emacs-devel

Re: [PATCH RFC] GnuTLS: Support TOFU certificate checking.


From: Lars Magne Ingebrigtsen
Subject: Re: [PATCH RFC] GnuTLS: Support TOFU certificate checking.
Date: Tue, 07 Oct 2014 23:35:04 +0200
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/24.4.50 (gnu/linux)

Toke Høiland-Jørgensen <address@hidden> writes:

> (require 'gnutls)
> (setq gnutls-verify-error '((".*" :tofu)))
> (open-gnutls-stream "test" nil "google.com" 443) ; this should fail
>
> To add the certificate to the trust store, execute (in a shell)
> `gnutls-cli --tofu -p 443 google.com` and answer yes when it asks
> whether to trust the certificate. Doing so should cause the open to
> succeed the next time around.

I think all the certificate checking should just work out of the box
without the user having to do any configuration or shell commands.
I.e., it should be done by `open-network-stream'.

See

http://permalink.gmane.org/gmane.emacs.devel/174908

for how I think this should work from the user's standpoint, if you want
to implement it.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no


