bug-gnu-emacs

Re: bug#8080: 24.0.50; Sending mail failed with Gmail/GnuTLS on Windows


From: Ted Zlatanov
Subject: Re: bug#8080: 24.0.50; Sending mail failed with Gmail/GnuTLS on Windows
Date: Fri, 25 Feb 2011 14:54:00 -0600
User-agent: Gnus/5.110014 (No Gnus v0.14) Emacs/24.0.50 (gnu/linux)

On Fri, 25 Feb 2011 19:42:14 +0100 claudio.bley@gmail.com (Claudio Bley) wrote: 

CB> At Wed, 23 Feb 2011 15:47:05 -0600,
CB> Ted Zlatanov wrote:

>> Are you interested in adding support for the more recent versions of
>> GnuTLS as well (2.10+)?  I stopped with the one generally available in
>> Debian at the time (see
>> http://permalink.gmane.org/gmane.emacs.gnus.general/75001).  It's on my
>> TODO list to upgrade to 2.10 and add callbacks for certificate
>> verification, but if you want to try it I would be grateful.

CB> Actually, I'm using GnuTLS 2.10 (2.10.1 and 2.10.4) right now. What
CB> are the differences between 2.8 and 2.10? I would be glad to help out
CB> implementing the missing callback support.

Thanks for your interest.  W32 users are the biggest reason for GnuTLS
support in Emacs: you've seen how hard it is to wrap the command-line
tools.  So your experience will be valuable.

2.10 is backwards compatible so everything works as you'd expect with
2.8.  That's good news.

The big difference is that 2.10 and higher have callbacks on credential
verification.  See gnutls_certificate_set_verify_function() (see
http://lists.gnu.org/archive/html/gnutls-devel/2010-06/msg00042.html for
the list of API/ABI changes in 2.10.0).

Note you have to use gnutls_malloc() and gnutls_free() in callbacks.

Also I think we should support (as in
http://www.gnu.org/software/gnutls/manual/html_node/Using-a-callback-to-select-the-certificate-to-use.html
which works in 2.8 as well) using
gnutls_certificate_client_set_retrieve_function() to set the callback to
cert_callback().  That way the client can decide which certificate to
present at connection time.

The reason is that if we write C-level verification code as in
http://www.gnu.org/software/gnutls/manual/html_node/Verifying-peer_0027s-certificate.html#Verifying-peer_0027s-certificate
it will be harder to manage the certificates and do fancy verification
on them.  That's my recollection anyhow, it's been a while since I
worked on that.  Take a look at `gnutls-negotiate' in net/gnutls.el for
the current state of things; it has a :callbacks key which is currently
unused.  I was going to make it an alist but let's continue the
discussion on emacs-devel after you've looked at the 2.10.x API, the
current gnutls.el, and maybe have some ideas about how to proceed.

I'm OK with changing the gnutls.el interface as long as it keeps working
with Gnus' proto-stream.el.  Lars Magne Ingebrigtsen can help us proceed
on that front.

CB> Incidentally, I had a car crash yesterday. Nothing serious, still
CB> feeling a bit dizzy, though. That probably means I won't have any time
CB> preparing a patch this weekend. So, don't hold your breath on it...

Sorry to hear that.  Better take time to get better, of course.  If I
get something done before you, I'll be surprised :) 

Ted

