From debbugs-submit-bounces@debbugs.gnu.org Mon Dec 17 14:16:30 2018
Subject: network-stream.el: network-stream-certificate always returns nil
From: Vinothan Shankar
To: bug-gnu-emacs@gnu.org
Date: Mon, 17 Dec 2018 19:02:08 +0000

network-stream-certificate will *always* return nil, regardless of whether there actually is a client-certificate value-pair specified, because (plist-get :client-certificate parameters) is always nil. This is because plist-get takes the plist as the first argument, and the key as the second; trying to find a list in a token is always going to be nil.

This makes it impossible to use client certificates with Emacs's built-in network-stream support, at least without overriding functions.

The error is in net/network-stream.el. It has been there since the function was first written in 2011, according to git blame.

I surmise that this, in combination with there being no support for client certificates in network-stream-tls (though it's available in network-stream-starttls) is part of the reason there are so many conflicting guides on, for example, using client-certificate SASL with ERC.
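An added ERT regression test, not part of the bug report or of Emacs's own test suite, that pins down the behaviour described above. It assumes the fixed `network-stream-certificate` from lisp/net/network-stream.el, with the arguments to `plist-get` in the right order; the host names, key paths and the throwaway netrc file are constructed placeholders. Against the unfixed function, every `should` that expects a non-nil result fails, which is exactly the symptom reported.

```elisp
;;; network-stream-cert-tests.el --- regression tests for bug#33780  -*- lexical-binding: t -*-

;; Added example, not part of the bug report or of Emacs.  Run with:
;;   emacs -Q --batch -l network-stream-cert-tests.el \
;;         -f ert-run-tests-batch-and-exit

(require 'ert)
(require 'auth-source)
(require 'network-stream)

(ert-deftest nsc-plist-get-argument-order ()
  "The swapped call always yields nil; the correct call finds the key."
  (let ((parameters '(:type tls :client-certificate ("k.pem" "c.pem"))))
    ;; Argument order used by the buggy code: plist-get is handed a
    ;; keyword where it expects the list, so it walks nothing and
    ;; returns nil without signalling an error.
    (should-not (plist-get :client-certificate parameters))
    ;; Correct order: plist first, key second.
    (should (equal (plist-get parameters :client-certificate)
                   '("k.pem" "c.pem")))))

(ert-deftest nsc-certificate-explicit-pair ()
  "An explicit (KEY CERT) list is returned unchanged."
  (should (equal (network-stream-certificate
                  "imap.example.invalid" "993"   ; placeholder host/port
                  '(:client-certificate ("/path/key.pem" "/path/cert.pem")))
                 '("/path/key.pem" "/path/cert.pem"))))

(ert-deftest nsc-certificate-absent ()
  "No :client-certificate parameter means no client certificate."
  (should-not (network-stream-certificate "imap.example.invalid" "993" nil))
  (should-not (network-stream-certificate "imap.example.invalid" "993"
                                          '(:type tls))))

(ert-deftest nsc-certificate-from-authinfo ()
  ":client-certificate t looks the key and cert files up via auth-source."
  ;; Constructed netrc-format file; no .gpg suffix, so the netrc backend
  ;; is chosen and nothing needs to be decrypted.
  (let ((authinfo (make-temp-file "authinfo-")))
    (unwind-protect
        (progn
          (with-temp-file authinfo
            (insert "machine imap.example.invalid port 993 "
                    "key \"/home/me/.certs/imap.key\" "
                    "cert \"/home/me/.certs/imap.pem\"\n"))
          (let ((auth-sources (list authinfo)))
            ;; Drop anything cached from an earlier lookup of this host.
            (auth-source-forget-all-cached)
            (should (equal (network-stream-certificate
                            "imap.example.invalid" "993"
                            '(:client-certificate t))
                           '("/home/me/.certs/imap.key"
                             "/home/me/.certs/imap.pem")))
            ;; A host with no matching entry must not yield a certificate.
            (should-not (network-stream-certificate
                         "other.example.invalid" "993"
                         '(:client-certificate t)))))
      (delete-file authinfo))))

;;; network-stream-cert-tests.el ends here
```

The last test is the one that matters operationally: it checks that a key/cert pair is only presented for the host it was configured for, so a typo in a `machine` entry fails closed (no certificate) rather than sending the wrong identity.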
From: Robert Pluim
To: Vinothan Shankar
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil
Date: Wed, 19 Dec 2018 18:19:53 +0100
Cc: larsi@gnus.org, 33780@debbugs.gnu.org

Vinothan Shankar writes:

> network-stream-certificate will *always* return nil, regardless of
> whether there actually is a client-certificate value-pair specified,
> because (plist-get :client-certificate parameters) is always nil. This
> is because plist-get takes the plist as the first argument, and the key
> as the second; trying to find a list in a token is always going to be
> nil.
>
> This makes it impossible to use client certificates with Emacs's built-
> in network-stream support, at least without overriding functions.
>
> The error is in net/network-stream.el. It has been there since the
> function was first written in 2011, according to git blame.

Yes. Lars?

> I surmise that this, in combination with there being no support for
> client certificates in network-stream-tls (though it's available in
> network-stream-starttls) is part of the reason there are so many
> conflicting guides on, for example, using client-certificate SASL with
> ERC.
Could you apply the following patch, and test something like

(open-network-stream
 "*tls*" (current-buffer) "server.example.com"
 "443"
 :type 'tls
 :warn-unless-encrypted t
 :return-list t
 :client-certificate t)

with the appropriate entries in your .authinfo (replace the servername and port number as needed)? It works in my limited testing, and doesnʼt appear to have broken Gnus (but none of my TLS connections require client certificates).

It could be argued that this should all be transparent, i.e. we should assume ":client-certificate t" unless itʼs explicitly nil, which would avoid having to fix all the packages that just call `open-network-stream', but that we can revisit once things actually work.

diff --git i/lisp/gnus/nnimap.el w/lisp/gnus/nnimap.el index 1a3b05ddb3..956c7144cb 100644 --- i/lisp/gnus/nnimap.el +++ w/lisp/gnus/nnimap.el @@ -456,6 +456,7 @@ nnimap-open-connection-1 :always-query-capabilities t :end-of-command "\r\n" :success " OK " + :client-certificate t :starttls-function (lambda (capabilities) (when (string-match-p "STARTTLS" capabilities) diff --git i/lisp/gnus/nntp.el w/lisp/gnus/nntp.el index be9e495510..efb4912a8f 100644 --- i/lisp/gnus/nntp.el +++ w/lisp/gnus/nntp.el @@ -1266,6 +1266,7 @@ nntp-open-connection :end-of-command "^\\([2345]\\|[.]\\).*\n" :capability-command "HELP\r\n" :success "^3" + :client-certificate t :starttls-function (lambda (capabilities) (if (not (string-match "STARTTLS" capabilities)) diff --git i/lisp/net/gnutls.el w/lisp/net/gnutls.el index 315932b7e6..625f11caa5 100644 --- i/lisp/net/gnutls.el +++ w/lisp/net/gnutls.el @@ -38,6 +38,9 @@ (require 'cl-lib) (require 'puny) =20 +(declare-function network-stream-certificate "network-stream" + (host service parameters)) + (defgroup gnutls nil "Emacs interface to the GnuTLS library." :version "24.1" 
@@ -138,7 +141,7 @@ gnutls-min-prime-bits (integer :tag "Number of bits" 512)) :group 'gnutls) =20 -(defun open-gnutls-stream (name buffer host service &optional nowait) +(defun open-gnutls-stream (name buffer host service &optional parameters) "Open a SSL/TLS connection for a service to a host. Returns a subprocess-object to represent the connection. Input and output work as for subprocesses; `delete-process' closes it. @@ -152,9 +155,14 @@ open-gnutls-stream Third arg is name of the host to connect to, or its IP address. Fourth arg SERVICE is name of the service desired, or an integer specifying a port number to connect to. -Fifth arg NOWAIT (which is optional) means that the socket should -be opened asynchronously. The connection process will be -returned to the caller before TLS negotiation has happened. +Fifth arg PARAMETERS is a property list. It is currently checked for: + + :nowait which means that the socket should be opened + asynchronously. The connection process will be returned to + the caller before TLS negotiation has happened. + + :client-certificate which allows the specification of + client certificates and keys to use to set up the connection. =20 Usage example: =20 
@@ -168,19 +176,22 @@ open-gnutls-stream documentation for the specific parameters you can use to open a GnuTLS connection, including specifying the credential type, trust and key files, and priority string." - (let ((process (open-network-stream - name buffer host service - :nowait nowait - :tls-parameters - (and nowait - (cons 'gnutls-x509pki - (gnutls-boot-parameters - :type 'gnutls-x509pki - :hostname (puny-encode-domain host))))))) + (let* ((cert (network-stream-certificate host service parameters)) + (nowait (plist-get parameters :nowait)) + (process (open-network-stream + name buffer host service + :nowait nowait + :tls-parameters + (and nowait + (cons 'gnutls-x509pki + (gnutls-boot-parameters + :type 'gnutls-x509pki + :hostname (puny-encode-domain host))))))) (if nowait process (gnutls-negotiate :process process :type 'gnutls-x509pki + :keylist (and cert (list cert)) :hostname (puny-encode-domain host))))) =20 (define-error 'gnutls-error "GnuTLS error") diff --git i/lisp/net/network-stream.el w/lisp/net/network-stream.el index a0589e25a4..8b813eef2c 100644 --- i/lisp/net/network-stream.el +++ w/lisp/net/network-stream.el @@ -196,7 +196,7 @@ open-network-stream (car result)))))) =20 (defun network-stream-certificate (host service parameters) - (let ((spec (plist-get :client-certificate parameters))) + (let ((spec (plist-get parameters :client-certificate))) (cond ((listp spec) ;; Either nil or a list with a key/certificate pair. 
@@ -389,7 +389,7 @@ network-stream-open-tls (stream (if (gnutls-available-p) (open-gnutls-stream name buffer host service - (plist-get parameters :nowait)) + parameters) (require 'tls) (open-tls-stream name buffer host service))) (eoc (plist-get parameters :end-of-command)))
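Review bot: adding `:client-certificate t` in the nnimap-open-connection-1 hunk (and likewise in the nntp-open-connection hunk) changes behaviour for every existing user whose authinfo already carries `key`/`cert` tokens for that server: those files will now be read and presented during the handshake with no configuration change on their side. That is presumably the intent, but it is a behaviour change that deserves a NEWS entry rather than being buried in a bug fix.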
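Review bot: changing the fifth positional argument of open-gnutls-stream from NOWAIT to PARAMETERS (`-(defun open-gnutls-stream (name buffer host service &optional nowait)` / `+(defun open-gnutls-stream (name buffer host service &optional parameters)`) is not backwards compatible: any out-of-tree caller that still passes a boolean ends up with `(plist-get t :nowait)`, which returns nil, so the connection silently becomes synchronous instead of signalling an error. Keeping NOWAIT where it is and adding PARAMETERS as a sixth optional argument avoids the silent change in behaviour.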
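Review bot: in the open-gnutls-stream body hunk, `:keylist (and cert (list cert))` is only added to the `gnutls-negotiate` call in the synchronous branch; the `:nowait` branch builds its TLS parameters through `gnutls-boot-parameters` and never receives the key list, so asynchronous callers (`:nowait t`, as ERC uses) still connect without a client certificate even though one was looked up. Pass the same key list to `gnutls-boot-parameters` as well.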
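Review bot: the one-line fix to the argument order, `(plist-get parameters :client-certificate)`, is correct, but this bug survived since 2011 precisely because nothing exercised the function; a small ERT test calling network-stream-certificate with an explicit `(KEY CERT)` pair and with no parameter at all would have caught the swapped arguments and guards against a regression.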
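Review bot: passing the whole `parameters` plist through to open-gnutls-stream in the network-stream-open-tls hunk is the right call, but the `(require 'tls)` fallback on the following lines still invokes `open-tls-stream` without it, so `:client-certificate` is honoured only when Emacs is built with GnuTLS; a sentence in the open-network-stream docstring saying so would save users a confusing silent failure on builds without it.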
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil
From: Vinothan Shankar
To: Robert Pluim
Date: Thu, 20 Dec 2018 11:24:12 +0000
Cc: 33780@debbugs.gnu.org

On Wed, 2018-12-19 at 18:19 +0100, Robert Pluim wrote:
> Could you apply the following patch, and test something like
>
> (open-network-stream
>  "*tls*" (current-buffer) "server.example.com"
>  "443"
>  :type 'tls
>  :warn-unless-encrypted t
>  :return-list t
>  :client-certificate t)
>
> with the appropriate entries in your .authinfo (replace the
> servername
> and port number as needed)? It works in my limited testing, and
> doesnʼt appear to have broken Gnus (but none of my TLS connections
> require client certificates).

OK, so a few minutes into the process of trying to do this, I came across a snag: the syntax for using certificates in authinfo files doesn't appear to be documented anywhere; I had to extract it from a stackexchange question. Docs bug, or lack of search-fu? Moving on...

Results:

Initial failure, but this is because I've been testing with ERC, which calls open-network-stream with ":nowait t". If I add the ":keylist (and cert (list cert))" stanza to the other branch of open-gnutls-stream as well, in the gnutls-boot-parameters call, it works perfectly: Freenode picks up my identity even when I supply a blank password.
From: Robert Pluim
To: Vinothan Shankar
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil
Date: Thu, 20 Dec 2018 19:45:25 +0100
Cc: 33780@debbugs.gnu.org

Vinothan Shankar writes:

> OK, so a few minutes into the process of trying to do this, I came
> across a snag: the syntax for using certificates in authinfo files
> doesn't appear to be documented anywhere; I had to extract it from a
> stackexchange question. Docs bug, or lack of search-fu? Moving on...

Itʼs in the smtpmail info manual, node 'Encryption'. It is linked from the main Emacs manual, from the 'Mail Sending' node, but there appears to be no description of the syntax in the auth-source manual. Patches welcome :-)

> Results:
>
> Initial failure, but this is because I've been testing with ERC, which
> calls open-network-stream with ":nowait t". If I add the ":keylist
> (and cert (list cert))" stanza to the other branch of open-gnutls-
> stream as well, in the gnutls-boot-parameters call, it works perfectly:
> Freenode picks up my identity even when I supply a blank password.

Thanks for testing.
Iʼll update my patch (and write a ChangeLog, and a NEWS entry)

By my count there are at least 11 calls to open-network-stream in Emacs' sources which would need updating with ':client-certificate t' in order to trigger transparent use of user-specified certificates. By analogy to e.g. smtpmail looking up usernames and passwords by default using auth-source, I think Emacs should do the same for client-certificates by default. People without entries specifying certificates would be unaffected, and third-party packages would not need to be updated to take advantage of this new feature.

Comments welcome.

Robert
From: Robert Pluim
To: Vinothan Shankar
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil
Date: Fri, 21 Dec 2018 14:16:57 +0100
Cc: 33780@debbugs.gnu.org

Robert Pluim writes:

> Vinothan Shankar writes:
>
>> OK, so a few minutes into the process of trying to do this, I came
>> across a snag: the syntax for using certificates in authinfo files
>> doesn't appear to be documented anywhere; I had to extract it from a
>> stackexchange question. Docs bug, or lack of search-fu? Moving on...
>
> Itʼs in the smtpmail info manual, node 'Encryption'. It is linked from
> the main Emacs manual, from the 'Mail Sending' node, but there appears
> to be no description of the syntax in the auth-source manual. Patches
> welcome :-)
>

I was looking there anyway, so I updated the manual. Proposed patch attached. At this time it just enables taking into account ':client-certificate t' in calls to 'open-network-stream' and applying any client certificates found, it doesnʼt change the default behaviour. Iʼll follow up on emacs-devel afterwards about that.

[Attachment: 0001-Check-for-client-certificates-when-using-GnuTLS.patch]
>From 2f13e12882a32246d9b1d57e111ad17e0773ff54 Mon Sep 17 00:00:00 2001 From: Robert Pluim Date: Fri, 21 Dec 2018 11:58:00 +0100 Subject: [PATCH] Check for client certificates when using GnuTLS To: emacs-devel@gnu.org This fixes Bug#33780, and extends the documentation to describe how to enable use of client certificates. * lisp/net/network-stream.el (network-stream-certificate): Correct order of parameters to plist-get. (network-stream-open-tls): Pass all received parameters to open-gnutls-stream, not just :nowait. * lisp/net/gnutls.el (open-gnutls-stream): Add optional plist to arglist. Derive client certificate(s) and keys(s) from plist (maybe via auth-source) and pass to gnutls-boot-parameters and gnutls-negotiate. (network-stream-certificate): Add declare-function form for it. * doc/misc/auth.texi (Help for users): Describe format to use for client key/cert specification. * doc/misc/emacs-gnutls.texi (Help For Developers): Describe usage of new optional plist argument. Add crossref to description of .authinfo format for client key/cert specification. * etc/NEWS: Describe new client certificate functionality for 'open-network-stream' --- doc/misc/auth.texi | 9 +++++++++ doc/misc/emacs-gnutls.texi | 12 +++++++++++- etc/NEWS | 7 +++++++ lisp/net/gnutls.el | 31 +++++++++++++++++++++---------- lisp/net/network-stream.el | 5 +++-- 5 files changed, 51 insertions(+), 13 deletions(-) diff --git a/doc/misc/auth.texi b/doc/misc/auth.texi index fcbc83ead5..68b8553d58 100644 --- a/doc/misc/auth.texi +++ b/doc/misc/auth.texi 
@@ -109,6 +109,15 @@ Help for users @code{auth-source-search} queries. You can also use @code{login} and @code{account}. +You can also use this file to specify client certificates to use when +setting up TLS connections. The format is: +@example +machine @var{mymachine} port @var{myport} key "@var{key}" cert "@var{cert}" +@end example + +@var{key} and @var{cert} are filenames containing the key and +certificate to use respectively. + You can use spaces inside a password or other token by surrounding the token with either single or double quotes. diff --git a/doc/misc/emacs-gnutls.texi b/doc/misc/emacs-gnutls.texi index a690ccfcce..90c2d217e2 100644 --- a/doc/misc/emacs-gnutls.texi +++ b/doc/misc/emacs-gnutls.texi @@ -179,7 +179,7 @@ Help For Developers You should not have to use the @file{gnutls.el} functions directly. But you can test them with @code{open-gnutls-stream}. -@defun open-gnutls-stream name buffer host service &optional nowait +@defun open-gnutls-stream name buffer host service &optional nowait parameters This function creates a buffer connected to a specific @var{host} and @var{service} (port number or service name). The parameters and their syntax are the same as those given to @code{open-network-stream} @@ -191,6 +191,16 @@ Help For Developers asynchronous, and the connection process will be returned to the caller before TLS negotiation has happened. +@var{parameters} is a plist which is currently checked only for +@code{:client-certificate}. Any resulting client certificates are +passed down to the lower TLS layers. Set @code{:client certificate t} +to trigger looking up of the certificates using the auth-source +library. The format used by @file{.authinfo} to specify the +per-server keys is described in @xref{Help for users,,auth-source, +auth, Emacs auth-source Library}. + +Example calls: + @lisp ;; open a HTTPS connection (open-gnutls-stream "tls" "tls-buffer" "yourserver.com" "https") 
diff --git a/etc/NEWS b/etc/NEWS index 0624c5690b..74943fb2ff 100644 --- a/etc/NEWS +++ b/etc/NEWS @@ -199,6 +199,13 @@ issued), you can either set 'network-security-protocol-checks' to nil, or adjust the elements in that variable to only happen on the 'high' security level (assuming you use the 'medium' level). ++++ +** Native GnuTLS connections can now use client certificates. +Previously, this support was only available when using the external +gnutls-cli command. Call 'open-network-stream' with +':client-certificate t' to trigger looking up of per-server +certificates via 'auth-source'. + +++ ** New function 'fill-polish-nobreak-p', to be used in 'fill-nobreak-predicate'. It blocks line breaking after a one-letter word, also in the case when diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el index 315932b7e6..30f933fa48 100644 --- a/lisp/net/gnutls.el +++ b/lisp/net/gnutls.el @@ -38,6 +38,9 @@ (require 'cl-lib) (require 'puny) +(declare-function network-stream-certificate "network-stream" + (host service parameters)) + (defgroup gnutls nil "Emacs interface to the GnuTLS library." :version "24.1" @@ -138,7 +141,7 @@ gnutls-min-prime-bits (integer :tag "Number of bits" 512)) :group 'gnutls) -(defun open-gnutls-stream (name buffer host service &optional nowait) +(defun open-gnutls-stream (name buffer host service &optional nowait parameters) "Open a SSL/TLS connection for a service to a host. Returns a subprocess-object to represent the connection. Input and output work as for subprocesses; `delete-process' closes it. 
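Review bot: the `declare-function` for network-stream-certificate only silences the byte-compiler; nothing in gnutls.el loads network-stream.el, yet the rewritten open-gnutls-stream body calls network-stream-certificate unconditionally. The manual change in this same patch invites developers to call open-gnutls-stream directly, so in a session where network-stream has not been loaded yet that call signals void-function. Either add an autoload for network-stream-certificate next to the declare-function, or only call it when the plist carries the key, e.g. `(and (plist-get parameters :client-certificate) (network-stream-certificate host service parameters))`.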
@@ -155,6 +158,10 @@ open-gnutls-stream Fifth arg NOWAIT (which is optional) means that the socket should be opened asynchronously. The connection process will be returned to the caller before TLS negotiation has happened. +Sixth arg PARAMETERS is an optional property list. It is currently +checked for :client-certificate only. This allows specifying the +client certificates and keys used to set up the connection. +See `open-network-stream' for a complete description. Usage example: @@ -168,19 +175,23 @@ open-gnutls-stream documentation for the specific parameters you can use to open a GnuTLS connection, including specifying the credential type, trust and key files, and priority string." - (let ((process (open-network-stream - name buffer host service - :nowait nowait - :tls-parameters - (and nowait - (cons 'gnutls-x509pki - (gnutls-boot-parameters - :type 'gnutls-x509pki - :hostname (puny-encode-domain host))))))) + (let* ((cert (network-stream-certificate host service parameters)) + (keylist (and cert (list cert))) + (process (open-network-stream + name buffer host service + :nowait nowait + :tls-parameters + (and nowait + (cons 'gnutls-x509pki + (gnutls-boot-parameters + :type 'gnutls-x509pki + :keylist keylist + :hostname (puny-encode-domain host))))))) (if nowait process (gnutls-negotiate :process process :type 'gnutls-x509pki + :keylist keylist :hostname (puny-encode-domain host))))) (define-error 'gnutls-error "GnuTLS error") diff --git a/lisp/net/network-stream.el b/lisp/net/network-stream.el index a0589e25a4..26f92d5aa8 100644 --- a/lisp/net/network-stream.el +++ b/lisp/net/network-stream.el @@ -196,7 +196,7 @@ open-network-stream (car result)))))) (defun network-stream-certificate (host service parameters) - (let ((spec (plist-get :client-certificate parameters))) + (let ((spec (plist-get parameters :client-certificate))) (cond ((listp spec) ;; Either nil or a list with a key/certificate pair. 
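Review bot: the `(plist-get parameters :client-certificate)` change is the whole of Bug#33780 and deserves a regression test. With the arguments transposed, plist-get was handed the keyword as the plist, found no cons cells and returned nil rather than signalling, which is why every spec, literal pair or t alike, silently produced no client certificate. A test in network-stream-tests.el that calls network-stream-certificate with a literal `(:client-certificate ("key.pem" "cert.pem"))` and checks that the pair comes back would catch a recurrence without needing a network connection or an auth-source file.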
@@ -389,7 +389,8 @@ network-stream-open-tls (stream (if (gnutls-available-p) (open-gnutls-stream name buffer host service - (plist-get parameters :nowait)) + (plist-get parameters :nowait) + parameters) (require 'tls) (open-tls-stream name buffer host service))) (eoc (plist-get parameters :end-of-command))) -- 2.19.1.816.gcd69ec8cde.dirty --=-=-=-- From debbugs-submit-bounces@debbugs.gnu.org Wed Jan 09 05:48:58 2019 Received: (at 33780) by debbugs.gnu.org; 9 Jan 2019 10:48:58 +0000 Received: from localhost ([127.0.0.1]:50834 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ghBPt-0007sa-LK for submit@debbugs.gnu.org; Wed, 09 Jan 2019 05:48:58 -0500 Received: from mail-ed1-f46.google.com ([209.85.208.46]:44160) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ghBPq-0007sL-Nb for 33780@debbugs.gnu.org; Wed, 09 Jan 2019 05:48:55 -0500 Received: by mail-ed1-f46.google.com with SMTP id y56so6887923edd.11 for <33780@debbugs.gnu.org>; Wed, 09 Jan 2019 02:48:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:references:mail-copies-to:gmane-reply-to-list :date:in-reply-to:message-id:mime-version; bh=5blIFjyz6y+hNLP5vEreum+vTiiKtsqCEyORLha1vAU=; b=HiT8iY41HEziK6DGXwAoxgbMEmjiT9gw+qLOTHc8bMub4G6UyXEFFeL+Ptt6P0HkU0 D1ScAkcVZ2X8eohCyVgNTLwc+0/tvSjt4uNtrsu4TziDp0SNInf4THreSCwrv/jtBndd YEXQD8Q6kE/Xss1kA6B55FFi3a3XS76RitfK662e6yYB5UhmDL8s/vmkTJxUfkQYy5ol cOtVNCHOakA/uLtsi1lXc8IdCjGoiiggrj5K8TBCioCOJRFarY5bxhRodbYaOhGUCUzp ZJp2+dPAeFmUSErCAKssk2yqdmjP2nqaWlY132YsOEHP0abOxNrryL9/SHhlVZf+dRZ7 e6CA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:references:mail-copies-to :gmane-reply-to-list:date:in-reply-to:message-id:mime-version; bh=5blIFjyz6y+hNLP5vEreum+vTiiKtsqCEyORLha1vAU=; b=mCIiavScCCckQz/9RV0z0feHKyxyYE64+KXm5vTheeLljHwgY6Hju2NBnaJ9QonBac 
From: Robert Pluim
To: 33780@debbugs.gnu.org
Cc: Vinothan Shankar, eliz@gnu.org, Ted Zlatanov
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil
Date: Wed, 09 Jan 2019 11:48:46 +0100
In-Reply-To: (Robert Pluim's message of "Fri, 21 Dec 2018 14:16:57 +0100")
References: <36f7918ec93135504092dc856a4490c846f6e947.camel@dracon.is> <97b430dc5524473a7ed3af1b903644880db057ff.camel@dracon.is>

Following discussion on emacs-devel on how to do this, latest version of
patch attached. This maintains backwards compatibility for
open-gnutls-stream (assuming I haven't screwed up the checks), and
updates the relevant documentation.

Attachment (text/x-patch): 0001-Check-for-client-certificates-when-using-GnuTLS.patch

>From 6bdf3d94dc83e79394d109486f68810ef9f4b373 Mon Sep 17 00:00:00 2001
From: Robert Pluim Date: Fri, 21 Dec 2018 11:58:00 +0100 Subject: [PATCH] Check for client certificates when using GnuTLS To: emacs-devel@gnu.org This fixes Bug#33780, and extends the documentation to describe how to enable use of client certificates. * lisp/net/network-stream.el (network-stream-certificate): Correct order of parameters to plist-get. (network-stream-open-tls): Pass all received parameters to open-gnutls-stream as plist, not just :nowait. * lisp/net/gnutls.el (open-gnutls-stream): Change optional nowait arg to be plist. Derive nowait and client certificate(s) and keys(s) from plist (maybe via auth-source) and pass to gnutls-boot-parameters and gnutls-negotiate. (network-stream-certificate): Add declare-function form for it. * doc/misc/auth.texi (Help for users): Describe format to use for client key/cert specification. * doc/misc/emacs-gnutls.texi (Help For Developers): Describe usage of optional plist argument. Add crossreference to description of .authinfo format for client key/cert specification. * etc/NEWS: Describe new client certificate functionality for 'open-network-stream'. --- doc/misc/auth.texi | 9 ++++++ doc/misc/emacs-gnutls.texi | 38 ++++++++++++++++++------- etc/NEWS | 7 +++++ lisp/net/gnutls.el | 57 +++++++++++++++++++++++++------------- lisp/net/network-stream.el | 4 +-- 5 files changed, 84 insertions(+), 31 deletions(-) diff --git a/doc/misc/auth.texi b/doc/misc/auth.texi index 495d9f53e1..ddfeabcba7 100644 --- a/doc/misc/auth.texi +++ b/doc/misc/auth.texi 
@@ -109,6 +109,15 @@ Help for users @code{auth-source-search} queries. You can also use @code{login} and @code{account}. +You can also use this file to specify client certificates to use when +setting up TLS connections. The format is: +@example +machine @var{mymachine} port @var{myport} key @var{key} cert @var{cert} +@end example + +@var{key} and @var{cert} are filenames containing the key and +certificate to use respectively. + You can use spaces inside a password or other token by surrounding the token with either single or double quotes. diff --git a/doc/misc/emacs-gnutls.texi b/doc/misc/emacs-gnutls.texi index aae583c641..0e2a9764a1 100644 --- a/doc/misc/emacs-gnutls.texi +++ b/doc/misc/emacs-gnutls.texi 
@@ -179,17 +179,35 @@ Help For Developers You should not have to use the @file{gnutls.el} functions directly. But you can test them with @code{open-gnutls-stream}. -@defun open-gnutls-stream name buffer host service &optional nowait +@defun open-gnutls-stream name buffer host service &optional parameters This function creates a buffer connected to a specific @var{host} and -@var{service} (port number or service name). The parameters and their -syntax are the same as those given to @code{open-network-stream} -(@pxref{Network,, Network Connections, elisp, The Emacs Lisp Reference -Manual}). The connection process is called @var{name} (made unique if -necessary). This function returns the connection process. - -The @var{nowait} parameter means that the socket should be -asynchronous, and the connection process will be returned to the -caller before TLS negotiation has happened. +@var{service} (port number or service name). The mandatory arguments +and their syntax are the same as those given to +@code{open-network-stream} (@pxref{Network,, Network Connections, +elisp, The Emacs Lisp Reference Manual}). The connection process is +called @var{name} (made unique if necessary). This function returns +the connection process. + +The optional @var{parameters} argument is a list of keywords and +values. The only keywords which currently have any effect are +@code{:client-certificate} and @code{:nowait}. + +Passing @code{:client certificate t} triggers looking up of client +certificates matching @var{host} and @var{service} using the +'auth-source' library. Any resulting client certificates are passed +down to the lower TLS layers. The format used by @file{.authinfo} to +specify the per-server keys is described in @xref{Help for +users,,auth-source, auth, Emacs auth-source Library}. + +Passing @code{:nowait t} means that the socket should be asynchronous, +and the connection process will be returned to the caller before TLS +negotiation has happened. 
+ +For historical reasons @var{parameters} can also be a symbol, which is +interpreted the same as passing a list containing @code{:nowait} and +the value of that symbol. + +Example calls: @lisp ;; open a HTTPS connection diff --git a/etc/NEWS b/etc/NEWS index 3670ab5bf4..43997f8418 100644 --- a/etc/NEWS +++ b/etc/NEWS @@ -199,6 +199,13 @@ issued), you can either set 'network-security-protocol-checks' to nil, or adjust the elements in that variable to only happen on the 'high' security level (assuming you use the 'medium' level). ++++ +** Native GnuTLS connections can now use client certificates. +Previously, this support was only available when using the external +gnutls-cli command. Call 'open-network-stream' with +':client-certificate t' to trigger looking up of per-server +certificates via 'auth-source'. + +++ ** New function 'fill-polish-nobreak-p', to be used in 'fill-nobreak-predicate'. It blocks line breaking after a one-letter word, also in the case when diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el index 78ac3fe35b..dae208e926 100644 --- a/lisp/net/gnutls.el +++ b/lisp/net/gnutls.el @@ -38,6 +38,9 @@ (require 'cl-lib) (require 'puny) +(declare-function network-stream-certificate "network-stream" + (host service parameters)) + (defgroup gnutls nil "Emacs interface to the GnuTLS library." :version "24.1" 
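Review bot: `@code{:client certificate t}` in the emacs-gnutls.texi hunk still lacks the hyphen; wrapping it in @w{} as requested elsewhere in the thread does not fix that. The code only recognizes `:client-certificate`, and plist-get returns nil for a key that is absent, so a reader who copies the documented form silently gets no client certificate. The NEWS hunk in this same patch spells it correctly as ':client-certificate t'; make the manual match.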
@@ -138,23 +141,25 @@ gnutls-min-prime-bits (integer :tag "Number of bits" 512)) :group 'gnutls) -(defun open-gnutls-stream (name buffer host service &optional nowait) +(defun open-gnutls-stream (name buffer host service &optional parameters) "Open a SSL/TLS connection for a service to a host. Returns a subprocess-object to represent the connection. Input and output work as for subprocesses; `delete-process' closes it. Args are NAME BUFFER HOST SERVICE. NAME is name for process. It is modified if necessary to make it unique. BUFFER is the buffer (or `buffer-name') to associate with the process. - Process output goes at end of that buffer, unless you specify - a filter function to handle the output. - BUFFER may be also nil, meaning that this process is not associated - with any buffer -Third arg is name of the host to connect to, or its IP address. -Fourth arg SERVICE is name of the service desired, or an integer +Process output goes at end of that buffer, unless you specify a +filter function to handle the output. BUFFER may be also nil, +meaning that this process is not associated with any buffer +Third arg HOST is the name of the host to connect to, or its IP address. +Fourth arg SERVICE is the name of the service desired, or an integer specifying a port number to connect to. -Fifth arg NOWAIT (which is optional) means that the socket should -be opened asynchronously. The connection process will be -returned to the caller before TLS negotiation has happened. +Fifth arg PARAMETERS is an optional list of keyword/value pairs. +Only :client-certificate and :nowait keywords are recognized, and +have the same meaning as for `open-network-stream'. +For historical reasons PARAMETERS can also be a symbol, which is +interpreted the same as passing a list containing :nowait and the +value of that symbol. Usage example: 
@@ -168,19 +173,33 @@ open-gnutls-stream documentation for the specific parameters you can use to open a GnuTLS connection, including specifying the credential type, trust and key files, and priority string." - (let ((process (open-network-stream - name buffer host service - :nowait nowait - :tls-parameters - (and nowait - (cons 'gnutls-x509pki - (gnutls-boot-parameters - :type 'gnutls-x509pki - :hostname (puny-encode-domain host))))))) + (let* ((parameters + (cond ((symbolp parameters) + (list :nowait parameters)) + ((not (cl-evenp (length parameters))) + (error "Malformed keyword list")) + ((consp parameters) + parameters) + (t + (error "Unknown parameter type")))) + (cert (network-stream-certificate host service parameters)) + (keylist (and cert (list cert))) + (nowait (plist-get parameters :nowait)) + (process (open-network-stream + name buffer host service + :nowait nowait + :tls-parameters + (and nowait + (cons 'gnutls-x509pki + (gnutls-boot-parameters + :type 'gnutls-x509pki + :keylist keylist + :hostname (puny-encode-domain host))))))) (if nowait process (gnutls-negotiate :process process :type 'gnutls-x509pki + :keylist keylist :hostname (puny-encode-domain host))))) (define-error 'gnutls-error "GnuTLS error") diff --git a/lisp/net/network-stream.el b/lisp/net/network-stream.el index 98b2033790..1723931c67 100644 --- a/lisp/net/network-stream.el +++ b/lisp/net/network-stream.el @@ -196,7 +196,7 @@ open-network-stream (car result)))))) (defun network-stream-certificate (host service parameters) - (let ((spec (plist-get :client-certificate parameters))) + (let ((spec (plist-get parameters :client-certificate))) (cond ((listp spec) ;; Either nil or a list with a key/certificate pair. 
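Review bot: in the new cond at the top of open-gnutls-stream, the parity check `(not (cl-evenp (length parameters)))` runs before `(consp parameters)`, so a non-list argument is classified by its length: a string or vector of odd length reports "Malformed keyword list", one of even length falls through to "Unknown parameter type", and a non-sequence signals wrong-type-argument from `length` before either message is reached. Test `consp` first and then parity so each error describes the actual mistake, and add a comment that the `symbolp` branch deliberately also covers nil (the old default), since `(list :nowait nil)` is what makes the backwards compatibility claimed in the cover note hold.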
@@ -389,7 +389,7 @@ network-stream-open-tls (stream (if (gnutls-available-p) (open-gnutls-stream name buffer host service - (plist-get parameters :nowait)) + parameters) (require 'tls) (open-tls-stream name buffer host service))) (eoc (plist-get parameters :end-of-command))) -- 2.19.1.816.gcd69ec8cde.dirty --=-=-=-- From debbugs-submit-bounces@debbugs.gnu.org Sat Jan 12 06:13:52 2019 Received: (at 33780) by debbugs.gnu.org; 12 Jan 2019 11:13:52 +0000 Received: from localhost ([127.0.0.1]:56561 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1giHEX-0002m2-Uq for submit@debbugs.gnu.org; Sat, 12 Jan 2019 06:13:51 -0500 Received: from eggs.gnu.org ([209.51.188.92]:33346) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1giHEV-0002ln-UV for 33780@debbugs.gnu.org; Sat, 12 Jan 2019 06:13:44 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]:35959) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1giHEF-0008Nk-It; Sat, 12 Jan 2019 06:13:29 -0500 Received: from [176.228.60.248] (port=4271 helo=home-c4e4a596f7) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1giHEC-0001hx-3Q; Sat, 12 Jan 2019 06:13:25 -0500 Date: Sat, 12 Jan 2019 13:13:04 +0200 Message-Id: <83o98mf7sv.fsf@gnu.org> 
From: Eli Zaretskii
To: Robert Pluim
Cc: darael@dracon.is, tzz@lifelogs.com, 33780@debbugs.gnu.org
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil
In-reply-to: (message from Robert Pluim on Wed, 09 Jan 2019 11:48:46 +0100)
References: <36f7918ec93135504092dc856a4490c846f6e947.camel@dracon.is> <97b430dc5524473a7ed3af1b903644880db057ff.camel@dracon.is>
> From: Robert Pluim
> Cc: Vinothan Shankar, eliz@gnu.org, Ted Zlatanov
> Date: Wed, 09 Jan 2019 11:48:46 +0100

Thanks, a few comments regarding the Texinfo part:

> +Passing @code{:client certificate t} triggers looking up of client
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This should be wrapped in @w{..}, otherwise makeinfo might divide it
between two lines.

> +certificates matching @var{host} and @var{service} using the
> +'auth-source' library.  Any resulting client certificates are passed

auth-source should be in @file, and without the quotes.

> +down to the lower TLS layers.  The format used by @file{.authinfo} to
> +specify the per-server keys is described in @xref{Help for
> +users,,auth-source, auth, Emacs auth-source Library}.

@xref can only be used at the beginning of a sentence, as it generates
a capitalized "See".  Use "see @ref" instead here.

From debbugs-submit-bounces@debbugs.gnu.org Mon Jan 14 08:27:25 2019
From: Robert Pluim
To: Eli Zaretskii
Cc: darael@dracon.is, tzz@lifelogs.com, 33780@debbugs.gnu.org
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil
Date: Mon, 14 Jan 2019 14:27:15 +0100
References: <36f7918ec93135504092dc856a4490c846f6e947.camel@dracon.is> <97b430dc5524473a7ed3af1b903644880db057ff.camel@dracon.is> <83o98mf7sv.fsf@gnu.org>

Eli Zaretskii writes:
>> From: Robert Pluim
>> Cc: Vinothan Shankar, eliz@gnu.org, Ted Zlatanov
>> Date: Wed, 09 Jan 2019 11:48:46 +0100
>
> Thanks, a few comments regarding the Texinfo part:
>
>> +Passing @code{:client certificate t} triggers looking up of client
>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> This should be wrapped in @w{..}, otherwise makeinfo might divide it
> between two lines.
>

Fixed, along with another instance later.

>> +certificates matching @var{host} and @var{service} using the
>> +'auth-source' library.  Any resulting client certificates are passed
>
> auth-source should be in @file, and without the quotes.
>
>> +down to the lower TLS layers.  The format used by @file{.authinfo} to
>> +specify the per-server keys is described in @xref{Help for
>> +users,,auth-source, auth, Emacs auth-source Library}.
>
> @xref can only be used at the beginning of a sentence, as it generates
> a capitalized "See".  Use "see @ref" instead here.

Fixed. I was about to push, then got paranoid, so I wrote a few tests
for 'open-network-stream', which gave me a few surprises. I had to add
the following in network-stream-tests.el:

+(require 'network-stream)
+; The require above is needed for 'open-network-stream', but it pulls
+; in nsm, which then makes the :nowait tests fail unless we disable
+; the nsm.
+(setq network-security-level 'low)

otherwise both the old and my new ':nowait t' tests failed. Is that
expected?
Thanks

Robert

From debbugs-submit-bounces@debbugs.gnu.org Mon Jan 14 11:01:07 2019
From: Eli Zaretskii
To: Robert Pluim
Cc: darael@dracon.is, tzz@lifelogs.com, 33780@debbugs.gnu.org
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil
Date: Mon, 14 Jan 2019 18:00:41 +0200
Message-Id: <83imyrdyae.fsf@gnu.org>
In-reply-to: (message from Robert Pluim on Mon, 14 Jan 2019 14:27:15 +0100)
References: <36f7918ec93135504092dc856a4490c846f6e947.camel@dracon.is> <97b430dc5524473a7ed3af1b903644880db057ff.camel@dracon.is> <83o98mf7sv.fsf@gnu.org>
> From: Robert Pluim
> Cc: darael@dracon.is, tzz@lifelogs.com, 33780@debbugs.gnu.org
> Date: Mon, 14 Jan 2019 14:27:15 +0100
>
> Fixed. I was about to push, then got paranoid, so I wrote a few tests
> for 'open-network-stream', which gave me a few surprises. I had to add
> the following in network-stream-tests.el:
>
> +(require 'network-stream)
> +; The require above is needed for 'open-network-stream', but it pulls
> +; in nsm, which then makes the :nowait tests fail unless we disable
> +; the nsm.
> +(setq network-security-level 'low)
>
> otherwise both the old and my new ':nowait t' tests failed. Is that
> expected?

Not sure. Did you understand why it failed? IOW, what does nsm have
to do with the failures?

From debbugs-submit-bounces@debbugs.gnu.org Mon Jan 14 11:26:06 2019
From: Robert Pluim
To: Eli Zaretskii
Cc: darael@dracon.is, tzz@lifelogs.com, 33780@debbugs.gnu.org
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil
Date: Mon, 14 Jan 2019 17:25:55 +0100
In-Reply-To: <83imyrdyae.fsf@gnu.org> (Eli Zaretskii's message of "Mon, 14 Jan 2019 18:00:41 +0200")
References: <36f7918ec93135504092dc856a4490c846f6e947.camel@dracon.is> <97b430dc5524473a7ed3af1b903644880db057ff.camel@dracon.is> <83o98mf7sv.fsf@gnu.org> <83imyrdyae.fsf@gnu.org>

Eli Zaretskii writes:
>> From: Robert Pluim
>> Cc: darael@dracon.is, tzz@lifelogs.com, 33780@debbugs.gnu.org
>> Date: Mon, 14 Jan 2019 14:27:15 +0100
>>
>> Fixed. I was about to push, then got paranoid, so I wrote a few tests
>> for 'open-network-stream', which gave me a few surprises. I had to add
>> the following in network-stream-tests.el:
>>
>> +(require 'network-stream)
>> +; The require above is needed for 'open-network-stream', but it pulls
>> +; in nsm, which then makes the :nowait tests fail unless we disable
>> +; the nsm.
>> +(setq network-security-level 'low)
>>
>> otherwise both the old and my new ':nowait t' tests failed. Is that
>> expected?
>
> Not sure. Did you understand why it failed? IOW, what does nsm have
> to do with the failures?

When I ran the equivalent 'open-network-stream' code to the tests
manually in 'emacs -Q', I get a prompt from nsm asking me whether to
accept the certificate of the server Iʼm connecting to.

When running the test suite, weʼre in batch mode, so thereʼs no way to
answer that question, as far as I know, so turning off the nsm is the
only way to go.

This only fails for the existing tests with ':nowait t', since then I
suspect nsm gets called automatically, whilst in the ':nowait nil'
case nsm never gets called (the existing tests all use
'make-network-process' directly, rather than 'open-network-stream', so
they bypass nsm).

This could be seen as a bug in nsm, I suppose, since naïvely you
wouldn't expect loading it to change the behaviour of
'make-network-process'.
Robert

From debbugs-submit-bounces@debbugs.gnu.org Mon Jan 14 11:45:43 2019
From: Eli Zaretskii
To: Robert Pluim
Cc: darael@dracon.is, tzz@lifelogs.com, 33780@debbugs.gnu.org
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil
Date: Mon, 14 Jan 2019 18:45:13 +0200
Message-Id: <83bm4jdw86.fsf@gnu.org>
In-reply-to: (message from Robert Pluim on Mon, 14 Jan 2019 17:25:55 +0100)
References: <36f7918ec93135504092dc856a4490c846f6e947.camel@dracon.is> <97b430dc5524473a7ed3af1b903644880db057ff.camel@dracon.is> <83o98mf7sv.fsf@gnu.org> <83imyrdyae.fsf@gnu.org>
> From: Robert Pluim
> Cc: darael@dracon.is, tzz@lifelogs.com, 33780@debbugs.gnu.org
> Date: Mon, 14 Jan 2019 17:25:55 +0100
>
> When running the test suite, weʼre in batch mode, so thereʼs no way to
> answer that question, as far as I know, so turning off the nsm is the
> only way to go.

You could also override the nsm-query-user function, I think.

> This only fails for the existing tests with ':nowait t', since then I
> suspect nsm gets called automatically, whilst in the ':nowait nil'
> case nsm never gets called (the existing tests all use
> 'make-network-process' directly, rather than 'open-network-stream', so
> they bypass nsm).

I don't think I understood why nsm gets called only in the ":nowait t"
case. What did I miss?
From: Robert Pluim
To: Eli Zaretskii
Cc: darael@dracon.is, tzz@lifelogs.com, 33780@debbugs.gnu.org
Date: Mon, 14 Jan 2019 18:40:59 +0100
In-Reply-To: <83bm4jdw86.fsf@gnu.org> (Eli Zaretskii's message of "Mon, 14 Jan 2019 18:45:13 +0200")
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil

Eli Zaretskii writes:
>> From: Robert Pluim
>> Cc: darael@dracon.is, tzz@lifelogs.com, 33780@debbugs.gnu.org
>> Date: Mon, 14 Jan 2019 17:25:55 +0100
>>
>> When running the test suite, weʼre in batch mode, so thereʼs no way to
>> answer that question, as far as I know, so turning off the nsm is the
>> only way to go.
>
> You could also override the nsm-query-user function, I think.
>

True.

>> This only fails for the existing tests with ':nowait t', since then I
>> suspect nsm gets called automatically, whilst in the ':nowait nil'
>> case nsm never gets called (the existing tests all use
>> 'make-network-process' directly, rather than 'open-network-stream', so
>> they bypass nsm).
>
> I don't think I understood why nsm gets called only in the ":nowait t"
> case. What did I miss?

process.c has:

#ifdef HAVE_GNUTLS
static void
finish_after_tls_connection (Lisp_Object proc)
{
  struct Lisp_Process *p = XPROCESS (proc);
  Lisp_Object contact = p->childp;
  Lisp_Object result = Qt;

  if (!NILP (Ffboundp (Qnsm_verify_connection)))
    result = call3 (Qnsm_verify_connection,
                    proc,
                    Fplist_get (contact, QChost),
                    Fplist_get (contact, QCservice));

so loading nsm.el causes nsm-verify-connection to get called in the
':nowait t' case. Presumably in the ':nowait nil' case gnutls-boot has
already completed the tls connection, and finish_after_tls_connection
never gets called (thatʼs speculation on my part). I donʼt know the
GnuTLS code well enough to know if this is a bug. Ted?
Robert

From: Eli Zaretskii
To: Robert Pluim
Cc: darael@dracon.is, tzz@lifelogs.com, 33780@debbugs.gnu.org
Date: Mon, 14 Jan 2019 20:51:49 +0200
Message-Id: <837ef7dqd6.fsf@gnu.org>
In-reply-to: (message from Robert Pluim on Mon, 14 Jan 2019 18:40:59 +0100)
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil
> From: Robert Pluim
> Cc: darael@dracon.is, tzz@lifelogs.com, 33780@debbugs.gnu.org
> Date: Mon, 14 Jan 2019 18:40:59 +0100
>
> > I don't think I understood why nsm gets called only in the ":nowait t"
> > case. What did I miss?
>
> process.c has:
>
> #ifdef HAVE_GNUTLS
> static void
> finish_after_tls_connection (Lisp_Object proc)
> {
>   struct Lisp_Process *p = XPROCESS (proc);
>   Lisp_Object contact = p->childp;
>   Lisp_Object result = Qt;
>
>   if (!NILP (Ffboundp (Qnsm_verify_connection)))
>     result = call3 (Qnsm_verify_connection,
>                     proc,
>                     Fplist_get (contact, QChost),
>                     Fplist_get (contact, QCservice));
>
> so loading nsm.el causes nsm-verify-connection to get called in the
> ':nowait t' case. Presumably in the ':nowait nil' case gnutls-boot has
> already completed the tls connection, and finish_after_tls_connection
> never gets called (thatʼs speculation on my part). I donʼt know the
> GnuTLS code well enough to know if this is a bug. Ted?

Ah, okay. No, I don't think this is a bug. So use some way to get
nsm to approve the connection.
From: Robert Pluim
To: Eli Zaretskii
Cc: darael@dracon.is, tzz@lifelogs.com, 33780@debbugs.gnu.org
Date: Tue, 15 Jan 2019 21:31:35 +0100
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil

Eli Zaretskii writes:

>> so loading nsm.el causes nsm-verify-connection to get called in the
>> ':nowait t' case. Presumably in the ':nowait nil' case gnutls-boot has
>> already completed the tls connection, and finish_after_tls_connection
>> never gets called (thatʼs speculation on my part). I donʼt know the
>> GnuTLS code well enough to know if this is a bug. Ted?
>

I can confirm this is what happens: finish_after_tls_connection only
gets called when ':nowait t'.

> Ah, okay. No, I don't think this is a bug. So use some way to get
> nsm to approve the connection.

I do find it unexpected that the low level GnuTLS code only invokes the
nsm for ':nowait t' connections. OTOH 'open-network-stream' works fine,
and uses the nsm, so itʼs not a big deal.

Overriding nsm-query appears not to be enough (itʼs enough when running
the tests interactively, but not in batch mode), I had to override
'nsm-verify-connection'.
Robert
From: Robert Pluim
To: Eli Zaretskii
Cc: darael@dracon.is, tzz@lifelogs.com, 33780@debbugs.gnu.org
Date: Thu, 24 Jan 2019 11:40:55 +0100
In-Reply-To: (Robert Pluim's message of "Tue, 15 Jan 2019 21:31:35 +0100")
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil

tags 33780 fixed
close 33780 27.1
quit

Fix pushed to master as f3f9a3582e along with some tests.

From: Debbugs Internal Request
Subject: Internal Control
Date: Thu, 21 Feb 2019 12:24:05 +0000

bug archived.
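The scoped override of 'nsm-verify-connection' that Robert ends up using for batch-mode tests, as an added Emacs Lisp example that is not code from this thread or from Emacs' own network-stream-tests.el; the `my-` names, the MY_TLS_SERVER environment variable and the localhost:44330 server are assumptions made here.

```elisp
;;; Added example; not code from the bug thread or from Emacs' own
;;; network-stream-tests.el.  Names prefixed `my-' are constructed here.
(require 'ert)
(require 'cl-lib)
(require 'network-stream)   ; loads nsm as a side effect, as the thread notes

(defvar my-nsm-calls nil
  "(HOST . PORT) pairs nsm-verify-connection was asked about in the macro.")

(defmacro my-with-nsm-recorded (&rest body)
  "Run BODY with `nsm-verify-connection' replaced by an approving recorder.
process.c calls nsm's entry point once a `:nowait t' TLS handshake
finishes; in batch mode nsm cannot prompt, so the real function never
approves.  The stub notes the host and port it was asked about and
returns PROCESS, which is how nsm signals approval.  It is in effect
only inside BODY, so certificate checks stay active in every other
test, unlike a file-level (setq network-security-level 'low)."
  `(let ((my-nsm-calls nil))
     (cl-letf (((symbol-function 'nsm-verify-connection)
                (lambda (process host port &rest _)
                  (push (cons host port) my-nsm-calls)
                  process)))
       ,@body)))

(ert-deftest my-nsm-override-is-scoped ()
  "The stub approves and records, and does not leak out of the macro."
  (let ((real (symbol-function 'nsm-verify-connection)))
    (my-with-nsm-recorded
     (should-not (eq (symbol-function 'nsm-verify-connection) real))
     (should (eq (nsm-verify-connection 'fake-proc "example.test" 443)
                 'fake-proc))
     (should (equal my-nsm-calls '(("example.test" . 443)))))
    (should (eq (symbol-function 'nsm-verify-connection) real))))

(ert-deftest my-nowait-tls-reaches-nsm ()
  "A `:nowait t' TLS connection is checked by nsm and kept alive by the stub.
Assumes a TLS server on localhost:44330 (constructed; the real tests
start their own gnutls-serv) and is skipped unless MY_TLS_SERVER is set."
  (skip-unless (getenv "MY_TLS_SERVER"))
  (my-with-nsm-recorded
   (let ((proc (open-network-stream "my-tls" nil "localhost" 44330
                                    :type 'tls :nowait t))
         (deadline (+ (float-time) 5)))
     (unwind-protect
         (progn
           ;; Pump the event loop until nsm has been consulted, the
           ;; process dies, or we time out.
           (while (and (null my-nsm-calls) (process-live-p proc)
                       (< (float-time) deadline))
             (accept-process-output nil 0.1))
           (should (assoc "localhost" my-nsm-calls))
           (should (process-live-p proc)))
       (delete-process proc)))))
```

Run with `emacs -Q --batch -l this-file.el -f ert-run-tests-batch-and-exit`; the first test needs no network, the second is skipped unless the assumed server is up.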