| -rw-r--r-- | doc/lispref/processes.texi | 8 | ||||
| -rw-r--r-- | etc/NEWS | 6 | ||||
| -rw-r--r-- | lisp/net/network-stream.el | 26 |
3 files changed, 36 insertions, 4 deletions
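diff --git a/doc/lispref/processes.texi b/doc/lispref/processes.texi
index 287221a184d..5caf0a24265 100644
--- a/doc/lispref/processes.texi
+++ b/doc/lispref/processes.texi
@@ -2516,12 +2516,16 @@ Emacs will warn if the connection isn't encrypted. This is useful for
 protocols like @acronym{IMAP} and the like, where most users would
 expect the network traffic to be encrypted.
 
+@vindex network-stream-use-client-certificates
 @item :client-certificate @var{list-or-t}
 Either a list of the form @code{(@var{key-file} @var{cert-file})},
 naming the certificate key file and certificate file itself, or
 @code{t}, meaning to query @code{auth-source} for this information
-(@pxref{Top,,Overview, auth, The Auth-Source Manual}).
-Only used for @acronym{TLS} or @acronym{STARTTLS}.
+(@pxref{Help for users,,auth-source, auth, Emacs auth-source Library}).
+Only used for @acronym{TLS} or @acronym{STARTTLS}. If
+@code{:client-certificate} is not specified, behave as if it were t,
+customize @code{network-stream-use-client-certificates} to change
+this.
 
 @item :return-list @var{cons-or-nil}
 The return value of this function. If omitted or @code{nil}, return a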
| @@ -322,6 +322,12 @@ Previously, this support was only available when using the external | |||
| 322 | certificates via 'auth-source'. | 322 | certificates via 'auth-source'. |
| 323 | 323 | ||
| 324 | +++ | 324 | +++ |
| 325 | ** New user option 'network-stream-use-client-certificates'. | ||
| 326 | When non-nil, 'open-network-stream' performs lookups of client | ||
| 327 | certificates using 'auth-source' as if ':client-certificate t' were | ||
| 328 | specified. Defaults to t. | ||
| 329 | |||
| 330 | +++ | ||
| 325 | ** New function 'fill-polish-nobreak-p', to be used in 'fill-nobreak-predicate'. | 331 | ** New function 'fill-polish-nobreak-p', to be used in 'fill-nobreak-predicate'. |
| 326 | It blocks line breaking after a one-letter word, also in the case when | 332 | It blocks line breaking after a one-letter word, also in the case when |
| 327 | this word is preceded by a non-space, but non-alphanumeric character. | 333 | this word is preceded by a non-space, but non-alphanumeric character. |
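diff --git a/lisp/net/network-stream.el b/lisp/net/network-stream.el
index 2b3292b71ba..4050c83eb0c 100644
--- a/lisp/net/network-stream.el
+++ b/lisp/net/network-stream.el
@@ -58,6 +58,21 @@
 (defvar starttls-gnutls-program)
 (defvar starttls-program)
 
+(defcustom network-stream-use-client-certificates t
+  "Whether to use client certificates for network connections.
+
+When non-nil, `open-network-stream' will automatically look for
+matching client certificates (via 'auth-source') for a
+destination server, if it is called without a :client-certificate
+keyword.
+
+Set to nil to disable this lookup globally. To disable on a
+per-connection basis, specify ':client-certificate nil' when
+calling `open-network-stream'."
+  :group 'network
+  :type 'boolean
+  :version "27.1")
+
 ;;;###autoload
 (defun open-network-stream (name buffer host service &rest parameters)
   "Open a TCP connection to HOST, optionally with encryption.
@@ -132,7 +147,9 @@ values:
 element is the certificate file name itself, or t, which
 means that `auth-source' will be queried for the key and the
 certificate. This parameter will only be used when doing TLS
-or STARTTLS connections.
+or STARTTLS connections. If :client-certificate is not
+specified, behave as if it were t, customize
+`network-stream-use-client-certificates' to change this.
 
 :use-starttls-if-possible is a boolean that says to do opportunistic
 STARTTLS upgrades even if Emacs doesn't have built-in TLS functionality.
@@ -181,6 +198,11 @@ gnutls-boot (as returned by `gnutls-boot-parameters')."
          ((memq type '(tls ssl)) 'network-stream-open-tls)
          ((eq type 'shell) 'network-stream-open-shell)
          (t (error "Invalid connection type %s" type))))
+        (parameters
+         (if (and network-stream-use-client-certificates
+                  (not (plist-member parameters :client-certificate)))
+             (plist-put parameters :client-certificate t)
+           parameters))
         result)
     (unwind-protect
         (setq result (funcall fun name work-buffer host service parameters))
@@ -209,7 +231,7 @@ gnutls-boot (as returned by `gnutls-boot-parameters')."
                               :port service)))
                  (key (plist-get auth-info :key))
                  (cert (plist-get auth-info :cert)))
-            (and key cert
+            (and key cert (file-readable-p key) (file-readable-p cert)
                  (list key cert)))))))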
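Review bot: With `network-stream-use-client-certificates` defaulting to t in the first hunk, every `open-network-stream` call that omits :client-certificate now runs an auth-source search for a client certificate before connecting, so users who never configured one still pay the lookup on each TLS/STARTTLS connection and, where their auth-source backend is an encrypted file, will presumably be prompted to decrypt it; an opt-in default, `(defcustom network-stream-use-client-certificates nil`, keeps existing callers' behavior unchanged. In the last hunk the added `(file-readable-p key) (file-readable-p cert)` test silently discards a configured certificate whose file is unreadable, so the connection proceeds without client authentication and nothing tells the user why — a `(message "Client certificate %s or %s is not readable" key cert)` on the failing branch would make the fallback visible (the function containing that hunk begins before it). Minor: the new defcustom docstring writes 'auth-source' and ':client-certificate nil' with plain apostrophes where the surrounding docstrings use `symbol' quoting.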