diff options
| author | Lars Ingebrigtsen <larsi@gnus.org> | 2015-12-29 14:46:20 +0100 |
|---|---|---|
| committer | Lars Ingebrigtsen <larsi@gnus.org> | 2015-12-29 14:46:20 +0100 |
| commit | de5c44fe8811b07eaad6ab5fc53d498e465a43d4 (patch) | |
| tree | e1be39b72ff322fdcd482840bbf91a7d8289693d | |
| parent | 1ba1e35fbed820ec9d9e1dafbe150f88f29342d8 (diff) | |
| download | emacs-de5c44fe8811b07eaad6ab5fc53d498e465a43d4.tar.gz | |
Make tls.el use trustfiles by default
* lisp/net/tls.el (tls-program): Add a certfile by default (bug#21227).
(open-tls-stream): Insert the trustfile by looking at
`gnutls-trustfiles'.
| -rw-r--r-- | lisp/net/tls.el | 28 |
1 files changed, 14 insertions, 14 deletions
diff --git a/lisp/net/tls.el b/lisp/net/tls.el index 6745e5d8282..72fb50ed923 100644 --- a/lisp/net/tls.el +++ b/lisp/net/tls.el @@ -44,6 +44,8 @@ ;;; Code: +(require 'gnutls) + (autoload 'format-spec "format-spec") (autoload 'format-spec-make "format-spec") @@ -74,9 +76,10 @@ and `gnutls-cli' (version 2.0.1) output." :type 'regexp :group 'tls) -(defcustom tls-program '("gnutls-cli -p %p %h" - "gnutls-cli -p %p %h --protocols ssl3" - "openssl s_client -connect %h:%p -no_ssl2 -ign_eof") +(defcustom tls-program + '("gnutls-cli --x509cafile %t -p %p %h" + "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3" + "openssl s_client -connect %h:%p -no_ssl2 -ign_eof") "List of strings containing commands to start TLS stream to a host. Each entry in the list is tried until a connection is successful. %h is replaced with server hostname, %p with port to connect to. @@ -89,24 +92,20 @@ successful negotiation." :type '(choice (const :tag "Default list of commands" - ("gnutls-cli -p %p %h" - "gnutls-cli -p %p %h --protocols ssl3" - "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")) + ("gnutls-cli --x509cafile %t -p %p %h" + "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3" + "openssl s_client -CAfile %t -connect %h:%p -no_ssl2 -ign_eof")) (list :tag "Choose commands" :value - ("gnutls-cli -p %p %h" - "gnutls-cli -p %p %h --protocols ssl3" + ("gnutls-cli --x509cafile %t -p %p %h" + "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3" "openssl s_client -connect %h:%p -no_ssl2 -ign_eof") (set :inline t ;; FIXME: add brief `:tag "..."' descriptions. ;; (repeat :inline t :tag "Other" (string)) - ;; See `tls-checktrust': - (const "gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h") - (const "gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3") - (const "openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof") ;; No trust check: - (const "gnutls-cli -p %p %h") - (const "gnutls-cli -p %p %h --protocols ssl3") + (const "gnutls-cli --insecure -p %p %h") + (const "gnutls-cli --insecure -p %p %h --protocols ssl3") (const "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")) (repeat :inline t :tag "Other" (string))) (list :tag "List of commands" @@ -232,6 +231,7 @@ Fourth arg PORT is an integer specifying a port to connect to." (format-spec cmd (format-spec-make + ?t (car (gnutls-trustfiles)) ?h host ?p (if (integerp port) (int-to-string port) |