Re: NSM certificate prompt

[Eli Zaretskii]

> Date: Sat, 13 Dec 2014 20:01:59 +0200
> From: Eli Zaretskii <address@hidden>
> Cc: address@hidden
> 
> GnuTLS on Windows uses the CertEnumCertificatesInStore API to retrieve
> all the Root and Certification Authority certificates known to the
> system.  I suppose at least IE uses the same API, so I wonder how come
> GnuTLS fails to validate the certificates, while IE succeeds.
> 
> I guess some debugging is in order.

Ha!  It's very simple: we don't call the GnuTLS function that adds
system's default trusted CAs to the data used for certificate
verification.  The simple patch below solves the problem for me.

Any objections to installing this?  Including on the branch?  Ted?

What about Posix systems -- won't calling
gnutls_certificate_set_x509_system_trust remove the need to load
gnutls-trustfiles explicitly for every TLS connection?

diff --git a/src/gnutls.c b/src/gnutls.c
index ad4d997..bbe5d49 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -103,6 +103,11 @@ enum extra_peer_verification
 DEF_GNUTLS_FN (int, gnutls_certificate_set_x509_key_file,
               (gnutls_certificate_credentials_t, const char *, const char *,
                gnutls_x509_crt_fmt_t));
+#if GNUTLS_VERSION_MAJOR +                                     \
+  (GNUTLS_VERSION_MINOR > 0 || GNUTLS_VERSION_PATCH >= 20) > 3
+DEF_GNUTLS_FN (int, gnutls_certificate_set_x509_system_trust,
+              (gnutls_certificate_credentials_t));
+#endif
 DEF_GNUTLS_FN (int, gnutls_certificate_set_x509_trust_file,
               (gnutls_certificate_credentials_t, const char *,
                gnutls_x509_crt_fmt_t));
@@ -227,6 +232,10 @@ enum extra_peer_verification
   LOAD_GNUTLS_FN (library, gnutls_certificate_set_verify_flags);
   LOAD_GNUTLS_FN (library, gnutls_certificate_set_x509_crl_file);
   LOAD_GNUTLS_FN (library, gnutls_certificate_set_x509_key_file);
+#if GNUTLS_VERSION_MAJOR +                                     \
+  (GNUTLS_VERSION_MINOR > 0 || GNUTLS_VERSION_PATCH >= 20) > 3
+  LOAD_GNUTLS_FN (library, gnutls_certificate_set_x509_system_trust);
+#endif
   LOAD_GNUTLS_FN (library, gnutls_certificate_set_x509_trust_file);
   LOAD_GNUTLS_FN (library, gnutls_certificate_type_get);
   LOAD_GNUTLS_FN (library, gnutls_certificate_verify_peers2);
@@ -314,6 +323,10 @@ enum extra_peer_verification
 #define fn_gnutls_certificate_set_verify_flags 
gnutls_certificate_set_verify_flags
 #define fn_gnutls_certificate_set_x509_crl_file        
gnutls_certificate_set_x509_crl_file
 #define fn_gnutls_certificate_set_x509_key_file 
gnutls_certificate_set_x509_key_file
+#if GNUTLS_VERSION_MAJOR +                                     \
+  (GNUTLS_VERSION_MINOR > 0 || GNUTLS_VERSION_PATCH >= 20) > 3
+#define fn_gnutls_certificate_set_x509_system_trust 
gnutls_certificate_set_x509_system_trust
+#endif
 #define fn_gnutls_certificate_set_x509_trust_file 
gnutls_certificate_set_x509_trust_file
 #define fn_gnutls_certificate_type_get         gnutls_certificate_type_get
 #define fn_gnutls_certificate_verify_peers2    gnutls_certificate_verify_peers2
@@ -1308,6 +1321,14 @@ one trustfile (usually a CA bundle).  */)
       int file_format = GNUTLS_X509_FMT_PEM;
       Lisp_Object tail;
 
+#if GNUTLS_VERSION_MAJOR +                                     \
+  (GNUTLS_VERSION_MINOR > 0 || GNUTLS_VERSION_PATCH >= 20) > 3
+      ret = fn_gnutls_certificate_set_x509_system_trust (x509_cred);
+      if (ret < GNUTLS_E_SUCCESS)
+       GNUTLS_LOG2i (4, max_log_level, "setting system trust failed with code 
",
+                     ret);
+#endif
+
       for (tail = trustfiles; CONSP (tail); tail = XCDR (tail))
        {
          Lisp_Object trustfile = XCAR (tail);