-2015-12-29 Lars Ingebrigtsen <larsi@gnus.org>
-
- Remove --insecure from gnutls-cli invocation;
- make tls.el use trustfiles by default
-
- * tls.el (tls-program):
- Default to using secure TLS connections (bug#19284);
- add a certfile by default (bug#21227).
- (open-tls-stream):
- Insert the trustfile by looking at `gnutls-trustfiles'.
-
2015-12-28 Katsumi Yamaoka <yamaoka@jpl.org>
* mml-sec.el (mml-secure-bcc-is-safe):
;;; Code:
-(require 'gnutls)
-
(autoload 'format-spec "format-spec")
(autoload 'format-spec-make "format-spec")
:type 'regexp
:group 'tls)
-(defcustom tls-program
- '("gnutls-cli --x509cafile %t -p %p %h"
- "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
- "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
+(defcustom tls-program '("gnutls-cli --insecure -p %p %h"
+ "gnutls-cli --insecure -p %p %h --protocols ssl3"
+ "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
"List of strings containing commands to start TLS stream to a host.
Each entry in the list is tried until a connection is successful.
%h is replaced with server hostname, %p with port to connect to.
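Review bot: The restored default list runs gnutls-cli with --insecure, so the stream is established even when the server certificate fails verification, yet the docstring directly below says nothing about it; a user who keeps the default gets encryption but no authentication of the peer. I would add to the docstring, after the %h/%p sentence, `The default commands skip certificate verification (--insecure); choose one of the --x509cafile entries, and see `tls-checktrust', when the peer must be authenticated.` The same point applies to the matching :type defaults in the customization hunk. The --x509cafile alternatives added in that hunk hard-code /etc/ssl/certs/ca-certificates.crt, which presumably fails on systems without that file, whereas the removed `?t (car (gnutls-trustfiles))` substitution in the format-spec hunk had located the trust store at run time. The defcustom form and its docstring continue outside the hunk.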
:type
'(choice
(const :tag "Default list of commands"
- ("gnutls-cli --x509cafile %t -p %p %h"
- "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
- "openssl s_client -CAfile %t -connect %h:%p -no_ssl2 -ign_eof"))
+ ("gnutls-cli --insecure -p %p %h"
+ "gnutls-cli --insecure -p %p %h --protocols ssl3"
+ "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"))
(list :tag "Choose commands"
:value
- ("gnutls-cli --x509cafile %t -p %p %h"
- "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
+ ("gnutls-cli --insecure -p %p %h"
+ "gnutls-cli --insecure -p %p %h --protocols ssl3"
"openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
(set :inline t
;; FIXME: add brief `:tag "..."' descriptions.
;; (repeat :inline t :tag "Other" (string))
+ ;; See `tls-checktrust':
+ (const "gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h")
+ (const "gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3")
+ (const "openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof")
;; No trust check:
(const "gnutls-cli --insecure -p %p %h")
(const "gnutls-cli --insecure -p %p %h --protocols ssl3")
(format-spec
cmd
(format-spec-make
- ?t (car (gnutls-trustfiles))
?h host
?p (if (integerp port)
(int-to-string port)