Re: Testing the gnutls support

From: Ted Zlatanov
Subject: Re: Testing the gnutls support
Date: Fri, 01 Apr 2011 09:35:59 -0500
User-agent: Gnus/5.110016 (No Gnus v0.16) Emacs/24.0.50 (gnu/linux)

On Tue, 29 Mar 2011 22:29:59 +0200 Lars Magne Ingebrigtsen <address@hidden> 

LMI> Ted Zlatanov <address@hidden> writes:
>> It's probably cleaner to save every invalid certificate in a list and
>> give the user a UI to choose which certificates they wish to accept,
>> perhaps linking to the last validation failure and whatever else will
>> help the user identify which certificates he wants to accept (maybe a
>> hash ID of the certificate in the messages buffer).

LMI> What's the use case here?

LMI> If I'm connecting to imap.gmail.com, I probably do want to be prompted
LMI> with an "invalid certificate" if the certificate is invalid.  And
LMI> possibly a "view certificate" before accepting it anyway.  Is anything
LMI> more complicated than that necessary?

Normally GnuTLS-using programs, through a callback, do the prompting and
viewing when the invalid certificate is presented.  I think, considering
Emacs as an environment, that doing minibuffer prompting during a C
callback from an external library can cause serious problems.  So I'd
rather save the invalid certificate in a list at the time it's
presented and fail the connection.

After the connection fails, the code that uses gnutls.el can look at
`gnutls-rejected-certificates' (which will have the certificate and
enough information about the connection to figure out what it's for).
And it can then save some of those certificates and `gnutls-negotiate'
will pick them up.

`gnutls-negotiate' can pick up certificates either implicitly by trying
~/.emacs.d/certs/SERVER[.PORT].pem or explicitly if they are passed in
externally.  The GnuTLS maintainers suggested the former approach.  I
think it's more manageable long-term as well.

So, from the proto-stream.el perspective, you would try the connection
and if it fails, look at `gnutls-rejected-certificates' for an entry
relevant to the connection you just failed to make.  You would then ask
the user "do you want to accept certificate?" and show the info; if they
accept you'd save to ~/.emacs.d/certs/SERVER[.PORT].pem.

To know if you need to save the port in the name you could ask
auth-source for all the entries for SERVER or you could ask the user.
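The proto-stream.el side of the flow described above, sketched as an added example (not code from this message or from Emacs's gnutls.el).  The plist shape of the entries in `gnutls-rejected-certificates', the `my-' function names and the `with-port' argument are assumptions; the message does not specify them.

```elisp
;; Added example; not from the original message or from gnutls.el.
;; ASSUMPTION: each entry in `gnutls-rejected-certificates' is a plist
;; (:host HOST :port PORT :pem PEM-STRING :reason STRING).
(require 'seq)

(defvar gnutls-rejected-certificates nil
  "Certificates GnuTLS rejected, recorded by gnutls.el (assumed format).")

(defvar my-gnutls-cert-directory (expand-file-name "certs" user-emacs-directory)
  "Where accepted certificates are stored as SERVER[.PORT].pem.")

(defun my-gnutls-find-rejected (host port)
  "Return the rejected-certificate entry for HOST and PORT, or nil."
  (seq-find (lambda (entry)
              (and (string= (plist-get entry :host) host)
                   (or (null (plist-get entry :port))
                       (eql (plist-get entry :port) port))))
            gnutls-rejected-certificates))

(defun my-gnutls-cert-file (host port &optional with-port)
  "Return the file name for HOST's certificate, adding .PORT if WITH-PORT."
  (expand-file-name (if with-port
                        (format "%s.%d.pem" host port)
                      (format "%s.pem" host))
                    my-gnutls-cert-directory))

(defun my-gnutls-maybe-accept (host port &optional with-port)
  "After a failed connection to HOST:PORT, offer to accept the rejected
certificate.  Return the saved file name, or nil if nothing was accepted."
  (let ((entry (my-gnutls-find-rejected host port)))
    (when entry
      ;; Show the user what they are being asked to trust before prompting.
      (with-output-to-temp-buffer "*Rejected certificate*"
        (princ (format "Host: %s  Port: %s\nReason: %s\n\n%s"
                       host port (plist-get entry :reason)
                       (plist-get entry :pem))))
      (when (y-or-n-p (format "Accept certificate for %s:%s? " host port))
        (let ((file (my-gnutls-cert-file host port with-port)))
          (make-directory my-gnutls-cert-directory t)
          (with-temp-file file
            (insert (plist-get entry :pem)))
          ;; The file is a trust anchor for later connections; keep it private.
          (set-file-modes file #o600)
          (setq gnutls-rejected-certificates
                (delq entry gnutls-rejected-certificates))
          file)))))
```

Once the file exists, `gnutls-negotiate' as described above would find it implicitly on the next connection attempt to SERVER[.PORT].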
