As a workaround for the bug/feature of openssl not failing on a certificate verification error, one might use gnutls-cli (package gnutls-bin) instead.

,----
| (setq ssl-program-name "gnutls-cli")
| (setq ssl-program-arguments
|       '("--port" service "--x509cafile" "/etc/ssl/certs/ca-certificates.crt" host))
`----

Setting the --x509cafile is hereby crucial: unless the --insecure option is given on the command line, gnutls refuses to establish a connection with an endpoint whose identity cannot be checked.

Making gnutls the default seems reasonable to me, and as far as my experience with openssl vs. gnutls goes they are equivalent.[1] The big problem would be a significant change in behaviour: connections that worked up to now because ssl.el/openssl silently ignored errors will not work unless the user takes steps to fix the problematic use of SSL that was facilitated by s_client and therefore should be considered the normal usage. Pointing to the system-wide --x509cafile may ease this problem with regard to endpoints whose certificate is digitally signed by a CA present in /etc/ssl/certs/ca-certificates.crt. But I fear that a lot of local setups will break.

Maybe make the wl-beta and wl packages additionally suggest gnutls-bin as an alternative to openssl as a first step?

-- David

[1] The only problem I encountered so far was gnutls refusing to connect to an endpoint that offered a session encryption key that was considered too small by gnutls. A problem that was quickly solved by the admin of the endpoint.

--
OpenPGP... 0x99ADB83B5A4478E6
Jabber.... dmj...@jabber.org
Email..... maus.da...@gmail.com
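As an added example (not from David's post and not Wanderlust code), here is a POSIX shell counterpart of the fail-closed behaviour the post attributes to gnutls-cli, built on openssl s_client itself: a transcript check that accepts nothing but "Verify return code: 0 (ok)", and a wrapper that passes the same system CA bundle plus -verify_return_error so s_client aborts on a chain failure instead of chatting on. It assumes an OpenSSL whose s_client supports -verify_return_error; the two transcripts are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: make openssl s_client fail closed, the way gnutls-cli does
# unless --insecure is given. Not code from the original post.

CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt   # same bundle the post hands to --x509cafile

# Constructed s_client trailers (not real captures): one clean chain, one failed chain.
OK_TRANSCRIPT='SSL handshake has read 3197 bytes and written 433 bytes
---
    Verify return code: 0 (ok)
---'
BAD_TRANSCRIPT='SSL handshake has read 1534 bytes and written 433 bytes
---
    Verify return code: 19 (self signed certificate in certificate chain)
---'

# verify_ok TRANSCRIPT: succeed only if openssl reported a clean chain.
# Any error code, or a transcript with no Verify line at all, counts as failure,
# which is the check s_client itself does not enforce by default.
verify_ok() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*Verify return code: 0 (ok)'
}

# strict_s_client HOST PORT: connect with the system CA bundle and let
# -verify_return_error turn a verification error into a failed connection.
# Assumes an OpenSSL whose s_client knows -verify_return_error (not run here).
strict_s_client() {
    openssl s_client -connect "$1:$2" -servername "$1" \
        -CAfile "$CA_BUNDLE" -verify_return_error
}
```

Run verify_ok over saved s_client transcripts to find connections that were accepted despite a failed chain; strict_s_client is the live, fail-closed form of the same check.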