GNU bug report logs - #76278
29.4; ERC 5.5.0.29.1: ERC Manual does not mention usage of .pem client certificates


Package: emacs;

Reported by: Archie Halliwell <archie <at> halliwell.com.au>

Date: Fri, 14 Feb 2025 05:10:02 UTC

Severity: wishlist

Found in version 29.4

Done: "J.P." <jp <at> neverwas.me>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 76278 in the body.
You can then email your comments to 76278 AT debbugs.gnu.org in the normal way.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#76278; Package emacs. (Fri, 14 Feb 2025 05:10:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Archie Halliwell <archie <at> halliwell.com.au>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Fri, 14 Feb 2025 05:10:03 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Archie Halliwell <archie <at> halliwell.com.au>
To: bug-gnu-emacs <at> gnu.org
Subject: 29.4; ERC 5.5.0.29.1: ERC Manual does not mention usage of .pem
 client certificates
Date: Fri, 14 Feb 2025 14:43:32 +1100
Hello,

The ERC Manual does not explain how to use .pem client certificates,
only how to use the combination of a .crt certificate and .key private
key. This is confusing as Libera.Chat's CertFP instructions only mention
the use of a .pem file, instructing users on how to create an
appropriate one.

The manual should really mention that a .pem file can be used as both
files in the client-certificate list.

When I was trying to set up CertFP I ended up trying to create a .crt
and .key from the .pem I had previously created, and could not connect
using them (presumably I had not created them properly). I imagine that
other users have run into this issue in the past, and have either given
up or had to ask for help on #erc as I did.


In GNU Emacs 29.4 (build 1, x86_64-pc-linux-gnu, Motif Version 2.3.8,
cairo version 1.18.0) of 2024-10-03 built on localhost
Windowing system distributor 'The X.Org Foundation', version 11.0.12401004
System Description: Gentoo Linux

Configured using:
'configure --prefix=/usr --build=x86_64-pc-linux-gnu
--host=x86_64-pc-linux-gnu --mandir=/usr/share/man
--infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc
--localstatedir=/var/lib --datarootdir=/usr/share
--disable-silent-rules --docdir=/usr/share/doc/emacs-29.4
--htmldir=/usr/share/doc/emacs-29.4/html --libdir=/usr/lib64
--program-suffix=-emacs-29 --includedir=/usr/include/emacs-29
--infodir=/usr/share/info/emacs-29 --localstatedir=/var
--enable-locallisppath=/etc/emacs:/usr/share/emacs/site-lisp
--without-compress-install --without-hesiod --without-pop
--with-file-notification=inotify --with-pdumper --enable-acl
--with-dbus --without-modules --without-gameuser --with-libgmp
--with-gpm --without-native-compilation --without-json --with-kerberos
--with-kerberos5 --with-lcms2 --without-xml2 --without-mailutils
--without-selinux --without-sqlite3 --with-gnutls --without-libsystemd
--with-threads --without-tree-sitter --without-wide-int
--with-sound=alsa --with-zlib --with-x --without-pgtk --without-ns
--without-gconf --without-gsettings --without-toolkit-scroll-bars
--with-xpm --with-xft --with-cairo --without-harfbuzz --without-libotf
--without-m17n-flt --with-x-toolkit=motif --with-gif --with-jpeg
--with-png --with-rsvg --with-tiff --without-webp --without-imagemagick
--with-dumping=pdumper 'CFLAGS=-O2 -pipe -march=native -fno-fast-math
-ffp-contract=off' CPPFLAGS= 'LDFLAGS=-Wl,-O1 -Wl,--as-needed
-Wl,-z,pack-relative-relocs''

Configured features:
ACL CAIRO DBUS FREETYPE GIF GLIB GMP GNUTLS GPM JPEG LCMS2 NOTIFY
INOTIFY PDUMPER PNG RSVG SECCOMP SOUND THREADS TIFF X11 XDBE XIM XINPUT2
XPM MOTIF ZLIB

Important settings:
value of $LC_MONETARY: en_AU.UTF-8
value of $LANG: en_AU.utf8
locale-coding-system: utf-8-unix

Major mode: ERC






Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#76278; Package emacs. (Fri, 14 Feb 2025 08:35:02 GMT) Full text and rfc822 format available.

Message #8 received at 76278 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Archie Halliwell <archie <at> halliwell.com.au>,
 "J.P." <jp <at> neverwas.me>
Cc: 76278 <at> debbugs.gnu.org
Subject: Re: bug#76278: 29.4;
 ERC 5.5.0.29.1: ERC Manual does not mention usage of .pem client
 certificates
Date: Fri, 14 Feb 2025 10:34:01 +0200
> Date: Fri, 14 Feb 2025 14:43:32 +1100
> From: Archie Halliwell <archie <at> halliwell.com.au>
> 
> The ERC Manual does not explain how to use .pem client certificates,
> only how to use the combination of a .crt certificate and .key private
> key. This is confusing as Libera.Chat's CertFP instructions only mention
> the use of a .pem file, instructing users on how to create an
> appropriate one.
> 
> The manual should really mention that a .pem file can be used as both
> files in the client-certificate list.

Does ERC use the .pem file directly, or does it use it indirectly,
through some GnuTLS interface?  If the latter, then the source might
not be from a .pem file, but instead from some equivalent OS service
(this happens on MS-Windows, for example).  So the manual should not
cause users of such systems to go look for a .pem file that might not
even exist, or be irrelevant.

Apologies if the above makes no sense: I don't use ERC and know very
little about it.

Thanks.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#76278; Package emacs. (Sat, 15 Feb 2025 00:08:02 GMT) Full text and rfc822 format available.

Message #11 received at 76278 <at> debbugs.gnu.org (full text, mbox):

From: Archie Halliwell <archie <at> halliwell.com.au>
To: Eli Zaretskii <eliz <at> gnu.org>, "J.P." <jp <at> neverwas.me>
Cc: 76278 <at> debbugs.gnu.org
Subject: Re: bug#76278: 29.4; ERC 5.5.0.29.1: ERC Manual does not mention
 usage of .pem client certificates
Date: Sat, 15 Feb 2025 11:07:20 +1100
On 14/2/25 19:34, Eli Zaretskii wrote:
>> Date: Fri, 14 Feb 2025 14:43:32 +1100
>> From: Archie Halliwell <archie <at> halliwell.com.au>
>>
>> The ERC Manual does not explain how to use .pem client certificates,
>> only how to use the combination of a .crt certificate and .key private
>> key. This is confusing as Libera.Chat's CertFP instructions only mention
>> the use of a .pem file, instructing users on how to create an
>> appropriate one.
>>
>> The manual should really mention that a .pem file can be used as both
>> files in the client-certificate list.
> Does ERC use the .pem file directly, or does it use it indirectly,
> through some GnuTLS interface?  If the latter, then the source might
> not be from a .pem file, but instead from some equivalent OS service
> (this happens on MS-Windows, for example).  So the manual should not
> cause users of such systems to go look for a .pem file that might not
> even exist, or be irrelevant.
>
> Apologies if the above makes no sense: I don't use ERC and know very
> little about it.
>
> Thanks.
I believe that ERC uses GnuTLS, however the filenames are either 
specified in the client-certificate argument to ,,erc-tls,, or found in 
.authinfo.gpg. The manual gives examples using .key and .crt files, but 
not using .pem files. There is mention of using other services to 
provide certificates using auth-service, however auth-service seems to 
have disappeared and all links to it are broken. Libera.Chat's 
instructions mention the creation of .pem files on Windows as well, so I 
expect that specifying a .pem file through the client-certificate keyword
argument is the "correct" way on all platforms.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#76278; Package emacs. (Sat, 15 Feb 2025 03:48:02 GMT) Full text and rfc822 format available.

Message #14 received at 76278 <at> debbugs.gnu.org (full text, mbox):

From: "J.P." <jp <at> neverwas.me>
To: Archie Halliwell <archie <at> halliwell.com.au>
Cc: Eli Zaretskii <eliz <at> gnu.org>, emacs-erc <at> gnu.org, 76278 <at> debbugs.gnu.org
Subject: Re: bug#76278: 29.4; ERC 5.5.0.29.1: ERC Manual does not mention
 usage of .pem client certificates
Date: Fri, 14 Feb 2025 19:47:08 -0800
Hi Archie,

Archie Halliwell <archie <at> halliwell.com.au> writes:

> On 14/2/25 19:34, Eli Zaretskii wrote:
>>> Date: Fri, 14 Feb 2025 14:43:32 +1100
>>> From: Archie Halliwell <archie <at> halliwell.com.au>
>>>
>>> The ERC Manual does not explain how to use .pem client certificates,
>>> only how to use the combination of a .crt certificate and .key private
>>> key. This is confusing as Libera.Chat's CertFP instructions only mention
>>> the use of a .pem file, instructing users on how to create an
>>> appropriate one.
>>>
>>> The manual should really mention that a .pem file can be used as both
>>> files in the client-certificate list.
>> Does ERC use the .pem file directly, or does it use it indirectly,
>> through some GnuTLS interface?  If the latter, then the source might
>> not be from a .pem file, but instead from some equivalent OS service
>> (this happens on MS-Windows, for example).  So the manual should not
>> cause users of such systems to go look for a .pem file that might not
>> even exist, or be irrelevant.
>>
>> Apologies if the above makes no sense: I don't use ERC and know very
>> little about it.
>>
>> Thanks.
> I believe that ERC uses GnuTLS, however the filenames are either specified in
> the client-certificate argument to ,,erc-tls,, or found in .authinfo.gpg. The
> manual gives examples using .key and .crt files, but not using .pem files.
> There is mention of using other services to provide certificates using
> auth-service, however auth-service seems to have disappeared and all links to
> it are broken. Libera.Chat's instructions mention the creation of .pem files
> on Windows as well, so I expect that specifying a .pem file through the
> client-certificate keyword argument is the "correct" way on all platforms.

ERC supposedly relies on a generalized underlying transport to provide a
network process for exchanging IRC protocol messages with a server. In
practice, it's only equipped to handle TCP streams and defers to an
`open-network-stream'-compatible "opener" to create the necessary goods.

The opener for TLS encrypted streams is `erc-open-tls-stream', a thin
wrapper around `open-network-stream'. In this case, ERC passes the
:client-certificate from `erc-tls' directly to `open-network-stream',
which ultimately relies on `network-stream-certificate' to transform it
into something suitable for the :keylist parameter of `gnutls-boot'.
FWIW, the doc string of `gnutls-boot' does mention that

  :keylist is an alist of PEM-encoded key files and PEM-encoded
  certificates for ‘gnutls-x509pki’

which comports with its calling gnutls_certificate_set_x509_key_file2
and friends with a hard-coded GNUTLS_X509_FMT_PEM, although there's a
friendly note saying

  /* TODO: GNUTLS_X509_FMT_DER is also an option.  */

In any case, this info is likely one too many clicks removed from ERC's
docs. So, I think it makes sense for us to mention the format must be
PEM and that the key and the cert can be the same concatenated file.

In terms of file-name extensions, it's true that the examples on
Libera's site (and OFTC's) all appear to be .pem. OpenSSL's man pages
use .pem when contrasting it with .der, although the format is typically
declared explicitly with options like -outform. The .key and .crt
extensions in ERC's manual may originate from the docs of other IRC
clients or from the world of domain-name validation. Either way, I agree
we should probably change them all to .pem.

As for the broken auth-source hyperlinks, I'm not sure they're fixable
on ERC's side (ditto for all other non-ERC links). FWIW, they should
only be broken on https://elpa.gnu.org/packages/doc/erc.html. The ones
on https://www.gnu.org/software/emacs/manual/html_mono/erc.html and in
the Info manual (info "(erc) client-certificate") should work fine.

Anyway, the attached patch includes the mentioned changes, which are
mostly mechanical in nature. Please give feedback if you can.

Thanks,
J.P.

[0001-5.6.1-Use-.pem-extension-for-client-certs-in-ERC-doc.patch (text/x-patch, attachment)]
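
The arrangement discussed in the message above (one PEM file holding both the private key and the certificate, named twice in :client-certificate), as an added Emacs Lisp example that is not part of this thread, the attached patch, or ERC itself. The `my-erc-*' names, the server and port, and the file name are assumptions; the check rejects a file with no PEM blocks, such as a DER-encoded one, or a file missing either block before the list is handed to `erc-tls'.

```elisp
;;; -*- lexical-binding: t; -*-
;; Added example, not ERC code.  The my-erc-* names, the server and port,
;; and the file name are assumptions for illustration.
(require 'erc)
(require 'seq)

(defun my-erc-pem-blocks (file)
  "Return the labels of the PEM blocks found in FILE, in order."
  (with-temp-buffer
    (insert-file-contents-literally file)
    (goto-char (point-min))
    (let (found)
      (while (re-search-forward
              "^-----BEGIN \\([A-Z0-9 ]+\\)-----[ \t\r]*$" nil t)
        (let ((label (match-string 1)))
          ;; Count a block only when its matching END line is present.
          (unless (re-search-forward
                   (concat "^-----END " (regexp-quote label) "-----") nil t)
            (error "%s: unterminated PEM block %S" file label))
          (push label found)))
      (nreverse found))))

(defun my-erc-pem-client-certificate (file)
  "Return a (KEY CERT) list naming FILE twice, for `erc-tls'.
Signal an error unless FILE holds both a PEM private key and a PEM
certificate, the encoding the :keylist of `gnutls-boot' expects."
  (let* ((file (expand-file-name file))
         (found (my-erc-pem-blocks file)))
    (cond
     ((null found)
      (error "%s: no PEM blocks (DER-encoded, or not a key/cert file?)" file))
     ((not (seq-some (lambda (l) (string-suffix-p "PRIVATE KEY" l)) found))
      (error "%s: no PEM private key block" file))
     ((not (member "CERTIFICATE" found))
      (error "%s: no PEM certificate block" file)))
    ;; The same concatenated file serves as both key and certificate.
    (list file file)))

(defun my-erc-libera ()
  "Connect with a combined PEM client certificate (hypothetical path)."
  (interactive)
  (erc-tls :server "irc.libera.chat" :port 6697
           :client-certificate
           (my-erc-pem-client-certificate "~/.config/erc/libera.pem")))
```

Evaluating `(my-erc-pem-blocks FILE)' on a file that fails to connect shows whether it is PEM at all and which blocks it holds.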

Severity set to 'wishlist' from 'normal' Request was from Stefan Kangas <stefankangas <at> gmail.com> to control <at> debbugs.gnu.org. (Wed, 19 Feb 2025 02:11:02 GMT) Full text and rfc822 format available.

Reply sent to "J.P." <jp <at> neverwas.me>:
You have taken responsibility. (Sat, 01 Mar 2025 18:16:02 GMT) Full text and rfc822 format available.

Notification sent to Archie Halliwell <archie <at> halliwell.com.au>:
bug acknowledged by developer. (Sat, 01 Mar 2025 18:16:03 GMT) Full text and rfc822 format available.

Message #21 received at 76278-done <at> debbugs.gnu.org (full text, mbox):

From: "J.P." <jp <at> neverwas.me>
To: Archie Halliwell <archie <at> halliwell.com.au>
Cc: Eli Zaretskii <eliz <at> gnu.org>, emacs-erc <at> gnu.org, 76278-done <at> debbugs.gnu.org
Subject: Re: bug#76278: 29.4; ERC 5.5.0.29.1: ERC Manual does not mention
 usage of .pem client certificates
Date: Sat, 01 Mar 2025 10:15:16 -0800
"J.P." <jp <at> neverwas.me> writes:

> Anyway, the attached patch includes the mentioned changes, which are
> mostly mechanical in nature. Please give feedback if you can.

I installed something similar as

  https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1f60f86a

Thanks and closing




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 30 Mar 2025 11:24:36 GMT) Full text and rfc822 format available.
