' uses is a cl run-time function,
so I needed to load cl manually.

If `gnutls-verify-error' is nil, `mail-source-fetch-pop' fails with the
error:

(wrong-type-argument listp nil)

This is what the built-in function `gnutls-boot' issues.
The arguments passed to it then are:

  # gnutls-x509pki
  (:priority "NORMAL"
   :hostname "my.pop.server"
   :loglevel 0
   :min-prime-bits 1024
   :trustfiles ("/usr/ssl/certs/ca-bundle.crt")
   :crlfiles nil
   :keylist nil
   :verify-flags nil
   :verify-error nil
   :callbacks nil)

If I set `gnutls-verify-error' to t, `gnutls-boot' issues the error
(wrong-type-argument listp t) because :verify-error is t.

The mail-source for this case is:

  (pop :server "my.pop.server"
       :user "User Name"
       :password "Password"
       :leave 7)

Server's response is:

  +OK Dovecot ready.^M
  +OK^M
  CAPA^M
  TOP^M
  UIDL^M
  RESP-CODES^M
  PIPELINING^M
  STLS^M
  USER^M
  SASL PLAIN LOGIN^M
  .^M
  +OK Begin TLS negotiation now.^M

And a workaround to make it work is:

  ;; Before-advice on `open-network-stream': for the Gnus NNTP and POP
  ;; streams, drop the :starttls-function parameter so STARTTLS is never
  ;; attempted.  The plist is copied first so the caller's list is not
  ;; modified in place.
  (defadvice open-network-stream (before never-use-stls
                                         (name buffer host service
                                               &rest parameters)
                                         activate)
    "Never use starttls."
    (when (member name '("nntpd" "POP"))
      (setq parameters (copy-sequence parameters))
      (plist-put parameters :starttls-function nil)))

Thanks.