As a workaround for the bug/feature of openssl of not failing on a
certificate verification error one might use gnutls_cli (package
gnutls-bin) instead.
,----
| ;; ssl.el evaluates each element of ssl-program-arguments with the
| ;; symbols `host' and `service' bound to the endpoint being contacted.
| (setq ssl-program-name "gnutls-cli")
| (setq ssl-program-arguments
|       '("--port" service
|         "--x509cafile" "/etc/ssl/certs/ca-certificates.crt"
|         host))
`----

Setting --x509cafile is crucial here: unless the --insecure option is
given on the command line, gnutls refuses to establish a connection
with an endpoint whose identity cannot be checked.

Making gnutls the default seems reasonable to me and as far as my
experience with openssl vs. gnutls goes they are equivalent.[1]

The big problem would be a significant change in behaviour: connections
that worked up to now because ssl.el/openssl silently ignored errors
will not work unless the user takes steps to fix the problematic use of
SSL that was facilitated by s_client and therefore should be considered
the normal usage.

Pointing to the system-wide --x509cafile may ease this problem with
regard to endpoints whose certificate is digitally signed by a CA
present in /etc/ssl/certs/ca-certificates.crt.  But I fear that a lot
of local setups will break.

Maybe make the wl-beta and wl packages additionally suggest gnutls-bin
as an alternative to openssl as a first step?

 -- David

[1] The only problem I encountered so far was gnutls refusing to
connect to an endpoint that offered a session encryption key that was
considered too small by gnutls, a problem that was quickly solved by
the admin of the endpoint.


--
OpenPGP... 0x99ADB83B5A4478E6
Jabber.... dmj...@jabber.org
Email..... maus.da...@gmail.com
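Added example, not part of David's message: a small POSIX shell wrapper that gives openssl s_client the fail-closed behaviour the message asks for from gnutls-cli, by refusing to accept a session unless the "Verify return code" line reports success. The two sample transcripts and the host name mail.example.invalid are constructed for illustration.

```shell
# Constructed sample of s_client output for a self-signed endpoint.
# openssl s_client still exits 0 in this case, which is the behaviour
# the message above calls a bug/feature.
SAMPLE_SELF_SIGNED='depth=0 CN = mail.example.invalid
verify error:num=18:self signed certificate
verify return:1
---
Verify return code: 18 (self signed certificate)'

# Constructed sample of s_client output for a properly chained certificate.
SAMPLE_OK='depth=0 CN = mail.example.invalid
verify return:1
---
Verify return code: 0 (ok)'

# Read s_client output on stdin; succeed only when the chain verified.
sclient_verified() {
    grep -q '^Verify return code: 0 (ok)'
}

# Connect like gnutls-cli --x509cafile would: abort unless the peer
# certificate chains to the system CA bundle.  Arguments: host port.
tls_probe() {
    host=$1
    port=$2
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -CAfile /etc/ssl/certs/ca-certificates.crt </dev/null 2>/dev/null)
    if printf '%s\n' "$out" | sclient_verified; then
        printf '%s\n' "$out"
    else
        printf 'TLS verification failed for %s:%s\n' "$host" "$port" >&2
        return 1
    fi
}
```

Newer OpenSSL releases also accept -verify_return_error, which makes s_client itself abort the handshake on a verification failure instead of merely reporting it.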
