emacs-diffs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Emacs-diffs] Changes to emacs/lisp/net/tls.el,v


From: Miles Bader
Subject: [Emacs-diffs] Changes to emacs/lisp/net/tls.el,v
Date: Thu, 06 Dec 2007 00:21:08 +0000

CVSROOT:        /cvsroot/emacs
Module name:    emacs
Changes by:     Miles Bader <miles>     07/12/06 00:21:02

Index: lisp/net/tls.el
===================================================================
RCS file: /cvsroot/emacs/emacs/lisp/net/tls.el,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -b -r1.27 -r1.28
--- lisp/net/tls.el     9 Nov 2007 18:22:03 -0000       1.27
+++ lisp/net/tls.el     6 Dec 2007 00:20:59 -0000       1.28
@@ -85,26 +85,93 @@
 Each entry in the list is tried until a connection is successful.
 %h is replaced with server hostname, %p with port to connect to.
 The program should read input on stdin and write output to
-stdout.  Also see `tls-success' for what the program should output
-after successful negotiation."
-  :type '(repeat string)
+stdout.
+
+See `tls-checktrust' on how to check trusted root certs.
+
+Also see `tls-success' for what the program should output after
+successful negotiation."
+  :type
+  '(choice
+    (list :tag "Choose commands"
+         :value
+         ("gnutls-cli -p %p %h"
+          "gnutls-cli -p %p %h --protocols ssl3"
+          "openssl s_client -connect %h:%p -no_ssl2")
+         (set :inline t
+              ;; FIXME: add brief `:tag "..."' descriptions.
+              ;; (repeat :inline t :tag "Other" (string))
+              ;; See `tls-checktrust':
+              (const "gnutls-cli --x509cafile 
/etc/ssl/certs/ca-certificates.crt -p %p %h")
+              (const "gnutls-cli --x509cafile 
/etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3")
+              (const "openssl s_client -connect %h:%p -CAfile 
/etc/ssl/certs/ca-certificates.crt -no_ssl2")
+              ;; No trust check:
+              (const "gnutls-cli -p %p %h")
+              (const "gnutls-cli -p %p %h --protocols ssl3")
+              (const "openssl s_client -connect %h:%p -no_ssl2"))
+         (repeat :inline t :tag "Other" (string)))
+    (const :tag "Default list of commands"
+          ("gnutls-cli -p %p %h"
+           "gnutls-cli -p %p %h --protocols ssl3"
+           "openssl s_client -connect %h:%p -no_ssl2"))
+    (list :tag "List of commands"
+         (repeat :tag "Command" (string))))
   :version "22.1"
   :group 'tls)
 
 (defcustom tls-process-connection-type nil
-  "*Value for `process-connection-type' to use when starting TLS process."
+  "Value for `process-connection-type' to use when starting TLS process."
   :version "22.1"
   :type 'boolean
   :group 'tls)
 
 (defcustom tls-success "- Handshake was completed\\|SSL handshake has read "
-  "*Regular expression indicating completed TLS handshakes.
+  "Regular expression indicating completed TLS handshakes.
 The default is what GNUTLS's \"gnutls-cli\" or OpenSSL's
 \"openssl s_client\" outputs."
   :version "22.1"
   :type 'regexp
   :group 'tls)
 
+(defcustom tls-checktrust nil
+  "Indicate if certificates should be checked against trusted root certs.
+If this is `ask', the user can decide whether to accept an
+untrusted certificate.  You may have to adapt `tls-program' in
+order to make this feature work properly, i.e., to ensure that
+the external program knows about the root certificates you
+consider trustworthy, e.g.:
+
+\(setq tls-program
+      '(\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h\"
+       \"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h 
--protocols ssl3\"
+       \"openssl s_client -connect %h:%p -CAfile 
/etc/ssl/certs/ca-certificates.crt -no_ssl2\"))"
+  :type '(choice (const :tag "Always" t)
+                (const :tag "Never" nil)
+                (const :tag "Ask" ask))
+  :version "23.0" ;; No Gnus
+  :group 'tls)
+
+(defcustom tls-untrusted
+  "- Peer's certificate is NOT trusted\\|Verify return code: \\([^0] \\|.[^ 
]\\)"
+  "Regular expression indicating failure of TLS certificate verification.
+The default is what GNUTLS's \"gnutls-cli\" or OpenSSL's
+\"openssl s_client\" return in the event of unsuccessful
+verification."
+  :type 'regexp
+  :version "23.0" ;; No Gnus
+  :group 'tls)
+
+(defcustom tls-hostmismatch
+  "# The hostname in the certificate does NOT match"
+  "Regular expression indicating a host name mismatch in certificate.
+When the host name specified in the certificate doesn't match the
+name of the host you are connecting to, gnutls-cli issues a
+warning to this effect.  There is no such feature in openssl.  Set
+this to nil if you want to ignore host name mismatches."
+  :type 'regexp
+  :version "23.0" ;; No Gnus
+  :group 'tls)
+
 (defcustom tls-certtool-program (executable-find "certtool")
   "Name of  GnuTLS certtool.
 Used by `tls-certificate-information'."
@@ -141,7 +208,7 @@
 Input and output work as for subprocesses; `delete-process' closes it.
 Args are NAME BUFFER HOST PORT.
 NAME is name for process.  It is modified if necessary to make it unique.
-BUFFER is the buffer (or buffer-name) to associate with the process.
+BUFFER is the buffer (or buffer name) to associate with the process.
  Process output goes at end of that buffer, unless you specify
  an output stream or filter function to handle the output.
  BUFFER may be also nil, meaning that this process is not associated
@@ -177,25 +244,31 @@
              (sit-for 1)))
          (message "Opening TLS connection with `%s'...%s" cmd
                   (if done "done" "failed"))
-         (if (not done)
-             (delete-process process)
-           ;; advance point to after all informational messages that
-           ;; `openssl s_client' and `gnutls' print
-           (let ((start-of-data nil))
-             (while
-                 (not (setq start-of-data
-                            ;; the string matching `tls-end-of-info'
-                            ;; might come in separate chunks from
-                            ;; `accept-process-output', so start the
-                            ;; search where `tls-success' ended
+         (if done
+             (setq done process)
+           (delete-process process))))
+      (when done
                             (save-excursion
-                              (if (re-search-forward tls-end-of-info nil t)
-                                  (match-end 0)))))
-               (accept-process-output process 1))
-             (if start-of-data
-                 ;; move point to start of client data
-                 (goto-char start-of-data)))
-           (setq done process))))
+         (set-buffer buffer)
+         (when
+             (or
+              (and tls-checktrust
+                   (progn
+                     (goto-char (point-min))
+                     (re-search-forward tls-untrusted nil t))
+                   (or
+                    (and (not (eq tls-checktrust 'ask))
+                         (message "The certificate presented by `%s' is NOT 
trusted." host))
+                    (not (yes-or-no-p
+                          (format "The certificate presented by `%s' is NOT 
trusted. Accept anyway? " host)))))
+              (and tls-hostmismatch
+                   (progn
+                     (goto-char (point-min))
+                     (re-search-forward tls-hostmismatch nil t))
+                   (not (yes-or-no-p
+                         (format "Host name in certificate doesn't match `%s'. 
Connect anyway? " host)))))
+           (setq done nil)
+           (delete-process process))))
       (message "Opening TLS connection to `%s'...%s"
               host (if done "done" "failed")))
     (when use-temp-buffer




reply via email to

[Prev in Thread] Current Thread [Next in Thread]