GNU bug report logs - #20960
handling /etc/ssl/certs/ca-bundle.crt by default in emacs


Package: emacs;

Reported by: Petr Hracek <phracek <at> redhat.com>

Date: Thu, 2 Jul 2015 09:58:02 UTC

Severity: wishlist

Fixed in version 29.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#20960; Package emacs. (Thu, 02 Jul 2015 09:58:02 GMT)

Acknowledgement sent to Petr Hracek <phracek <at> redhat.com>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Thu, 02 Jul 2015 09:58:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Petr Hracek <phracek <at> redhat.com>
To: bug-gnu-emacs <at> gnu.org
Subject: handling /etc/ssl/certs/ca-bundle.crt by default in emacs
Date: Thu, 02 Jul 2015 11:57:39 +0200
Hi folks,

I have a question for upstream: whether the CA directory
could be handled by upstream by default?

(setq smime-CA-directory "/etc/ssl/certs/ca-bundle.crt")

Or maybe how it could be done by Emacs packaging in Fedora?

https://bugzilla.redhat.com/show_bug.cgi?id=1131558

-- 
Petr Hracek
Software Engineer
Developer Experience
Red Hat, Inc
Mob: +420777056169
email: phracek <at> redhat.com





Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#20960; Package emacs. (Thu, 02 Jul 2015 14:56:02 GMT)

Message #8 received at 20960 <at> debbugs.gnu.org:

From: Eli Zaretskii <eliz <at> gnu.org>
To: Petr Hracek <phracek <at> redhat.com>
Cc: 20960 <at> debbugs.gnu.org
Subject: Re: bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in
 emacs
Date: Thu, 02 Jul 2015 17:55:37 +0300
> Date: Thu, 02 Jul 2015 11:57:39 +0200
> From: Petr Hracek <phracek <at> redhat.com>
> 
> I have a question to upstream whether CA directory
> could be handled by upstream by default?

What do you mean by "upstream"?  Upstream Emacs?

> (setq smime-CA-directory "/etc/ssl/certs/ca-bundle.crt")

That file name is platform-dependent, and even on Unix the bundle can
be found in several different directories.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#20960; Package emacs. (Thu, 02 Jul 2015 15:39:02 GMT)

Message #11 received at 20960 <at> debbugs.gnu.org:

From: Glenn Morris <rgm <at> gnu.org>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: Petr Hracek <phracek <at> redhat.com>, 20960 <at> debbugs.gnu.org
Subject: Re: bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in
 emacs
Date: Thu, 02 Jul 2015 11:38:25 -0400
Eli Zaretskii wrote:

>> (setq smime-CA-directory "/etc/ssl/certs/ca-bundle.crt")

On my RHEL7 system, this isn't a directory.
It is a symlink to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem,
a file.

> That file name is platform-dependent, and even on Unix the bundle can
> be found in several different directories.

So let's compile a list of the standard places and default to the first
that exists, similar to what gnutls-trustfiles does. (Do these two
variables duplicate each other?)




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#20960; Package emacs. (Thu, 02 Jul 2015 16:13:01 GMT)

Message #14 received at 20960 <at> debbugs.gnu.org:

From: Eli Zaretskii <eliz <at> gnu.org>
To: Glenn Morris <rgm <at> gnu.org>
Cc: phracek <at> redhat.com, 20960 <at> debbugs.gnu.org
Subject: Re: bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in
 emacs
Date: Thu, 02 Jul 2015 19:12:26 +0300
> From: Glenn Morris <rgm <at> gnu.org>
> Cc: Petr Hracek <phracek <at> redhat.com>,  20960 <at> debbugs.gnu.org
> Date: Thu, 02 Jul 2015 11:38:25 -0400
> 
> So let's compile a list of the standard places and default to the first
> that exists

Is that really TRT?  I don't use Gnus, but smime.el seems to want a
place to keep certificates of people/organizations from which you get
MIME messages.  How probable is it to find them in the bundles
distributed by the OS?

I thought the user is supposed to collect the certificates for this
purpose, and keep them in this directory.  IOW, these are not
system-wide certificates.

> similar to what gnutls-trustfiles does. (Does these two variables
> duplicate each other?)

gnutls-trustfiles should not be needed, except with old versions of
GnuTLS.  The library now finds and uses the system-provided bundle
automatically (and on Windows the system certificates are not kept in
a disk file).




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#20960; Package emacs. (Thu, 02 Jul 2015 16:27:01 GMT)

Message #17 received at 20960 <at> debbugs.gnu.org:

From: Stefan Monnier <monnier <at> iro.umontreal.ca>
To: Glenn Morris <rgm <at> gnu.org>
Cc: Eli Zaretskii <eliz <at> gnu.org>, 20960 <at> debbugs.gnu.org
Subject: Re: bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in
 emacs
Date: Thu, 02 Jul 2015 12:25:23 -0400
> that exists, similar to what gnutls-trustfiles does. (Do these two
> variables duplicate each other?)

Yes, I believe they are duplicates (with smime-CA-directory predating
the gnutls thingy).


        Stefan




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#20960; Package emacs. (Thu, 02 Jul 2015 22:19:02 GMT)

Message #20 received at 20960 <at> debbugs.gnu.org:

From: Glenn Morris <rgm <at> gnu.org>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: phracek <at> redhat.com, 20960 <at> debbugs.gnu.org
Subject: Re: bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in
 emacs
Date: Thu, 02 Jul 2015 18:18:08 -0400
Eli Zaretskii wrote:

>> So let's compile a list of the standard places and default to the first
>> that exists
>
> Is that really TRT?  I don't use Gnus, but smime.el seems to want a
> place to keep certificates of people/organizations from which you get
> MIME messages.  How probable it is to find them in the bundles
> distributed by the OS?

I don't use it either, and have no idea what it is supposed to be for.
But

https://bugzilla.redhat.com/show_bug.cgi?id=1131558

says it helped. But as I say, the value it's being set to isn't a
directory, so it makes little sense to me.




Information forwarded to bug-gnu-emacs <at> gnu.org, bugs <at> gnus.org:
bug#20960; Package emacs,gnus. (Sat, 26 Dec 2015 20:58:01 GMT)

Message #23 received at 20960 <at> debbugs.gnu.org:

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: Glenn Morris <rgm <at> gnu.org>, 20960 <at> debbugs.gnu.org,
 Eli Zaretskii <eliz <at> gnu.org>
Subject: Re: bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in
 emacs
Date: Sat, 26 Dec 2015 21:57:24 +0100
Stefan Monnier <monnier <at> iro.umontreal.ca> writes:

>> that exists, similar to what gnutls-trustfiles does. (Do these two
>> variables duplicate each other?)
>
> Yes, I believe they are duplicates (with smime-CA-directory predating
> the gnutls thingy).

smime-CA-directory should be rewritten to use gnutls-trustfiles (if
gnutls-trustfiles exists).  The minor complication is that the former is
a directory and the latter is a list of files, so it wouldn't be exactly
backwards compatible...

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Information forwarded to bug-gnu-emacs <at> gnu.org, bugs <at> gnus.org:
bug#20960; Package emacs,gnus. (Mon, 28 Dec 2015 22:03:02 GMT)

Message #26 received at 20960 <at> debbugs.gnu.org:

From: Ted Zlatanov <tzz <at> lifelogs.com>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: 20960 <at> debbugs.gnu.org, Stefan Monnier <monnier <at> iro.umontreal.ca>
Subject: Re: bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in
 emacs
Date: Mon, 28 Dec 2015 17:02:08 -0500
On Sat, 26 Dec 2015 21:57:24 +0100 Lars Ingebrigtsen <larsi <at> gnus.org> wrote: 

LI> Stefan Monnier <monnier <at> iro.umontreal.ca> writes:
>>> that exists, similar to what gnutls-trustfiles does. (Do these two
>>> variables duplicate each other?)
>> 
>> Yes, I believe they are duplicates (with smime-CA-directory predating
>> the gnutls thingy).

LI> smime-CA-directory should be rewritten to use gnutls-trustfiles (if
LI> gnutls-trustfiles exists).  The minor complication is that the former is
LI> a directory and the latter is a list of files, so it wouldn't be exactly
LI> backwards compatible...

We can make `gnutls-trustfiles' support directories?

Ted




Information forwarded to bug-gnu-emacs <at> gnu.org, bugs <at> gnus.org:
bug#20960; Package emacs,gnus. (Mon, 28 Dec 2015 22:31:01 GMT)

Message #29 received at 20960 <at> debbugs.gnu.org:

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: 20960 <at> debbugs.gnu.org
Subject: Re: bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in
 emacs
Date: Mon, 28 Dec 2015 23:30:05 +0100
Ted Zlatanov <tzz <at> lifelogs.com> writes:

> We can make `gnutls-trustfiles' support directories?

Sure, that would help.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Information forwarded to bug-gnu-emacs <at> gnu.org, bugs <at> gnus.org:
bug#20960; Package emacs,gnus. (Wed, 30 Dec 2015 14:54:01 GMT)

Message #32 received at 20960 <at> debbugs.gnu.org:

From: Ted Zlatanov <tzz <at> lifelogs.com>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: 20960 <at> debbugs.gnu.org, Stefan Monnier <monnier <at> iro.umontreal.ca>
Subject: Re: bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in
 emacs
Date: Wed, 30 Dec 2015 09:52:56 -0500
On Mon, 28 Dec 2015 23:30:05 +0100 Lars Ingebrigtsen <larsi <at> gnus.org> wrote: 

LI> Ted Zlatanov <tzz <at> lifelogs.com> writes:
>> We can make `gnutls-trustfiles' support directories?

LI> Sure, that would help.

It should be fairly easy to add... just two questions:

Would it be enough to use `directory-files' with the .pem and .crt
extensions, case-insensitively? Should it be recursive?

Thanks
Ted




Information forwarded to bug-gnu-emacs <at> gnu.org, bugs <at> gnus.org:
bug#20960; Package emacs,gnus. (Thu, 31 Dec 2015 17:13:02 GMT)

Message #35 received at 20960 <at> debbugs.gnu.org:

From: Lars Magne Ingebrigtsen <larsi <at> gnus.org>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: 20960 <at> debbugs.gnu.org
Subject: Re: bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in
 emacs
Date: Thu, 31 Dec 2015 18:11:53 +0100
Ted Zlatanov <tzz <at> lifelogs.com> writes:

> Would it be enough to use `directory-files' with the .pem and .crt
> extensions, case-insensitively? Should it be recursive?

Hm...  I don't know whether it should be recursive, but if it should,
that's easy with `directory-files-recursively'.  :-)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

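An added example (editor's code, not from gnutls.el or from anyone in this thread) of what Ted's question and Lars's reply sketch: letting a trust-file list contain directories, expanding each one to the .pem/.crt files it holds, matching the extension case-insensitively, and recursing only when asked. `my-trust-file-regexp` and `my-expand-trustfiles` are hypothetical names; the only Emacs APIs used are `directory-files` and `directory-files-recursively`.

```elisp
;; Added example, not Emacs code.  Explicit character classes make the
;; match case-insensitive without relying on `case-fold-search' or on
;; how `directory-files' applies its MATCH argument.
(defconst my-trust-file-regexp
  "\\.\\([pP][eE][mM]\\|[cC][rR][tT]\\)\\'"
  "Match file names ending in .pem or .crt in any letter case.")

(defun my-expand-trustfiles (entries &optional recursive)
  "Expand ENTRIES (files or directories) into a flat list of trust files.
A directory contributes the .pem/.crt files directly inside it; with
RECURSIVE non-nil its subdirectories are searched as well.  Entries that
do not exist are dropped, the same way a list of candidate bundle paths
is treated.  Symlinks to files are kept.  `directory-files-recursively'
does not descend into symlinked directories, so a link loop under a
certificate directory cannot make the expansion run forever."
  (let (result)
    (dolist (entry entries (nreverse result))
      (let ((path (expand-file-name entry)))
        (cond
         ((file-directory-p path)
          (dolist (f (if recursive
                         (directory-files-recursively path my-trust-file-regexp)
                       ;; FULL=t gives absolute names, NOSORT=t skips sorting.
                       (directory-files path t my-trust-file-regexp t)))
            (when (file-regular-p f)
              (push f result))))
         ((file-regular-p path)
          (push path result)))))))

;; Usage: a mixed list of a bundle file and a certificate directory
;; (hypothetical paths) becomes one flat list of files.
;; (my-expand-trustfiles '("/etc/ssl/certs/ca-bundle.crt" "~/.smime/ca"))
```

The result is a list of files, which is the shape GnuTLS can consume. As Lars notes later in the thread, `openssl smime -verify` takes a single `-CAfile` or a single hashed `-CApath`, so a list expanded this way does not drop straight into smime.el. On systems where /etc/ssl/certs holds hashed symlinks (names like `5ed36f99.0`) beside the `.pem` links, the hashed names do not match the regexp and are skipped.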



Information forwarded to bug-gnu-emacs <at> gnu.org, bugs <at> gnus.org:
bug#20960; Package emacs,gnus. (Thu, 26 Jan 2017 19:26:02 GMT)

Message #38 received at 20960 <at> debbugs.gnu.org:

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: 20960 <at> debbugs.gnu.org
Subject: Re: bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in
 emacs
Date: Thu, 26 Jan 2017 20:24:16 +0100
Ted Zlatanov <tzz <at> lifelogs.com> writes:

> On Sat, 26 Dec 2015 21:57:24 +0100 Lars Ingebrigtsen <larsi <at> gnus.org> wrote: 
>
> LI> Stefan Monnier <monnier <at> iro.umontreal.ca> writes:
>>>> that exists, similar to what gnutls-trustfiles does. (Do these two
>>>> variables duplicate each other?)
>>> 
>>> Yes, I believe they are duplicates (with smime-CA-directory predating
>>> the gnutls thingy).
>
> LI> smime-CA-directory should be rewritten to use gnutls-trustfiles (if
> LI> gnutls-trustfiles exists).  The minor complication is that the former is
> LI> a directory and the latter is a list of files, so it wouldn't be exactly
> LI> backwards compatible...
>
> We can make `gnutls-trustfiles' support directories?

On the other hand, this is the only place smime-CA-directory is used:

(defun smime-verify-region (b e)
  "Verify S/MIME message in region between B and E.
Returns non-nil on success.
Any details (stdout and stderr) are left in the buffer specified by
`smime-details-buffer'."
  (smime-new-details-buffer)
  (let ((CAs (append (if smime-CA-file
			 (list "-CAfile"
			       (expand-file-name smime-CA-file)))
		     (if smime-CA-directory
			 (list "-CApath"
			       (expand-file-name smime-CA-directory))))))

And:

       -CAfile file
           a file containing trusted CA certificates, only used with -verify.

       -CApath dir
           a directory containing trusted CA certificates, only used with
           -verify. This directory must be a standard certificate directory:
           that is a hash of each subject name (using x509 -hash) should be
           linked to each certificate.

Is a list of CA files, and can be in different directories, so there's,
like, no way to use them interchangeably.

So...  I dunno.  Somebody could just rewrite that function to use all
the files from (gnutls-trustfiles) and see if one of them is OK.  I
never use smime, though, so I'm not that person.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

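An added example (editor's code, not smime.el's) of the argument building Lars quotes above, with the checks the man page excerpt implies: `-CAfile` has to be a file and `-CApath` has to be a directory in OpenSSL's hashed layout, so the configuration from the original report (a bundle file assigned to `smime-CA-directory`) is rejected up front with a reason instead of surfacing as an unexplained verification failure. `my-smime-CA-file`, `my-smime-CA-directory` and the `my-smime-*` functions are hypothetical stand-ins for the smime.el variables and `smime-verify-region`; the hashed file name form (eight lowercase hex digits, a dot, a decimal index, as produced by `openssl rehash` or `c_rehash`) is taken from OpenSSL's documented layout and is otherwise an assumption. Eli's caveat earlier in the thread still applies: whatever store these arguments point at must actually contain the CAs that issued your correspondents' certificates, and a system TLS bundle may not.

```elisp
;; Added example, not smime.el code.
(defvar my-smime-CA-file nil
  "Stand-in for `smime-CA-file': one PEM bundle passed to openssl as -CAfile.")

(defvar my-smime-CA-directory nil
  "Stand-in for `smime-CA-directory': a hashed directory passed as -CApath.")

(defconst my-smime-hashed-name-regexp "\\`[0-9a-f]\\{8\\}\\.[0-9]+\\'"
  "File names OpenSSL expects in a -CApath directory, e.g. 5ed36f99.0
\(assumed from the documented `openssl rehash' layout).")

(defun my-smime-hashed-directory-p (dir)
  "Return non-nil if DIR contains at least one hashed certificate link.
OpenSSL locates issuers in a -CApath directory by subject-name hash only,
so a directory of plain .pem files contributes no trusted CA at all and
every verification fails without saying why."
  (and (file-directory-p dir)
       (directory-files dir nil my-smime-hashed-name-regexp t)))

(defun my-smime-ca-arguments (ca-file ca-directory)
  "Return the -CAfile/-CApath arguments for `openssl smime -verify'.
Signal an error when CA-FILE is not a readable regular file, when
CA-DIRECTORY is not a hashed directory, or when neither is set (openssl
would then quietly use whatever default store it was built with), so a
misconfiguration is reported here rather than as a bare openssl failure."
  (when (and (null ca-file) (null ca-directory))
    (error "No CA file or directory configured; trust anchors must be explicit"))
  (append
   (when ca-file
     (let ((f (expand-file-name ca-file)))
       ;; `file-regular-p' follows symlinks, so a link such as
       ;; /etc/ssl/certs/ca-bundle.crt pointing at a bundle file is accepted.
       (unless (and (file-regular-p f) (file-readable-p f))
         (error "smime-CA-file %s is not a readable file" f))
       (list "-CAfile" f)))
   (when ca-directory
     (let ((d (expand-file-name ca-directory)))
       (cond ((file-regular-p d)
              (error "smime-CA-directory %s is a file; set smime-CA-file instead" d))
             ((not (my-smime-hashed-directory-p d))
              (error "smime-CA-directory %s has no hashed links; run `openssl rehash' on it" d)))
       (list "-CApath" d)))))

(defun my-smime-verify-region (b e)
  "Verify the S/MIME message between B and E; return non-nil on success.
openssl's stdout and stderr are left in the buffer *my-smime-details*."
  (let ((args (my-smime-ca-arguments my-smime-CA-file my-smime-CA-directory))
        (details (get-buffer-create "*my-smime-details*")))
    (with-current-buffer details (erase-buffer))
    (eql 0 (apply #'call-process-region b e "openssl" nil details nil
                  "smime" "-verify" args))))
```

Refusing to run with neither variable set is a design choice: smime.el itself omits both options in that case and leaves the trust decision to OpenSSL's defaults, which is rarely what the person who wrote the configuration intended.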



bug reassigned from package 'emacs,gnus' to 'emacs'. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Thu, 26 Jan 2017 19:26:03 GMT)

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#20960; Package emacs. (Tue, 31 Jan 2017 14:39:02 GMT)

Message #43 received at 20960 <at> debbugs.gnu.org:

From: Ted Zlatanov <tzz <at> lifelogs.com>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: 20960 <at> debbugs.gnu.org
Subject: Re: bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in
 emacs
Date: Tue, 31 Jan 2017 09:38:01 -0500
On Thu, 26 Jan 2017 20:24:16 +0100 Lars Ingebrigtsen <larsi <at> gnus.org> wrote: 

LI> Is a list of CA files, and can be in different directories, so there's,
LI> like, no way to use them interchangeably.

LI> So...  I dunno.  Somebody could just rewrite that function to use all
LI> the files from (gnutls-trustfiles) and see if one of them is OK.  I
LI> never use smime, though, so I'm not that person.

I'm lost. Should we support directories or not?

Ted




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#20960; Package emacs. (Tue, 31 Jan 2017 16:29:02 GMT)

Message #46 received at 20960 <at> debbugs.gnu.org:

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: 20960 <at> debbugs.gnu.org
Subject: Re: bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in
 emacs
Date: Tue, 31 Jan 2017 17:27:56 +0100
Ted Zlatanov <tzz <at> lifelogs.com> writes:

> On Thu, 26 Jan 2017 20:24:16 +0100 Lars Ingebrigtsen <larsi <at> gnus.org> wrote: 
>
> LI> Is a list of CA files, and can be in different directories, so there's,
> LI> like, no way to use them interchangeably.
>
> LI> So...  I dunno.  Somebody could just rewrite that function to use all
> LI> the files from (gnutls-trustfiles) and see if one of them is OK.  I
> LI> never use smime, though, so I'm not that person.
>
> I'm lost. Should we support directories or not?

Because of the way the inputs for the smime commands are structured,
making gnutls-trustfiles support directories doesn't help us.  I think.
I may be misreading the man pages or having a brain fart.  :-)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#20960; Package emacs. (Tue, 31 Jan 2017 18:46:02 GMT)

Message #49 received at 20960 <at> debbugs.gnu.org:

From: Ted Zlatanov <tzz <at> lifelogs.com>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: 20960 <at> debbugs.gnu.org
Subject: Re: bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in
 emacs
Date: Tue, 31 Jan 2017 13:45:12 -0500
On Tue, 31 Jan 2017 17:27:56 +0100 Lars Ingebrigtsen <larsi <at> gnus.org> wrote: 

LI> Ted Zlatanov <tzz <at> lifelogs.com> writes:

>> I'm lost. Should we support directories or not?

LI> Because of the way the inputs for the smime commands are structured,
LI> making gnutls-trustfiles support directories doesn't help us.  I think.
LI> I may be misreading the man pages or having a brain fart.  :-)

Since it's less work, I concur and procrastination wins again.

Ted




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#20960; Package emacs. (Wed, 13 Apr 2022 00:31:01 GMT)

Message #52 received at 20960 <at> debbugs.gnu.org:

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Petr Hracek <phracek <at> redhat.com>
Cc: 20960 <at> debbugs.gnu.org
Subject: Re: bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in
 emacs
Date: Wed, 13 Apr 2022 02:30:23 +0200
Petr Hracek <phracek <at> redhat.com> writes:

> I have a question to upstream whether CA directory
> could be handled by upstream by default?
>
> (setq smime-CA-directory "/etc/ssl/certs/ca-bundle.crt")
>
> Or may be how it could be done by emacs packaging in Fedora?

(I'm going through old bug reports that unfortunately weren't resolved
at the time.)

In Emacs 29, I've made smime-CA-file default to the value from
`gnutls-trustfiles', so that this should basically work out of the box
on most systems now.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
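For readers on an Emacs older than 29, an added example (editor's code, not Emacs's) that does by hand what Glenn proposed in message #11 and what Lars describes as the Emacs 29 default above: take the first usable system CA bundle and hand it to smime.el as a file, which is what `openssl smime -verify -CAfile` wants. The original report assigned the bundle to `smime-CA-directory`, which on RHEL 7 is not even a directory. The code uses the zero-argument function `gnutls-trustfiles` when it exists and otherwise falls back to `my-ca-bundle-candidates`, a list of conventional distribution paths that is an assumption rather than anything taken from gnutls.el; `my-ca-bundle-usable-p` and `my-ca-bundle-first-existing` are hypothetical names.

```elisp
;; Added example, not Emacs code.
(require 'seq)

(defconst my-ca-bundle-candidates
  '("/etc/ssl/certs/ca-certificates.crt"      ; Debian, Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt"         ; Fedora, RHEL
    "/etc/ssl/certs/ca-bundle.crt"             ; the path from this report
    "/etc/ssl/ca-bundle.pem"                   ; openSUSE
    "/etc/ssl/cert.pem"                        ; macOS, OpenBSD, Alpine
    "/usr/local/share/certs/ca-root-nss.crt")  ; FreeBSD
  "Assumed conventional locations of the system CA bundle.  Only used
when the `gnutls-trustfiles' function is unavailable; not exhaustive.")

(defun my-ca-bundle-usable-p (file)
  "Return FILE's true name if it is a readable, non-empty regular file.
Symlinks are followed: on RHEL 7 /etc/ssl/certs/ca-bundle.crt is a link
into /etc/pki/ca-trust/extracted/pem/.  An empty file is rejected here
rather than left for openssl to complain about at verification time."
  (let ((true (file-truename file)))
    (and (file-regular-p true)
         (file-readable-p true)
         (> (file-attribute-size (file-attributes true)) 0)
         true)))

(defun my-ca-bundle-first-existing (&optional candidates)
  "Return the first usable CA bundle among CANDIDATES, or nil.
CANDIDATES defaults to what `gnutls-trustfiles' reports when that
function exists, and to `my-ca-bundle-candidates' otherwise."
  (seq-some #'my-ca-bundle-usable-p
            (or candidates
                (and (fboundp 'gnutls-trustfiles) (gnutls-trustfiles))
                my-ca-bundle-candidates)))

;; Usage in an init file: give smime.el a file, never a directory, and say
;; so at startup when nothing was found, instead of leaving openssl to use
;; whatever default store it was built with.
(let ((bundle (my-ca-bundle-first-existing)))
  (if bundle
      (setq smime-CA-file bundle)
    (warn "No system CA bundle found; smime-CA-file left unset")))
```

Because `defcustom` keeps a value that is already bound, setting `smime-CA-file` before smime.el is loaded is safe. The check is worth keeping even on Emacs 29: the new default only helps when one of the paths in `gnutls-trustfiles` exists on the machine, and a missing or empty bundle is better reported at startup than as a failed signature check in a mail buffer.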




bug marked as fixed in version 29.1, send any further explanations to 20960 <at> debbugs.gnu.org and Petr Hracek <phracek <at> redhat.com> Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Wed, 13 Apr 2022 00:31:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 11 May 2022 11:24:08 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.