Make tls.el use trustfiles by default

* lisp/net/tls.el (tls-program): Add a certfile by default (bug#21227). (open-tls-stream): Insert the trustfile by looking at `gnutls-trustfiles'.
author: Lars Ingebrigtsen 2015-12-29 14:46:20 +0100
committer: Lars Ingebrigtsen 2015-12-29 14:46:20 +0100
commit: de5c44fe8811b07eaad6ab5fc53d498e465a43d4 (patch)
tree: e1be39b72ff322fdcd482840bbf91a7d8289693d
parent: 1ba1e35fbed820ec9d9e1dafbe150f88f29342d8 (diff)
download: emacs-de5c44fe8811b07eaad6ab5fc53d498e465a43d4.tar.gz
emacs-de5c44fe8811b07eaad6ab5fc53d498e465a43d4.zip
1 files changed, 14 insertions, 14 deletions
diff --git a/lisp/net/tls.el b/lisp/net/tls.el
index 6745e5d8282..72fb50ed923 100644
--- a/lisp/net/tls.el
+++ b/lisp/net/tls.el
@@ -44,6 +44,8 @@
 ;;; Code:
+(require 'gnutls)
 (autoload 'format-spec "format-spec")
 (autoload 'format-spec-make "format-spec")
@@ -74,9 +76,10 @@ and `gnutls-cli' (version 2.0.1) output."
  :type 'regexp
  :group 'tls)
-(defcustom tls-program '("gnutls-cli -p %p %h"
+(defcustom tls-program
-                         "gnutls-cli -p %p %h --protocols ssl3"
+  '("gnutls-cli --x509cafile %t -p %p %h"
-                         "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
+    "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
+    "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
  "List of strings containing commands to start TLS stream to a host.
 Each entry in the list is tried until a connection is successful.
 %h is replaced with server hostname, %p with port to connect to.
@@ -89,24 +92,20 @@ successful negotiation."
  :type
  '(choice
    (const :tag "Default list of commands"
-           ("gnutls-cli -p %p %h"
+           ("gnutls-cli --x509cafile %t -p %p %h"
-            "gnutls-cli -p %p %h --protocols ssl3"
+            "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
-            "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"))
+            "openssl s_client -CAfile %t -connect %h:%p -no_ssl2 -ign_eof"))
    (list :tag "Choose commands"
          :value
-          ("gnutls-cli -p %p %h"
+          ("gnutls-cli --x509cafile %t -p %p %h"
-           "gnutls-cli -p %p %h --protocols ssl3"
+           "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
           "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
          (set :inline t
               ;; FIXME: add brief `:tag "..."' descriptions.
               ;; (repeat :inline t :tag "Other" (string))
-               ;; See `tls-checktrust':
-               (const "gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h")
-               (const "gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3")
-               (const "openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof")
               ;; No trust check:
-               (const "gnutls-cli -p %p %h")
+               (const "gnutls-cli --insecure -p %p %h")
-               (const "gnutls-cli -p %p %h --protocols ssl3")
+               (const "gnutls-cli --insecure -p %p %h --protocols ssl3")
               (const "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"))
          (repeat :inline t :tag "Other" (string)))
    (list :tag "List of commands"
@@ -232,6 +231,7 @@ Fourth arg PORT is an integer specifying a port to connect to."
               (format-spec
                cmd
                (format-spec-make
+                 ?t (car (gnutls-trustfiles))
                 ?h host
                 ?p (if (integerp port)
                        (int-to-string port)
author	Lars Ingebrigtsen	2015-12-29 14:46:20 +0100
committer	Lars Ingebrigtsen	2015-12-29 14:46:20 +0100
commit	de5c44fe8811b07eaad6ab5fc53d498e465a43d4 (patch)
tree	e1be39b72ff322fdcd482840bbf91a7d8289693d
parent	1ba1e35fbed820ec9d9e1dafbe150f88f29342d8 (diff)
download	emacs-de5c44fe8811b07eaad6ab5fc53d498e465a43d4.tar.gz emacs-de5c44fe8811b07eaad6ab5fc53d498e465a43d4.zip