Re: Testing the gnutls support
From: Ted Zlatanov
Subject: Re: Testing the gnutls support
Date: Fri, 01 Apr 2011 09:35:59 -0500
User-agent: Gnus/5.110016 (No Gnus v0.16) Emacs/24.0.50 (gnu/linux)
On Tue, 29 Mar 2011 22:29:59 +0200 Lars Magne Ingebrigtsen <address@hidden>
wrote:
LMI> Ted Zlatanov <address@hidden> writes:
>> It's probably cleaner to save every invalid certificate in a list and
>> give the user a UI to choose which certificates they wish to accept,
>> perhaps linking to the last validation failure and whatever else will
>> help the user identify which certificates he wants to accept (maybe a
>> hash ID of the certificate in the messages buffer).
LMI> What's the use case here?
LMI> If I'm connecting to imap.gmail.com, I probably do want to be prompted
LMI> with an "invalid certificate" if the certificate is invalid. And
LMI> possibly a "view certificate" before accepting it anyway. Is anything
LMI> more complicated than that necessary?
Normally GnuTLS-using programs, through a callback, do the prompting and
viewing when the invalid certificate is presented. I think, considering
Emacs as an environment, that doing minibuffer prompting during a C
callback from an external library can cause serious problems. So I'd
rather save the invalid certificate in a list at the time it's
presented and fail the connection.
After the connection fails, the code that uses gnutls.el can look at
`gnutls-rejected-certificates' (which will have the certificate and
enough information about the connection to figure out what it's for).
And it can then save some of those certificates and `gnutls-negotiate'
will pick them up.
`gnutls-negotiate' can pick up certificates either implicitly by trying
~/.emacs.d/certs/SERVER[.PORT].pem or explicitly if they are passed in
externally. The GnuTLS maintainers suggested the former approach. I
think it's more manageable long-term as well.
So, from the proto-stream.el perspective, you would try the connection
and if it fails, look at `gnutls-rejected-certificates' for an entry
relevant to the connection you just failed to make. You would then ask
the user "do you want to accept certificate?" and show the info; if they
accept you'd save to ~/.emacs.d/certs/SERVER[.PORT].pem.
To know if you need to save the port in the name you could ask
auth-source for all the entries for SERVER or you could ask the user.
Ted
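The flow described above (try the connection, fail, look up the host in `gnutls-rejected-certificates', show the certificate, prompt, and save it under ~/.emacs.d/certs/) as an added Emacs Lisp sketch; this is not code from the thread or from gnutls.el, and the (HOST PORT PEM REASON) entry layout, the `my-' names and the auth-source port heuristic are assumptions.

```elisp
;; Added example, not code from the thread or from gnutls.el.  The shape
;; of a `gnutls-rejected-certificates' entry, (HOST PORT PEM REASON), and
;; every `my-' name are assumptions made for this illustration.
(require 'seq)
(require 'auth-source)

(defvar gnutls-rejected-certificates nil
  "Certificates gnutls.el refused, as (HOST PORT PEM REASON) entries.
Constructed stand-in; the real variable's format was still being designed.")

(defun my-gnutls-cert-file (host port with-port)
  "Return ~/.emacs.d/certs/HOST.pem, or HOST.PORT.pem when WITH-PORT."
  (expand-file-name (if with-port
                        (format "%s.%d.pem" host port)
                      (format "%s.pem" host))
                    (locate-user-emacs-file "certs/")))

(defun my-gnutls-find-rejected (host port)
  "Return the rejected entry recorded for HOST and PORT, or nil."
  (seq-find (lambda (entry)
              (and (string= (nth 0 entry) host)
                   (eql (nth 1 entry) port)))
            gnutls-rejected-certificates))

(defun my-gnutls-offer-to-accept (host port)
  "After a failed connection, let the user pin the rejected certificate.
Displays the PEM and the validation failure, writes the file only after
an explicit yes, and returns the file name written (nil otherwise)."
  (let ((entry (my-gnutls-find-rejected host port)))
    (when entry
      (let ((pem (nth 2 entry))
            (reason (nth 3 entry)))
        (with-output-to-temp-buffer "*gnutls certificate*"
          (princ (format "Host: %s:%d\nValidation failure: %s\n\n%s"
                         host port reason pem)))
        (when (yes-or-no-p
               (format "Accept this certificate for %s:%d anyway? " host port))
          ;; Include the port in the file name only when auth-source
          ;; already knows more than one entry for HOST, so a pin for one
          ;; service cannot silently cover another on the same machine.
          (let ((file (my-gnutls-cert-file
                       host port
                       (> (length (auth-source-search :host host :max 10)) 1))))
            (make-directory (file-name-directory file) t)
            (with-temp-file file (insert pem))
            (set-file-modes file #o600)
            file))))))
```

A caller would run `(my-gnutls-offer-to-accept "imap.example.org" 993)` right after `gnutls-negotiate' fails, then retry the connection so the new PEM file is picked up.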