GNU bug report logs - #23759
25.1.50; open-tls-stream creates malformed gnutls-cli command if trusted cert files don't exist

Previous Next

Full log

Message #29 received at 23759 <at> debbugs.gnu.org (full text, mbox):

From: Konstantin Kliakhandler <kosta <at> slumpy.org>
To: 23759 <at> debbugs.gnu.org
Subject: Re: bug#23759: 25.1.50; 25.1.50; open-tls-stream creates malformed
 gnutls-cli command if trusted cert files don't exist
Date: Sat, 2 Jul 2016 10:09:50 +0300

[Message part 1 (text/plain, inline)]

Hello,

First, I apologize for the double posting - I realize that I sent the
previous message with a messed up subject and this caused it not to be
grouped with the rest of the messages in this bug, and to not appear in the
tracker. I hope this second one will work now.

I am using emacs on OSX 10.12 from https://emacsformacosx.com/builds:

(emacs-version)
"GNU Emacs 25.1.50.1 (x86_64-apple-darwin13.4.0, NS appkit-1265.21 Version
10.9.5 (Build 13F1603))
 of 2016-05-30"

And experience the same problem when running emacs -Q. Furthermore, I
diagnosed the cause to be incorrect building of formatted-cmd in
open-tls-stream from the given arguments. Attached is a patch that fixes
the problem on my end. To make the patch smaller, I did not reindent the
whole function - I hope this is alright.

Finally, I'd like to reply to:


> Fran <flitterio <at> gmail.com> writes:

> If Cygwin is installed, open-tls-stream works, because gnutls-cli and
> openssl
> > are available. It has worked for some time. I routinely use this feature
> to
> > enable ERC to connect to servers using TLS using function erc-tls.



> At some point, tls.el will be deprecated. Why aren't you just using
> Emacs with the built-in TLS support?


In my honest opinion, a feature is either deprecated or not, and while it
is not yet deprecated, bugs should not be ignored. I hope you would agree
at least to the point of testing the patch and incorporating it if it works
well :-)

Fuller description of the problem and the fix:

The problem: `open-tls-stream' replaces %t with exactly one element, which
is nil if none of gnutls-trustfiles is readable, and the first element of
gnutls-trustfiles is more than one is readable.
The Solution: In the patch I make the test iterate on all the trustfiles as
a user might have more than one relevant. In addition, I made the default
setting for tls-program have entries that do not explicitly specify the
trustfile.

One thing to note here perhaps, is that if (gnutls-trustfiles) returns an
empty list and one has the %t substitution in one of the tls-program
entries, then that entry will not be run at all. I feel that this is
reasonable since by setting --x509cafile nil one makes gnutls-cli fail
anyway.

Finally, I'm experiencing the above behavior, as far as I can tell, by
default in e.g. erc-tls. What is the proper way to move to the built in
TLS? Is it likely to be something in my config or in the implementation of
ERC?

Thanks,
Kosta

[Message part 2 (text/html, inline)]

[0001-tls-Make-open-tls-stream-try-all-gnutls-trustfiles-a.patch (application/octet-stream, attachment)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.