retitle 35787 26.2; gnutls: accessing raw server certificate data
reassign 35787 emacs
submitter 35787 Julian Scheid
severity 35787 wishlist
tag 35787 fixed
thanks

From: Julian Scheid
To: bug-gnu-emacs@gnu.org
Subject: 26.2; gnutls: accessing raw server certificate data
Date: Sat, 18 May 2019 13:48:47 +1200

Hello, I would like to request a feature: accessing the raw certificate
of a server connected to via `gnutls-negotiate' (or such).

Currently, `gnutls-peer-status' only allows accessing high-level
information extracted from the certificate, such as the issuer, but not
the certificate data itself.

Access to the raw certificate data would allow implementing the
`tls-server-endpoint' channel binding type as per
https://tools.ietf.org/html/rfc5929#section-4.1 , which requires

> [t]he hash of the TLS server's certificate [RFC5280] as it
> appears, octet for octet, in the server's Certificate message.  Note
> that the Certificate message contains a certificate_list, in which
> the first element is the server's certificate.

From: Lars Ingebrigtsen
To: Julian Scheid
Cc: 35787@debbugs.gnu.org
Subject: Re: bug#35787: 26.2; gnutls: accessing raw server certificate data
Date: Tue, 09 Jul 2019 04:42:58 +0200

Julian Scheid writes:

> Hello, I would like to request a feature: accessing the raw certificate
> of a server connected to via `gnutls-negotiate' (or such).
>
> Currently, `gnutls-peer-status' only allows accessing high-level
> information extracted from the certificate, such as the issuer, but not
> the certificate data itself.

Other details are returned in the process object, like
gnutls_x509_crt_get_fingerprint of the certificate.

> Access to the raw certificate data would allow implementing the
> `tls-server-endpoint' channel binding type as per
> https://tools.ietf.org/html/rfc5929#section-4.1 , which requires
>> [t]he hash of the TLS server's certificate [RFC5280] as it
>> appears, octet for octet, in the server's Certificate message.  Note
>> that the Certificate message contains a certificate_list, in which
>> the first element is the server's certificate.

Does this hash relate in any way to gnutls_x509_crt_get_fingerprint?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

From: Julian Scheid
To: Lars Ingebrigtsen
Cc: 35787@debbugs.gnu.org
Subject: Re: bug#35787: 26.2; gnutls: accessing raw server certificate data
Date: Mon, 8 Jul 2019 22:20:46 -0600

On Mon, Jul 8, 2019 at 8:43 PM Lars Ingebrigtsen wrote:
>
> Julian Scheid writes:
> > Currently, `gnutls-peer-status' only allows accessing high-level
> > information extracted from the certificate, such as the issuer, but not
> > the certificate data itself.
>
> Other details are returned in the process object, like
> gnutls_x509_crt_get_fingerprint of the certificate.

Thanks for pointing this out, but it appears to be hardwired to use
SHA-1 when RFC 5929 requires the hash to use signatureAlgorithm,
or SHA-256 when signatureAlgorithm is MD5 or SHA-1.

> Does this hash relate in any way to gnutls_x509_crt_get_fingerprint?

I _think_ gnutls_x509_crt_get_fingerprint could be used here, although
I haven't verified yet that it satisfies the following requirement
from RFC 5929:

> The hash of the TLS server's certificate [RFC5280] as it appears,
> octet for octet, in the server's Certificate message.

I would assume that it does, though.

So, to make this work it looks like I'd need either

1) the fingerprint, but using the hash function as required by the RFC, or
2) the certificate as a binary blob.

Thanks again,

Julian

From: Lars Ingebrigtsen
To: Julian Scheid
Cc: 35787@debbugs.gnu.org
Subject: Re: bug#35787: 26.2; gnutls: accessing raw server certificate data
Date: Tue, 09 Jul 2019 15:44:42 +0200

Julian Scheid writes:

> So, to make this work it looks like I'd need either
>
> 1) the fingerprint, but using the hash function as required by the RFC, or
> 2) the certificate as a binary blob.

I think putting the signature itself in the process object (in addition
to all the details) makes some sense, but perhaps it wastes unnecessary
memory...

There's gnutls-peer-status, and that could also be amended to return the
full certificate.  But, again, that's also called for virtually any TLS
connection.

Perhaps a new function to return the actual certificate?  And perhaps it
should just return the entire certificate chain?

Anybody got an opinion here?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

From: Lars Ingebrigtsen
To: Julian Scheid
Cc: 35787@debbugs.gnu.org
Subject: Re: bug#35787: 26.2; gnutls: accessing raw server certificate data
Date: Tue, 24 Sep 2019 07:44:22 +0200

Lars Ingebrigtsen writes:

> There's gnutls-peer-status, and that could also be amended to return the
> full certificate.  But, again, that's also called for virtually any TLS
> connection.

This has been added now in conjunction with the more extensive NSM
checks.  gnutls-peer-status now returns the entire certificate in Emacs
27.

(:certificates
 ((:version 3
   :serial-number "01:a7:8a:7f:5e:bb:b7:ba:02:00:00:00:00:42:ff:ed"
   :issuer "C=US,O=Google Trust Services,CN=GTS CA 1O1"
   :valid-from "2019-09-05"
   :valid-to "2019-11-28"
   :subject "C=US,ST=California,L=Mountain View,O=Google LLC,CN=www.google.com"
   :public-key-algorithm "EC/ECDSA"
   :certificate-security-level "High"
   :signature-algorithm "RSA-SHA256"
   :public-key-id "sha1:11:9e:12:6c:be:0c:66:5e:8f:94:c4:61:7a:98:ae:e5:ba:7b:20:98"
   :certificate-id "sha1:e3:70:d8:55:59:f9:0b:64:da:d4:52:22:55:ac:c1:23:57:d4:a3:c6"
   :pem "-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----\n")
  (:version 3
   :serial-number "01:e3:b4:9a:a1:8d:8a:a9:81:25:69:50:b8"
   :issuer "OU=GlobalSign Root CA - R2,O=GlobalSign,CN=GlobalSign"
   :valid-from "2017-06-15"
   :valid-to "2021-12-15"
   :subject "C=US,O=Google Trust Services,CN=GTS CA 1O1"
   :public-key-algorithm "RSA"
   :certificate-security-level "Medium"
   :signature-algorithm "RSA-SHA256"
   :public-key-id "sha1:02:8d:a9:cf:40:24:76:cc:18:27:6a:db:ac:85:c5:a3:e8:9d:66:a2"
   :certificate-id "sha1:df:e2:07:0c:79:e7:ff:36:a9:25:ff:a3:27:ff:e3:de:ec:f8:f9:c2"
   :pem "-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----\n"))
 :certificate
 (:version 3
  :serial-number "01:a7:8a:7f:5e:bb:b7:ba:02:00:00:00:00:42:ff:ed"
  :issuer "C=US,O=Google Trust Services,CN=GTS CA 1O1"
  :valid-from "2019-09-05"
  :valid-to "2019-11-28"
  :subject "C=US,ST=California,L=Mountain View,O=Google LLC,CN=www.google.com"
  :public-key-algorithm "EC/ECDSA"
  :certificate-security-level "High"
  :signature-algorithm "RSA-SHA256"
  :public-key-id "sha1:11:9e:12:6c:be:0c:66:5e:8f:94:c4:61:7a:98:ae:e5:ba:7b:20:98"
  :certificate-id "sha1:e3:70:d8:55:59:f9:0b:64:da:d4:52:22:55:ac:c1:23:57:d4:a3:c6"
  :pem "-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----\n")
 :key-exchange "ECDHE-RSA"
 :protocol "TLS1.3"
 :cipher "AES-256-GCM"
 :mac "AEAD"
 :encrypt-then-mac nil)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

From: Lars Ingebrigtsen
To: control@debbugs.gnu.org
Subject: control message for bug #35787
Date: Tue, 24 Sep 2019 07:44:28 +0200

tags 35787 fixed
close 35787 27.1
quit
c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=yV2AOGRTaXleDT69qkwxhhtk5QIBGzHRRaMRbBX52Tc=; b=CCID/OlYZhSKBR4jS4lmFeUb+1AKbETqVLy/aYR2KYOVdA/2UBiZPU1qLGAEpJQ9en hMl8PTW5nsCAOJrfMawXkaBkz6Fgo7DtPpjsXrdsCmHubbNKh1lhuwIqLpWS2M306onu DFGvk+1s2qbHQAzF78g5QYfYcFs31EeKGrfhwDiBkoHYrkeBM97tokY/A26T5cNoP/AZ WWWZj5yYgBYIP6cDf7qNPjOt9eez3pnCIgSMoatWxlF3OOP8ugKs5C0sbDvRffRuG2Li MUUONz/YQnUGhM9oih3syPBg8I8SRk8R3e5Wbr8M9CXSs8BEaTkfj/7Cf3OSKxW8I6JR D+cg== X-Gm-Message-State: APjAAAXofbCSC5Hz5k0OATqsfSSr1ZntUUm4DtvKeCCMNyd+61qVS3sI 88gGKCsGFqo+j8AXSd0hzlRucKOUXRIYyINso9k= X-Google-Smtp-Source: APXvYqwtreqylIHBLfz1nf/Nit7pxzA7sT/lLQeH7708R8JTxq3iFgnJMEkOkZsEXfe5UkJcXwTkYY/yfFxhdcJaIrI= X-Received: by 2002:a6b:7509:: with SMTP id l9mr1947907ioh.34.1569310611075; Tue, 24 Sep 2019 00:36:51 -0700 (PDT) MIME-Version: 1.0 References: <87r270dj2l.fsf@mouse.gnus.org> <87d0fq45ah.fsf@gnus.org> In-Reply-To: <87d0fq45ah.fsf@gnus.org> From: Julian Scheid Date: Tue, 24 Sep 2019 19:36:38 +1200 Message-ID: Subject: Re: bug#35787: 26.2; gnutls: accessing raw server certificate data To: Lars Ingebrigtsen Content-Type: multipart/alternative; boundary="00000000000083fcec059347996f" X-Spam-Score: 0.3 (/) X-Debbugs-Envelope-To: 35787 Cc: 35787@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) --00000000000083fcec059347996f Content-Type: text/plain; charset="UTF-8" On Tue, Sep 24, 2019 at 5:44 PM Lars Ingebrigtsen wrote: > Lars Ingebrigtsen writes: > > > There's gnutls-peer-status, and that could also be amended to return the > > full certificate. But, again, that's also called for virtually any TLS > > connection. 
> > This has been added now in conjunction with the more extensive NSM > checks. gnutls-peer-status now returns the entire certificate in Emacs > 27. > Amazing, thank you! --00000000000083fcec059347996f Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

From unknown Thu Sep 11 13:39:47 2025
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Message-Id: bug archived.
Date: Tue, 22 Oct 2019 11:24:11 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
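
Added example (not code from this thread or from Emacs itself): with `:pem` present in the `gnutls-peer-status` result, as in the output quoted in the thread, a caller can derive a SHA-256 fingerprint of the leaf certificate and compare it against a pinned value. The `my/` function names and the sample plist are constructed for illustration; on a live TLS connection pass `(gnutls-peer-status PROCESS)` instead of the sample.

```elisp
;; Assumption: Emacs 27 or later, where the :certificate plist carries :pem.

(defun my/pem-to-der (pem)
  "Return the DER bytes encoded in the PEM certificate string PEM."
  (unless (string-match
           "-----BEGIN CERTIFICATE-----\\([^-]+\\)-----END CERTIFICATE-----"
           pem)
    (error "No PEM certificate block found"))
  ;; Drop line breaks before decoding the base64 body.
  (base64-decode-string
   (replace-regexp-in-string "[ \t\r\n]" "" (match-string 1 pem))))

(defun my/peer-cert-sha256 (status)
  "Return the SHA-256 hex digest of the leaf certificate in STATUS.
STATUS is a plist shaped like the return value of `gnutls-peer-status'."
  (let ((pem (plist-get (plist-get status :certificate) :pem)))
    (unless pem
      (error "Peer status has no :pem entry (Emacs older than 27?)"))
    (secure-hash 'sha256 (my/pem-to-der pem))))

(defun my/check-pin (status expected-sha256)
  "Signal an error unless the leaf certificate in STATUS matches EXPECTED-SHA256.
Return the computed digest on success."
  (let ((actual (my/peer-cert-sha256 status)))
    (unless (string= (downcase expected-sha256) actual)
      (error "Certificate pin mismatch: got %s" actual))
    actual))

;; Constructed stand-in for a `gnutls-peer-status' result.  The PEM body
;; wraps placeholder bytes, not a real certificate.
(defvar my/sample-der "constructed bytes, not a real certificate")

(defvar my/sample-status
  (list :certificate
        (list :subject "CN=example.invalid"
              :pem (concat "-----BEGIN CERTIFICATE-----\n"
                           (base64-encode-string my/sample-der)
                           "\n-----END CERTIFICATE-----\n"))))

;; The pin is the digest of the raw DER bytes, so this check succeeds and
;; returns the digest; any other pin value signals an error.
(my/check-pin my/sample-status (secure-hash 'sha256 my/sample-der))
```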