From: Ted Zlatanov
Date: Mon, 13 Feb 2012 21:48:14 +0000 (-0500)
Subject: Introduce and use CA bundle locator `gnutls-trustfiles'.
X-Git-Tag: emacs-pretest-24.0.94~147
X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=7ee99f32e16e182f94aacd01f5bfee61f672c908;p=emacs.git

Introduce and use CA bundle locator `gnutls-trustfiles'.

* net/gnutls.el (gnutls-trustfiles): New variable.
(gnutls-negotiate): Use it.
---

diff --git a/lisp/ChangeLog b/lisp/ChangeLog
index 026d81bc0b4..bbbfb8dd000 100644
--- a/lisp/ChangeLog
+++ b/lisp/ChangeLog
@@ -1,3 +1,8 @@
+2012-02-13 Teodor Zlatanov
+
+ * net/gnutls.el (gnutls-trustfiles): New variable.
+ (gnutls-negotiate): Use it.
+
 2012-02-13 Lars Ingebrigtsen
 
 * simple.el (mail-user-agent): Mention that `gnus-user-agent' only
diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 5f1cb65782e..9b734637103 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -49,7 +49,20 @@ For instance, if you want to skip the \"dhe-rsa\" algorithm, set this variable
 to \"normal:-dhe-rsa\"."
 :group 'gnutls
 :type '(choice (const nil)
- string))
+ string))
+
+(defcustom gnutls-trustfiles
+ '(
+ "/etc/ssl/certs/ca-certificates.crt" ; Debian, Ubuntu, Gentoo and Arch Linux
+ "/etc/pki/tls/certs/ca-bundle.crt" ; Fedora and RHEL
+ "/etc/ssl/ca-bundle.pem" ; Suse
+ )
+ "List of CA bundle location filenames or a function returning said list.
+The files may be in PEM or DER format, as per the GnuTLS documentation.
+The files may not exist, in which case they will be ignored."
+ :group 'gnutls
+ :type '(choice (function :tag "Function to produce list of bundle filenames")
+ (repeat (file :tag "Bundle filename"))))
 
 ;;;###autoload
 (defcustom gnutls-min-prime-bits nil
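Review bot: The docstring of `gnutls-trustfiles` should say what happens when none of the listed bundles exist: the default list covers only a few Linux layouts, and on any other system every entry is filtered out in gnutls-negotiate, so the handshake is attempted with no CA bundle at all, and whether the C side then verifies against an empty store or skips verification is not visible in this patch. I would follow `The files may not exist, in which case they will be ignored.` with `If no listed file exists, `gnutls-negotiate' receives no CA bundle; point this variable at your system's bundle so certificate verification has something to check against.` As a point of style, the `'(` / `)` layout with the closing paren on its own line is unusual for Elisp; the closing paren normally ends the last element's line. The `- string))` / `+ string))` pair looks like a whitespace-only re-indent and needs no review.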
@@ -118,7 +131,7 @@ TYPE is `gnutls-x509pki' (default) or `gnutls-anon'. Use nil for the default.
 PROCESS is a process returned by `open-network-stream'.
 HOSTNAME is the remote hostname. It must be a valid string.
 PRIORITY-STRING is as per the GnuTLS docs, default is \"NORMAL\".
-TRUSTFILES is a list of CA bundles.
+TRUSTFILES is a list of CA bundles. It defaults to `gnutls-trustfiles'.
 CRLFILES is a list of CRL files.
 KEYLIST is an alist of (client key file, client cert file) pairs.
 MIN-PRIME-BITS is the minimum acceptable size of Diffie-Hellman keys
@@ -156,18 +169,20 @@ here's a recent version of the list.
 It must be omitted, a number, or nil; if omitted or nil it defaults to
 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
 (let* ((type (or type 'gnutls-x509pki))
- (default-trustfile "/etc/ssl/certs/ca-certificates.crt")
 (trustfiles (or trustfiles
- (when (file-exists-p default-trustfile)
- (list default-trustfile))))
+ (delq nil
+ (mapcar (lambda (f) (and f (file-exists-p f) f))
+ (if (functionp gnutls-trustfiles)
+ (funcall gnutls-trustfiles)
+ gnutls-trustfiles)))))
 (priority-string (or priority-string
 (cond
 ((eq type 'gnutls-anon)
 "NORMAL:+ANON-DH:!ARCFOUR-128")
 ((eq type 'gnutls-x509pki)
- (if gnutls-algorithm-priority
- (upcase gnutls-algorithm-priority)
- "NORMAL")))))
+ (if gnutls-algorithm-priority
+ (upcase gnutls-algorithm-priority)
+ "NORMAL")))))
 (min-prime-bits (or min-prime-bits gnutls-min-prime-bits))
 (params `(:priority ,priority-string
 :hostname ,hostname
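Review bot: `TRUSTFILES is a list of CA bundles. It defaults to `gnutls-trustfiles'.` overstates the default: per the `let*` binding in the next hunk, the default is the subset of `gnutls-trustfiles` (or of the list its function returns) whose files exist, which may be empty. I would write `It defaults to those entries of `gnutls-trustfiles' that exist on this system.` so a reader of the docstring knows the variable is filtered rather than used verbatim.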
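Review bot: The `(and f (file-exists-p f) f)` filter keeps entries that exist but are directories or unreadable, so a listed bundle with restrictive permissions is still handed to GnuTLS rather than ignored as the new docstring promises; `file-readable-p` matches the stated contract: `(mapcar (lambda (f) (and f (file-readable-p f) f))`. When the filtered list comes out empty, which is the case on any system lacking the three default paths or with a `gnutls-trustfiles` function that returns nil, `trustfiles` is bound to nil silently, as it was before the change, and nothing here tells the user that the connection is being negotiated with no CA bundle; emitting a `message` or warning at that point would make a missing trust store visible instead of letting verification degrade quietly. What the C side does with a nil trust list is not visible in this hunk, and gnutls-negotiate's body continues beyond it. The priority-string lines appear to be a whitespace-only re-indent.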