(require 'starttls)
(require 'format-spec)
-(defcustom proto-stream-always-use-starttls t
+(defcustom proto-stream-always-use-starttls (fboundp 'open-gnutls-stream)
"If non-nil, always try to upgrade network connections with STARTTLS."
:version "24.1"
:type 'boolean
(executable-find "gnutls-cli"))
(unless (fboundp 'open-gnutls-stream)
(delete-process stream)
- (let ((starttls-extra-arguments
- (if (and starttls-use-gnutls
- (not (eq type 'starttls)))
- ;; When doing opportunistic TLS upgrades we
- ;; don't really care about the identity of the
- ;; peer.
- (cons "--insecure" starttls-extra-arguments)
- starttls-extra-arguments)))
+ (let* ((starttls-use-gnutls t)
+ (starttls-extra-arguments
+ (if (eq type 'starttls)
+ ;; When doing opportunistic TLS upgrades we
+ ;; don't really care about the identity of the
+ ;; peer.
+ (cons "--insecure" starttls-extra-arguments)
+ starttls-extra-arguments)))
(setq stream (starttls-open-stream name buffer host service)))
(proto-stream-get-response stream start eoc))
(proto-stream-command stream starttls-command eoc)
(if (fboundp 'open-gnutls-stream)
(gnutls-negotiate stream nil)
- (starttls-negotiate stream))
+ (unless (starttls-negotiate stream)
+ (delete-process stream)
+ (setq stream nil)))
+ (when (or (null stream)
+ (not (memq (process-status stream)
+ '(open run))))
+ ;; It didn't successfully negotiate STARTTLS, so we reopen
+ ;; the connection.
+ (setq stream (open-network-stream name buffer host service))
+ (proto-stream-get-response stream start eoc))
;; Re-get the capabilities, since they may have changed
;; after switching to TLS.
(list stream greeting
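Review bot: The new condition at `(if (eq type 'starttls)` inverts the removed one — `--insecure` is now passed to gnutls-cli when TYPE *is* `starttls` and omitted otherwise, while the comment kept directly beneath it still says the flag is meant for opportunistic upgrades where the peer's identity is not checked; if `starttls` denotes the explicitly requested upgrade, this disables certificate verification in exactly the case where the user asked for TLS and keeps it for the opportunistic one. Either the condition should read `(if (not (eq type 'starttls))` as before, or the comment should be changed to state which TYPE values are treated as opportunistic. Related, the fallback added after `(starttls-negotiate stream)` reopens a plain `open-network-stream` connection whenever negotiation fails or the process is no longer `open`/`run`, without consulting TYPE, so an explicitly requested STARTTLS connection appears to be silently downgraded to cleartext on a failed or interfered-with negotiation; consider gating that branch on the opportunistic case, e.g. `(when (and (not (eq type 'starttls)) (or (null stream) ...))`, and signalling an error otherwise. The `(let* ((starttls-use-gnutls t)` binding also overrides the user's `starttls-use-gnutls` setting unconditionally; a one-line comment explaining why the gnutls backend is forced here would help. The enclosing function begins before this hunk, so the meaning of TYPE could not be confirmed from the visible lines.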