GNU bug report logs - #33780
network-stream.el: network-stream-certificate always returns nil


Package: emacs; Reported by: Vinothan Shankar <darael@HIDDEN>; Keywords: fixed; Done: Robert Pluim <rpluim@HIDDEN>; Maintainer for emacs is bug-gnu-emacs@HIDDEN.
bug marked as fixed in version 27.1, send any further explanations to 33780 <at> debbugs.gnu.org and Vinothan Shankar <darael@HIDDEN> Request was from Robert Pluim <rpluim@HIDDEN> to control <at> debbugs.gnu.org. Full text available.
Added tag(s) fixed. Request was from Robert Pluim <rpluim@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 33780 <at> debbugs.gnu.org:


From: Robert Pluim <rpluim@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil
Date: Thu, 24 Jan 2019 11:40:55 +0100
Cc: darael@HIDDEN, tzz@HIDDEN, 33780 <at> debbugs.gnu.org

tags 33780 fixed
close 33780 27.1
quit

Fix pushed to master as f3f9a3582e along with some tests.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#33780; Package emacs. Full text available.

Message received at 33780 <at> debbugs.gnu.org:


From: Robert Pluim <rpluim@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil
Date: Tue, 15 Jan 2019 21:31:35 +0100
Cc: darael@HIDDEN, tzz@HIDDEN, 33780 <at> debbugs.gnu.org

Eli Zaretskii <eliz@HIDDEN> writes:

>> so loading nsm.el causes nsm-verify-connection to get called in the
>> ':nowait t' case. Presumably in the ':nowait nil' case gnutls-boot has
>> already completed the tls connection, and finish_after_tls_connection
>> never gets called (thatʼs speculation on my part). I donʼt know the
>> GnuTLS code well enough to know if this is a bug. Ted?
>

I can confirm this is what happens: finish_after_tls_connection only
gets called when ':nowait t'.

> Ah, okay.  No, I don't think this is a bug.  So use some way to get
> nsm to approve the connection.

I do find it unexpected that the low level GnuTLS code only invokes
the nsm for ':nowait t' connections.  OTOH 'open-network-stream' works
fine, and uses the nsm, so itʼs not a big deal.

Overriding nsm-query appears not to be enough (itʼs enough when
running the tests interactively, but not in batch mode), I had to
override 'nsm-verify-connection'.

Robert
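
One way to confine the 'nsm-verify-connection' override described above to a single test body, as an added example that is not part of this thread or of the Emacs sources. The macro name, the log variable, the host and port, and the stand-in process symbol are all constructed for illustration; the stub approves only the named endpoint and refuses everything else, and the real function is restored when the body exits.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example: scope an NSM override to one test instead of
;; changing NSM behaviour for the whole batch session.
(require 'cl-lib)
(require 'ert)
(require 'nsm)   ; defines `nsm-verify-connection'

(defvar my-nsm-stub-log nil
  "Hypothetical log: (HOST PORT VERDICT) for each call the stub saw.")

(defmacro my-with-nsm-approving (host port &rest body)
  "Run BODY with `nsm-verify-connection' approving only HOST and PORT.
Any other endpoint is refused: the stub returns nil for it.
`cl-letf' restores the real function when BODY exits, even on error."
  (declare (indent 2) (debug t))
  (let ((h (make-symbol "host"))
        (p (make-symbol "port")))
    `(let ((,h ,host)
           (,p ,port))
       (cl-letf (((symbol-function 'nsm-verify-connection)
                  (lambda (process peer-host peer-port &rest _ignored)
                    (let ((ok (and (equal peer-host ,h)
                                   (equal peer-port ,p))))
                      (push (list peer-host peer-port
                                  (if ok 'approved 'refused))
                            my-nsm-stub-log)
                      ;; Same contract as the real function: the
                      ;; process object means "go ahead", nil means
                      ;; "do not use this connection".
                      (and ok process)))))
         ,@body))))

(ert-deftest my-nsm-override-is-scoped ()
  "The stub is active only inside the macro and only for one endpoint."
  (let ((real (symbol-function 'nsm-verify-connection))
        (my-nsm-stub-log nil)
        ;; Constructed stand-in; a real test would pass the process
        ;; returned by `make-network-process' or `open-network-stream'.
        (fake-proc 'constructed-process))
    (my-with-nsm-approving "localhost" 4433
      ;; The test endpoint is approved without any prompt, so this
      ;; also works under --batch.
      (should (eq (nsm-verify-connection fake-proc "localhost" 4433)
                  fake-proc))
      ;; Anything else is still refused while the stub is installed.
      (should-not (nsm-verify-connection fake-proc "example.invalid" 443)))
    ;; Outside the macro the real NSM entry point is back in place.
    (should (eq (symbol-function 'nsm-verify-connection) real))
    (should (equal (reverse my-nsm-stub-log)
                   '(("localhost" 4433 approved)
                     ("example.invalid" 443 refused))))))
```

Saved to a file, the test runs with 'emacs -Q --batch -l FILE -f ert-run-tests-batch-and-exit'.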





Message received at 33780 <at> debbugs.gnu.org:


Date: Mon, 14 Jan 2019 20:51:49 +0200
From: Eli Zaretskii <eliz@HIDDEN>
To: Robert Pluim <rpluim@HIDDEN>
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil
Cc: darael@HIDDEN, tzz@HIDDEN, 33780 <at> debbugs.gnu.org

> From: Robert Pluim <rpluim@HIDDEN>
> Cc: darael@HIDDEN,  tzz@HIDDEN,  33780 <at> debbugs.gnu.org
> Date: Mon, 14 Jan 2019 18:40:59 +0100
> 
> > I don't think I understood why nsm gets called only in the ":nowait t"
> > case.  What did I miss?
> 
> process.c has:
> 
> #ifdef HAVE_GNUTLS
> static void
> finish_after_tls_connection (Lisp_Object proc)
> {
>   struct Lisp_Process *p = XPROCESS (proc);
>   Lisp_Object contact = p->childp;
>   Lisp_Object result = Qt;
> 
>   if (!NILP (Ffboundp (Qnsm_verify_connection)))
>     result = call3 (Qnsm_verify_connection,
> 		    proc,
> 		    Fplist_get (contact, QChost),
> 		    Fplist_get (contact, QCservice));
> 
> so loading nsm.el causes nsm-verify-connection to get called in the
> ':nowait t' case. Presumably in the ':nowait nil' case gnutls-boot has
> already completed the tls connection, and finish_after_tls_connection
> never gets called (thatʼs speculation on my part). I donʼt know the
> GnuTLS code well enough to know if this is a bug. Ted?

Ah, okay.  No, I don't think this is a bug.  So use some way to get
nsm to approve the connection.





Message received at 33780 <at> debbugs.gnu.org:


From: Robert Pluim <rpluim@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil
Date: Mon, 14 Jan 2019 18:40:59 +0100
Cc: darael@HIDDEN, tzz@HIDDEN, 33780 <at> debbugs.gnu.org

Eli Zaretskii <eliz@HIDDEN> writes:

>> From: Robert Pluim <rpluim@HIDDEN>
>> Cc: darael@HIDDEN,  tzz@HIDDEN,  33780 <at> debbugs.gnu.org
>> Date: Mon, 14 Jan 2019 17:25:55 +0100
>>
>> When running the test suite, weʼre in batch mode, so thereʼs no way to
>> answer that question, as far as I know, so turning off the nsm is the
>> only way to go.
>
> You could also override the nsm-query-user function, I think.
>

True.

>> This only fails for the existing tests with ':nowait t', since then I
>> suspect nsm gets called automatically, whilst in the ':nowait nil'
>> case nsm never gets called (the existing tests all use
>> 'make-network-process' directly, rather than 'open-network-stream', so
>> they bypass nsm).
>
> I don't think I understood why nsm gets called only in the ":nowait t"
> case.  What did I miss?

process.c has:

#ifdef HAVE_GNUTLS
static void
finish_after_tls_connection (Lisp_Object proc)
{
  struct Lisp_Process *p = XPROCESS (proc);
  Lisp_Object contact = p->childp;
  Lisp_Object result = Qt;

  if (!NILP (Ffboundp (Qnsm_verify_connection)))
    result = call3 (Qnsm_verify_connection,
		    proc,
		    Fplist_get (contact, QChost),
		    Fplist_get (contact, QCservice));

so loading nsm.el causes nsm-verify-connection to get called in the
':nowait t' case. Presumably in the ':nowait nil' case gnutls-boot has
already completed the tls connection, and finish_after_tls_connection
never gets called (thatʼs speculation on my part). I donʼt know the
GnuTLS code well enough to know if this is a bug. Ted?

Robert





Message received at 33780 <at> debbugs.gnu.org:


Date: Mon, 14 Jan 2019 18:45:13 +0200
From: Eli Zaretskii <eliz@HIDDEN>
To: Robert Pluim <rpluim@HIDDEN>
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil
Cc: darael@HIDDEN, tzz@HIDDEN, 33780 <at> debbugs.gnu.org

> From: Robert Pluim <rpluim@HIDDEN>
> Cc: darael@HIDDEN,  tzz@HIDDEN,  33780 <at> debbugs.gnu.org
> Date: Mon, 14 Jan 2019 17:25:55 +0100
> 
> When running the test suite, weʼre in batch mode, so thereʼs no way to
> answer that question, as far as I know, so turning off the nsm is the
> only way to go.

You could also override the nsm-query-user function, I think.

> This only fails for the existing tests with ':nowait t', since then I
> suspect nsm gets called automatically, whilst in the ':nowait nil'
> case nsm never gets called (the existing tests all use
> 'make-network-process' directly, rather than 'open-network-stream', so
> they bypass nsm).

I don't think I understood why nsm gets called only in the ":nowait t"
case.  What did I miss?





Message received at 33780 <at> debbugs.gnu.org:


From: Robert Pluim <rpluim@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always returns nil
Date: Mon, 14 Jan 2019 17:25:55 +0100
Cc: darael@HIDDEN, tzz@HIDDEN, 33780 <at> debbugs.gnu.org

Eli Zaretskii <eliz@HIDDEN> writes:

>> From: Robert Pluim <rpluim@HIDDEN>
>> Cc: darael@HIDDEN,  tzz@HIDDEN,  33780 <at> debbugs.gnu.org
>> Date: Mon, 14 Jan 2019 14:27:15 +0100
>>
>> Fixed. I was about to push, then got paranoid, so I wrote a few tests
>> for 'open-network-stream', which gave me a few surprises. I had to add
>> the following in network-stream-tests.el:
>>
>> +(require 'network-stream)
>> +; The require above is needed for 'open-network-stream', but it pulls
>> +; in nsm, which then makes the :nowait tests fail unless we disable
>> +; the nsm.
>> +(setq network-security-level 'low)
>>
>> otherwise both the old and my new ':nowait t' tests failed. Is that
>> expected?
>
> Not sure.  Did you understand why it failed?  IOW, what does nsm have
> to do with the failures?

When I ran the equivalent 'open-network-stream' code to the tests
manually in 'emacs -Q', I get a prompt from nsm asking me whether to
accept the certificate of the server Iʼm connecting to.

When running the test suite, weʼre in batch mode, so thereʼs no way to
answer that question, as far as I know, so turning off the nsm is the
only way to go.

This only fails for the existing tests with ':nowait t', since then I
suspect nsm gets called automatically, whilst in the ':nowait nil'
case nsm never gets called (the existing tests all use
'make-network-process' directly, rather than 'open-network-stream', so
they bypass nsm).

This could be seen as a bug in nsm, I suppose, since naïvely you
wouldn't expect loading it to change the behaviour of
'make-network-process'.

Robert





Message received at 33780 <at> debbugs.gnu.org:


Received: (at 33780) by debbugs.gnu.org; 14 Jan 2019 16:01:07 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Jan 14 11:01:07 2019
Received: from localhost ([127.0.0.1]:59220 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1gj4fi-0007kr-UL
	for submit <at> debbugs.gnu.org; Mon, 14 Jan 2019 11:01:07 -0500
Received: from eggs.gnu.org ([209.51.188.92]:40757)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@HIDDEN>) id 1gj4fh-0007kH-6j
 for 33780 <at> debbugs.gnu.org; Mon, 14 Jan 2019 11:01:05 -0500
Received: from fencepost.gnu.org ([2001:470:142:3::e]:47014)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <eliz@HIDDEN>)
 id 1gj4fY-0006Zy-6N; Mon, 14 Jan 2019 11:00:58 -0500
Received: from [176.228.60.248] (port=1240 helo=home-c4e4a596f7)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <eliz@HIDDEN>)
 id 1gj4fX-0002BC-6W; Mon, 14 Jan 2019 11:00:56 -0500
Date: Mon, 14 Jan 2019 18:00:41 +0200
Message-Id: <83imyrdyae.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Robert Pluim <rpluim@HIDDEN>
In-reply-to: <m2pnsz1ia4.fsf@HIDDEN> (message from Robert Pluim on Mon, 14
 Jan 2019 14:27:15 +0100)
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always
 returns nil
References: <36f7918ec93135504092dc856a4490c846f6e947.camel@HIDDEN>
 <m2va3pa0xy.fsf@HIDDEN>
 <97b430dc5524473a7ed3af1b903644880db057ff.camel@HIDDEN>
 <m2r2ec9gvu.fsf@HIDDEN> <m2muoz9fzq.fsf@HIDDEN>
 <m2a7ka5coh.fsf@HIDDEN> <83o98mf7sv.fsf@HIDDEN> <m2pnsz1ia4.fsf@HIDDEN>
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 33780
Cc: darael@HIDDEN, tzz@HIDDEN, 33780 <at> debbugs.gnu.org

> From: Robert Pluim <rpluim@HIDDEN>
> Cc: darael@HIDDEN,  tzz@HIDDEN,  33780 <at> debbugs.gnu.org
> Date: Mon, 14 Jan 2019 14:27:15 +0100
> 
> Fixed. I was about to push, then got paranoid, so I wrote a few tests
> for 'open-network-stream', which gave me a few surprises. I had to add
> the following in network-stream-tests.el:
> 
> +(require 'network-stream)
> +; The require above is needed for 'open-network-stream', but it pulls
> +; in nsm, which then makes the :nowait tests fail unless we disable
> +; the nsm.
> +(setq network-security-level 'low)
> 
> otherwise both the old and my new ':nowait t' tests failed. Is that
> expected?

Not sure.  Did you understand why it failed?  IOW, what does nsm have
to do with the failures?




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#33780; Package emacs. Full text available.

Message received at 33780 <at> debbugs.gnu.org:


Received: (at 33780) by debbugs.gnu.org; 14 Jan 2019 13:27:25 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Jan 14 08:27:25 2019
Received: from localhost ([127.0.0.1]:58374 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1gj2Gz-0003v2-0V
	for submit <at> debbugs.gnu.org; Mon, 14 Jan 2019 08:27:25 -0500
Received: from mail-wm1-f46.google.com ([209.85.128.46]:35596)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <rpluim@HIDDEN>) id 1gj2Gx-0003un-8i
 for 33780 <at> debbugs.gnu.org; Mon, 14 Jan 2019 08:27:23 -0500
Received: by mail-wm1-f46.google.com with SMTP id t200so8894369wmt.0
 for <33780 <at> debbugs.gnu.org>; Mon, 14 Jan 2019 05:27:23 -0800 (PST)
X-Received: by 2002:a1c:2382:: with SMTP id j124mr11727903wmj.14.1547472436929; 
 Mon, 14 Jan 2019 05:27:16 -0800 (PST)
Received: from rpluim-mac ([149.5.228.1])
 by smtp.gmail.com with ESMTPSA id y8sm25682077wmg.13.2019.01.14.05.27.15
 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
 Mon, 14 Jan 2019 05:27:15 -0800 (PST)
From: Robert Pluim <rpluim@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always
 returns nil
References: <36f7918ec93135504092dc856a4490c846f6e947.camel@HIDDEN>
 <m2va3pa0xy.fsf@HIDDEN>
 <97b430dc5524473a7ed3af1b903644880db057ff.camel@HIDDEN>
 <m2r2ec9gvu.fsf@HIDDEN> <m2muoz9fzq.fsf@HIDDEN>
 <m2a7ka5coh.fsf@HIDDEN> <83o98mf7sv.fsf@HIDDEN>
X-Debbugs-No-Ack: yes
Mail-Copies-To: never
Gmane-Reply-To-List: yes
Date: Mon, 14 Jan 2019 14:27:15 +0100
Message-ID: <m2pnsz1ia4.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 33780
Cc: darael@HIDDEN, tzz@HIDDEN, 33780 <at> debbugs.gnu.org

Eli Zaretskii <eliz@HIDDEN> writes:

>> From: Robert Pluim <rpluim@HIDDEN>
>> Cc: Vinothan Shankar <darael@HIDDEN>, eliz@HIDDEN, Ted Zlatanov <tzz@HIDDEN>
>> Date: Wed, 09 Jan 2019 11:48:46 +0100
>
> Thanks, a few comments regarding the Texinfo part:
>
>> +Passing @code{:client certificate t} triggers looking up of client
>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> This should be wrapped in @w{..}, otherwise makeinfo might divide it
> between two lines.
>

Fixed, along with another instance later.

>> +certificates matching @var{host} and @var{service} using the
>> +'auth-source' library.  Any resulting client certificates are passed
>
> auth-source should be in @file, and without the quotes.
>
>> +down to the lower TLS layers.  The format used by @file{.authinfo} to
>> +specify the per-server keys is described in @xref{Help for
>> +users,,auth-source, auth, Emacs auth-source Library}.
>
> @xref can only be used at the beginning of a sentence, as it generates
> a capitalized "See".  Use "see @ref" instead here.

Fixed. I was about to push, then got paranoid, so I wrote a few tests
for 'open-network-stream', which gave me a few surprises. I had to add
the following in network-stream-tests.el:

+(require 'network-stream)
+; The require above is needed for 'open-network-stream', but it pulls
+; in nsm, which then makes the :nowait tests fail unless we disable
+; the nsm.
+(setq network-security-level 'low)
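
Review bot: The top-level '(setq network-security-level 'low)' lowers the NSM level for everything that runs in the same Emacs session after this file is loaded, not only the ':nowait' tests named in the comment. Binding the variable with 'let' around the affected tests, or restoring the previous value afterwards, would keep the rest of the suite at the default level, and the comment should name the nsm check that makes the tests fail. Comments that start a line in Lisp source conventionally use ';;' rather than a single ';'.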

otherwise both the old and my new ':nowait t' tests failed. Is that
expected?

Thanks

Robert




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#33780; Package emacs. Full text available.

Message received at 33780 <at> debbugs.gnu.org:


Received: (at 33780) by debbugs.gnu.org; 12 Jan 2019 11:13:52 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Jan 12 06:13:52 2019
Received: from localhost ([127.0.0.1]:56561 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1giHEX-0002m2-Uq
	for submit <at> debbugs.gnu.org; Sat, 12 Jan 2019 06:13:51 -0500
Received: from eggs.gnu.org ([209.51.188.92]:33346)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@HIDDEN>) id 1giHEV-0002ln-UV
 for 33780 <at> debbugs.gnu.org; Sat, 12 Jan 2019 06:13:44 -0500
Received: from fencepost.gnu.org ([2001:470:142:3::e]:35959)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <eliz@HIDDEN>)
 id 1giHEF-0008Nk-It; Sat, 12 Jan 2019 06:13:29 -0500
Received: from [176.228.60.248] (port=4271 helo=home-c4e4a596f7)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <eliz@HIDDEN>)
 id 1giHEC-0001hx-3Q; Sat, 12 Jan 2019 06:13:25 -0500
Date: Sat, 12 Jan 2019 13:13:04 +0200
Message-Id: <83o98mf7sv.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Robert Pluim <rpluim@HIDDEN>
In-reply-to: <m2a7ka5coh.fsf@HIDDEN> (message from Robert Pluim on Wed, 09
 Jan 2019 11:48:46 +0100)
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always
 returns nil
References: <36f7918ec93135504092dc856a4490c846f6e947.camel@HIDDEN>
 <m2va3pa0xy.fsf@HIDDEN>
 <97b430dc5524473a7ed3af1b903644880db057ff.camel@HIDDEN>
 <m2r2ec9gvu.fsf@HIDDEN> <m2muoz9fzq.fsf@HIDDEN>
 <m2a7ka5coh.fsf@HIDDEN>
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 33780
Cc: darael@HIDDEN, tzz@HIDDEN, 33780 <at> debbugs.gnu.org

> From: Robert Pluim <rpluim@HIDDEN>
> Cc: Vinothan Shankar <darael@HIDDEN>, eliz@HIDDEN, Ted Zlatanov <tzz@HIDDEN>
> Date: Wed, 09 Jan 2019 11:48:46 +0100

Thanks, a few comments regarding the Texinfo part:

> +Passing @code{:client certificate t} triggers looking up of client
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This should be wrapped in @w{..}, otherwise makeinfo might divide it
between two lines.

> +certificates matching @var{host} and @var{service} using the
> +'auth-source' library.  Any resulting client certificates are passed

auth-source should be in @file, and without the quotes.

> +down to the lower TLS layers.  The format used by @file{.authinfo} to
> +specify the per-server keys is described in @xref{Help for
> +users,,auth-source, auth, Emacs auth-source Library}.

@xref can only be used at the beginning of a sentence, as it generates
a capitalized "See".  Use "see @ref" instead here.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#33780; Package emacs. Full text available.

Message received at 33780 <at> debbugs.gnu.org:


Received: (at 33780) by debbugs.gnu.org; 9 Jan 2019 10:48:58 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Jan 09 05:48:58 2019
Received: from localhost ([127.0.0.1]:50834 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1ghBPt-0007sa-LK
	for submit <at> debbugs.gnu.org; Wed, 09 Jan 2019 05:48:58 -0500
Received: from mail-ed1-f46.google.com ([209.85.208.46]:44160)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <rpluim@HIDDEN>) id 1ghBPq-0007sL-Nb
 for 33780 <at> debbugs.gnu.org; Wed, 09 Jan 2019 05:48:55 -0500
Received: by mail-ed1-f46.google.com with SMTP id y56so6887923edd.11
 for <33780 <at> debbugs.gnu.org>; Wed, 09 Jan 2019 02:48:54 -0800 (PST)
X-Received: by 2002:a50:999b:: with SMTP id m27mr5601183edb.10.1547030928490; 
 Wed, 09 Jan 2019 02:48:48 -0800 (PST)
Received: from rpluim-mac ([149.5.228.1])
 by smtp.gmail.com with ESMTPSA id m44sm1340314edm.54.2019.01.09.02.48.46
 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
 Wed, 09 Jan 2019 02:48:47 -0800 (PST)
From: Robert Pluim <rpluim@HIDDEN>
To: 33780 <at> debbugs.gnu.org
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always
 returns nil
References: <36f7918ec93135504092dc856a4490c846f6e947.camel@HIDDEN>
 <m2va3pa0xy.fsf@HIDDEN>
 <97b430dc5524473a7ed3af1b903644880db057ff.camel@HIDDEN>
 <m2r2ec9gvu.fsf@HIDDEN> <m2muoz9fzq.fsf@HIDDEN>
X-Debbugs-No-Ack: yes
Mail-Copies-To: never
Gmane-Reply-To-List: yes
Date: Wed, 09 Jan 2019 11:48:46 +0100
In-Reply-To: <m2muoz9fzq.fsf@HIDDEN> (Robert Pluim's message of "Fri, 21
 Dec 2018 14:16:57 +0100")
Message-ID: <m2a7ka5coh.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 33780
Cc: Vinothan Shankar <darael@HIDDEN>, eliz@HIDDEN,
 Ted Zlatanov <tzz@HIDDEN>

--=-=-=
Content-Type: text/plain

Following discussion on emacs-devel on how to do this, latest version
of patch attached. This maintains backwards compatibility for
open-gnutls-stream (assuming I haven't screwed up the checks), and
updates the relevant documentation.


--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline;
 filename=0001-Check-for-client-certificates-when-using-GnuTLS.patch

From 6bdf3d94dc83e79394d109486f68810ef9f4b373 Mon Sep 17 00:00:00 2001
From: Robert Pluim <rpluim@HIDDEN>
Date: Fri, 21 Dec 2018 11:58:00 +0100
Subject: [PATCH] Check for client certificates when using GnuTLS
To: emacs-devel@HIDDEN

This fixes Bug#33780, and extends the documentation to describe how to
enable use of client certificates.

* lisp/net/network-stream.el (network-stream-certificate): Correct
order of parameters to plist-get.
(network-stream-open-tls): Pass all received parameters to
open-gnutls-stream as plist, not just :nowait.

* lisp/net/gnutls.el (open-gnutls-stream): Change optional nowait arg
to be plist.  Derive nowait and client certificate(s) and keys(s) from
plist (maybe via auth-source) and pass to gnutls-boot-parameters and
gnutls-negotiate.
(network-stream-certificate): Add declare-function form for it.

* doc/misc/auth.texi (Help for users): Describe format to use for
client key/cert specification.

* doc/misc/emacs-gnutls.texi (Help For Developers): Describe usage of
optional plist argument.  Add crossreference to description of
.authinfo format for client key/cert specification.

* etc/NEWS: Describe new client certificate functionality for
  'open-network-stream'.
---
 doc/misc/auth.texi         |  9 ++++++
 doc/misc/emacs-gnutls.texi | 38 ++++++++++++++++++-------
 etc/NEWS                   |  7 +++++
 lisp/net/gnutls.el         | 57 +++++++++++++++++++++++++-------------
 lisp/net/network-stream.el |  4 +--
 5 files changed, 84 insertions(+), 31 deletions(-)

diff --git a/doc/misc/auth.texi b/doc/misc/auth.texi
index 495d9f53e1..ddfeabcba7 100644
--- a/doc/misc/auth.texi
+++ b/doc/misc/auth.texi
@@ -109,6 +109,15 @@ Help for users
 @code{auth-source-search} queries.  You can also use @code{login} and
 @code{account}.
 
+You can also use this file to specify client certificates to use when
+setting up TLS connections.  The format is:
+@example
+machine @var{mymachine} port @var{myport} key @var{key} cert @var{cert}
+@end example
+
+@var{key} and @var{cert} are filenames containing the key and
+certificate to use respectively.
+
 You can use spaces inside a password or other token by surrounding the
 token with either single or double quotes.
 
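
Review bot: The added paragraph gives the 'key'/'cert' line format but does not say when such a line is consulted. Going by the NEWS entry in this same patch, the lookup only happens when the caller passes ':client-certificate t', so a user who adds such a line may see no effect; a sentence saying so, or a @pxref to the emacs-gnutls node that documents the keyword, would close that gap. Since @var{key} names a private key file, it is also worth stating which file format is expected.
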
diff --git a/doc/misc/emacs-gnutls.texi b/doc/misc/emacs-gnutls.texi
index aae583c641..0e2a9764a1 100644
--- a/doc/misc/emacs-gnutls.texi
+++ b/doc/misc/emacs-gnutls.texi
@@ -179,17 +179,35 @@ Help For Developers
 You should not have to use the @file{gnutls.el} functions directly.
 But you can test them with @code{open-gnutls-stream}.
 
-@defun open-gnutls-stream name buffer host service &optional nowait
+@defun open-gnutls-stream name buffer host service &optional parameters
 This function creates a buffer connected to a specific @var{host} and
-@var{service} (port number or service name).  The parameters and their
-syntax are the same as those given to @code{open-network-stream}
-(@pxref{Network,, Network Connections, elisp, The Emacs Lisp Reference
-Manual}).  The connection process is called @var{name} (made unique if
-necessary).  This function returns the connection process.
-
-The @var{nowait} parameter means that the socket should be
-asynchronous, and the connection process will be returned to the
-caller before TLS negotiation has happened.
+@var{service} (port number or service name).  The mandatory arguments
+and their syntax are the same as those given to
+@code{open-network-stream} (@pxref{Network,, Network Connections,
+elisp, The Emacs Lisp Reference Manual}).  The connection process is
+called @var{name} (made unique if necessary).  This function returns
+the connection process.
+
+The optional @var{parameters} argument is a list of keywords and
+values.  The only keywords which currently have any effect are
+@code{:client-certificate} and @code{:nowait}.
+
+Passing @code{:client certificate t} triggers looking up of client
+certificates matching @var{host} and @var{service} using the
+'auth-source' library.  Any resulting client certificates are passed
+down to the lower TLS layers.  The format used by @file{.authinfo} to
+specify the per-server keys is described in @xref{Help for
+users,,auth-source, auth, Emacs auth-source Library}.
+
+Passing @code{:nowait t} means that the socket should be asynchronous,
+and the connection process will be returned to the caller before TLS
+negotiation has happened.
+
+For historical reasons @var{parameters} can also be a symbol, which is
+interpreted the same as passing a list containing @code{:nowait} and
+the value of that symbol.
+
+Example calls:
 
 @lisp
 ;; open a HTTPS connection
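
Review bot: In the sentence beginning 'Passing @code{:client certificate t}' the keyword is missing its hyphen; the paragraph just above it and the NEWS entry both spell it ':client-certificate'. A reader copying the text as written would pass ':client' and 'certificate' as two separate list elements, which is not the keyword the code looks up. The 'Example calls:' block that follows should also gain a call that uses the new plist form.
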
diff --git a/etc/NEWS b/etc/NEWS
index 3670ab5bf4..43997f8418 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -199,6 +199,13 @@ issued), you can either set 'network-security-protocol-checks' to nil,
 or adjust the elements in that variable to only happen on the 'high'
 security level (assuming you use the 'medium' level).
 
++++
+** Native GnuTLS connections can now use client certificates.
+Previously, this support was only available when using the external
+gnutls-cli command.  Call 'open-network-stream' with
+':client-certificate t' to trigger looking up of per-server
+certificates via 'auth-source'.
+
 +++
 ** New function 'fill-polish-nobreak-p', to be used in 'fill-nobreak-predicate'.
 It blocks line breaking after a one-letter word, also in the case when
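
Review bot: This entry mentions only 'open-network-stream', but the same patch changes the fifth argument of 'open-gnutls-stream' from NOWAIT to a PARAMETERS plist. That is a signature change for Lisp callers and deserves a line here, including the fact that a bare symbol is still accepted for compatibility. A pointer to the auth-source manual for the 'key'/'cert' line format would also help.
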
diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 78ac3fe35b..dae208e926 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -38,6 +38,9 @@
 (require 'cl-lib)
 (require 'puny)
 
+(declare-function network-stream-certificate "network-stream"
+                  (host service parameters))
+
 (defgroup gnutls nil
   "Emacs interface to the GnuTLS library."
   :version "24.1"
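
Review bot: 'declare-function' only silences the byte-compiler; it does not make 'network-stream-certificate' available at run time. Further down in this patch 'open-gnutls-stream' calls it in the 'let*' before the call to 'open-network-stream', so a direct call to 'open-gnutls-stream' in a session where network-stream.el has not been loaded would signal void-function unless the function is autoloaded. Please confirm that it is, or add an explicit require inside 'open-gnutls-stream'.
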
@@ -138,23 +141,25 @@ gnutls-min-prime-bits
                  (integer :tag "Number of bits" 512))
   :group 'gnutls)
 
-(defun open-gnutls-stream (name buffer host service &optional nowait)
+(defun open-gnutls-stream (name buffer host service &optional parameters)
   "Open a SSL/TLS connection for a service to a host.
 Returns a subprocess-object to represent the connection.
 Input and output work as for subprocesses; `delete-process' closes it.
 Args are NAME BUFFER HOST SERVICE.
 NAME is name for process.  It is modified if necessary to make it unique.
 BUFFER is the buffer (or `buffer-name') to associate with the process.
- Process output goes at end of that buffer, unless you specify
- a filter function to handle the output.
- BUFFER may be also nil, meaning that this process is not associated
- with any buffer
-Third arg is name of the host to connect to, or its IP address.
-Fourth arg SERVICE is name of the service desired, or an integer
+Process output goes at end of that buffer, unless you specify a
+filter function to handle the output.  BUFFER may be also nil,
+meaning that this process is not associated with any buffer
+Third arg HOST is the name of the host to connect to, or its IP address.
+Fourth arg SERVICE is the name of the service desired, or an integer
 specifying a port number to connect to.
-Fifth arg NOWAIT (which is optional) means that the socket should
-be opened asynchronously.  The connection process will be
-returned to the caller before TLS negotiation has happened.
+Fifth arg PARAMETERS is an optional list of keyword/value pairs.
+Only :client-certificate and :nowait keywords are recognized, and
+have the same meaning as for `open-network-stream'.
+For historical reasons PARAMETERS can also be a symbol, which is
+interpreted the same as passing a list containing :nowait and the
+value of that symbol.
 
 Usage example:
 
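
Review bot: The rewrapped sentence ending 'not associated with any buffer' has no final period, and the unchanged line 'Args are NAME BUFFER HOST SERVICE.' no longer lists every argument now that PARAMETERS is documented below it. The docstring also defers to 'open-network-stream' for the meaning of :client-certificate; one clause here saying that t means an auth-source lookup would save the reader a hop.
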
@@ -168,19 +173,33 @@ open-gnutls-stream
 documentation for the specific parameters you can use to open a
 GnuTLS connection, including specifying the credential type,
 trust and key files, and priority string."
-  (let ((process (open-network-stream
-                  name buffer host service
-                  :nowait nowait
-                  :tls-parameters
-                  (and nowait
-                       (cons 'gnutls-x509pki
-                             (gnutls-boot-parameters
-                              :type 'gnutls-x509pki
-                              :hostname (puny-encode-domain host)))))))
+  (let* ((parameters
+          (cond ((symbolp parameters)
+                 (list :nowait parameters))
+                ((not (cl-evenp (length parameters)))
+                 (error "Malformed keyword list"))
+                ((consp parameters)
+                 parameters)
+                (t
+                 (error "Unknown parameter type"))))
+         (cert (network-stream-certificate host service parameters))
+         (keylist (and cert (list cert)))
+         (nowait (plist-get parameters :nowait))
+         (process (open-network-stream
+                   name buffer host service
+                   :nowait nowait
+                   :tls-parameters
+                   (and nowait
+                        (cons 'gnutls-x509pki
+                              (gnutls-boot-parameters
+                               :type 'gnutls-x509pki
+                               :keylist keylist
+                               :hostname (puny-encode-domain host)))))))
     (if nowait
         process
       (gnutls-negotiate :process process
                         :type 'gnutls-x509pki
+                        :keylist keylist
                         :hostname (puny-encode-domain host)))))
 
 (define-error 'gnutls-error "GnuTLS error")
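
Review bot: In the 'cond' that normalises PARAMETERS, the '(not (cl-evenp (length parameters)))' clause runs before the 'consp' check, so it is applied to any non-symbol value. A string of odd length is reported as 'Malformed keyword list', a number makes 'length' signal wrong-type-argument, and the final 'Unknown parameter type' branch is only reached for even-length non-list sequences. Testing 'consp' first and checking the length inside that clause gives the intended errors. An ERT test that passes a stub key/cert pair and checks that it arrives in :keylist on both the :nowait path and the blocking path would also be welcome, since that is the behaviour this bug is about.
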
diff --git a/lisp/net/network-stream.el b/lisp/net/network-stream.el
index 98b2033790..1723931c67 100644
--- a/lisp/net/network-stream.el
+++ b/lisp/net/network-stream.el
@@ -196,7 +196,7 @@ open-network-stream
 	  (car result))))))
 
 (defun network-stream-certificate (host service parameters)
-  (let ((spec (plist-get :client-certificate parameters)))
+  (let ((spec (plist-get parameters :client-certificate)))
     (cond
      ((listp spec)
       ;; Either nil or a list with a key/certificate pair.
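
Review bot: 'network-stream-certificate' has no docstring and the patch adds no test for it, even though the swapped 'plist-get' arguments corrected here made it return nil for every caller. Please add a docstring describing the accepted values of :client-certificate (the comment shows nil or a key/certificate list) and a small ERT test that passes an explicit pair and checks that it comes back.
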
@@ -389,7 +389,7 @@ network-stream-open-tls
 	   (stream
             (if (gnutls-available-p)
                 (open-gnutls-stream name buffer host service
-                                    (plist-get parameters :nowait))
+                                    parameters)
               (require 'tls)
               (open-tls-stream name buffer host service)))
 	   (eoc (plist-get parameters :end-of-command)))
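
Review bot: With the whole plist forwarded, 'open-gnutls-stream' now validates it, so a caller of 'open-network-stream' whose keyword list has an odd number of elements gets a 'Malformed keyword list' error where the old '(plist-get parameters :nowait)' call was tolerant. That may be acceptable but should be a conscious choice. The 'open-tls-stream' fallback on the following lines still receives no parameters, so :client-certificate is silently ignored when 'gnutls-available-p' returns nil; a comment or a documented limitation would help.
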
-- 
2.19.1.816.gcd69ec8cde.dirty


--=-=-=--




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#33780; Package emacs. Full text available.

Message received at 33780 <at> debbugs.gnu.org:


Received: (at 33780) by debbugs.gnu.org; 21 Dec 2018 13:17:09 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Dec 21 08:17:09 2018
Received: from localhost ([127.0.0.1]:57220 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1gaKft-0002NQ-0R
	for submit <at> debbugs.gnu.org; Fri, 21 Dec 2018 08:17:09 -0500
Received: from mail-wm1-f45.google.com ([209.85.128.45]:51753)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <rpluim@HIDDEN>) id 1gaKfq-0002Ms-R5
 for 33780 <at> debbugs.gnu.org; Fri, 21 Dec 2018 08:17:07 -0500
Received: by mail-wm1-f45.google.com with SMTP id b11so5299155wmj.1
 for <33780 <at> debbugs.gnu.org>; Fri, 21 Dec 2018 05:17:06 -0800 (PST)
X-Received: by 2002:a1c:6e06:: with SMTP id j6mr2930205wmc.3.1545398220725;
 Fri, 21 Dec 2018 05:17:00 -0800 (PST)
Received: from rpluim-mac ([149.5.228.1])
 by smtp.gmail.com with ESMTPSA id b13sm15055440wrn.28.2018.12.21.05.16.59
 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
 Fri, 21 Dec 2018 05:16:59 -0800 (PST)
From: Robert Pluim <rpluim@HIDDEN>
To: Vinothan Shankar <darael@HIDDEN>
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always
 returns nil
References: <36f7918ec93135504092dc856a4490c846f6e947.camel@HIDDEN>
 <m2va3pa0xy.fsf@HIDDEN>
 <97b430dc5524473a7ed3af1b903644880db057ff.camel@HIDDEN>
 <m2r2ec9gvu.fsf@HIDDEN>
X-Debbugs-No-Ack: yes
Mail-Copies-To: never
Gmane-Reply-To-List: yes
Date: Fri, 21 Dec 2018 14:16:57 +0100
In-Reply-To: <m2r2ec9gvu.fsf@HIDDEN> (Robert Pluim's message of "Thu, 20
 Dec 2018 19:45:25 +0100")
Message-ID: <m2muoz9fzq.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 33780
Cc: 33780 <at> debbugs.gnu.org

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Robert Pluim <rpluim@HIDDEN> writes:

> Vinothan Shankar <darael@HIDDEN> writes:
>
>> OK, so a few minutes into the process of trying to do this, I came
>> across a snag: the syntax for using certificates in authinfo files
>> doesn't appear to be documented anywhere; I had to extract it from a
>> stackexchange question.  Docs bug, or lack of search-fu?  Moving on...
>
> Itʼs in the smtpmail info manual, node 'Encryption'. It is linked from
> the main Emacs manual, from the 'Mail Sending' node, but there appears
> to be no description of the syntax in the auth-source manual. Patches
> welcome :-)
>

I was looking there anyway, so I updated the manual.

Proposed patch attached. At this time it just enables taking into
account ':client-certificate t' in calls to 'open-network-stream' and
applying any client certificates found, it doesnʼt change the default
behaviour. Iʼll follow up on emacs-devel afterwards about that.


--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline;
 filename=0001-Check-for-client-certificates-when-using-GnuTLS.patch

From 2f13e12882a32246d9b1d57e111ad17e0773ff54 Mon Sep 17 00:00:00 2001
From: Robert Pluim <rpluim@HIDDEN>
Date: Fri, 21 Dec 2018 11:58:00 +0100
Subject: [PATCH] Check for client certificates when using GnuTLS
To: emacs-devel@HIDDEN

This fixes Bug#33780, and extends the documentation to describe how to
enable use of client certificates.

* lisp/net/network-stream.el (network-stream-certificate): Correct
order of parameters to plist-get.
(network-stream-open-tls): Pass all received parameters to
open-gnutls-stream, not just :nowait.

* lisp/net/gnutls.el (open-gnutls-stream): Add optional plist to
arglist.  Derive client certificate(s) and keys(s) from plist (maybe
via auth-source) and pass to gnutls-boot-parameters and
gnutls-negotiate.
(network-stream-certificate): Add declare-function form for it.

* doc/misc/auth.texi (Help for users): Describe format to use for
client key/cert specification.

* doc/misc/emacs-gnutls.texi (Help For Developers): Describe usage
of new optional plist argument.  Add crossref to description of
.authinfo format for client key/cert specification.

* etc/NEWS: Describe new client certificate functionality for
  'open-network-stream'
---
 doc/misc/auth.texi         |  9 +++++++++
 doc/misc/emacs-gnutls.texi | 12 +++++++++++-
 etc/NEWS                   |  7 +++++++
 lisp/net/gnutls.el         | 31 +++++++++++++++++++++----------
 lisp/net/network-stream.el |  5 +++--
 5 files changed, 51 insertions(+), 13 deletions(-)

diff --git a/doc/misc/auth.texi b/doc/misc/auth.texi
index fcbc83ead5..68b8553d58 100644
--- a/doc/misc/auth.texi
+++ b/doc/misc/auth.texi
@@ -109,6 +109,15 @@ Help for users
 @code{auth-source-search} queries.  You can also use @code{login} and
 @code{account}.
 
+You can also use this file to specify client certificates to use when
+setting up TLS connections.  The format is:
+@example
+machine @var{mymachine} port @var{myport} key "@var{key}" cert "@var{cert}"
+@end example
+
+@var{key} and @var{cert} are filenames containing the key and
+certificate to use respectively.
+
 You can use spaces inside a password or other token by surrounding the
 token with either single or double quotes.
 
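
Review bot: the sentence added after the @example says only that @var{key} and @var{cert} are filenames; it should also state the expected file encoding and what happens when an entry carries only one of the two tokens, so that a half-configured entry is not silently ignored. Since this line points at a private key, a short remark that the key file should be readable only by the user would fit here as well.
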
diff --git a/doc/misc/emacs-gnutls.texi b/doc/misc/emacs-gnutls.texi
index a690ccfcce..90c2d217e2 100644
--- a/doc/misc/emacs-gnutls.texi
+++ b/doc/misc/emacs-gnutls.texi
@@ -179,7 +179,7 @@ Help For Developers
 You should not have to use the @file{gnutls.el} functions directly.
 But you can test them with @code{open-gnutls-stream}.
 
-@defun open-gnutls-stream name buffer host service &optional nowait
+@defun open-gnutls-stream name buffer host service &optional nowait parameters
 This function creates a buffer connected to a specific @var{host} and
 @var{service} (port number or service name).  The parameters and their
 syntax are the same as those given to @code{open-network-stream}
@@ -191,6 +191,16 @@ Help For Developers
 asynchronous, and the connection process will be returned to the
 caller before TLS negotiation has happened.
 
+@var{parameters} is a plist which is currently checked only for
+@code{:client-certificate}.  Any resulting client certificates are
+passed down to the lower TLS layers.  Set @code{:client certificate t}
+to trigger looking up of the certificates using the auth-source
+library.  The format used by @file{.authinfo} to specify the
+per-server keys is described in @xref{Help for users,,auth-source,
+auth, Emacs auth-source Library}.
+
+Example calls:
+
 @lisp
 ;; open a HTTPS connection
 (open-gnutls-stream "tls" "tls-buffer" "yourserver.com" "https")
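
Review bot: in the new @var{parameters} paragraph, @code{:client certificate t} is missing its hyphen and should read @code{:client-certificate t}; a reader copying it verbatim gets a keyword that is never looked up. The cross-reference sits mid-sentence after "is described in", where @ref is the usual Texinfo command (@xref is meant to start a sentence), and the "Example calls" that follow show no call that uses the new argument.
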
diff --git a/etc/NEWS b/etc/NEWS
index 0624c5690b..74943fb2ff 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -199,6 +199,13 @@ issued), you can either set 'network-security-protocol-checks' to nil,
 or adjust the elements in that variable to only happen on the 'high'
 security level (assuming you use the 'medium' level).
 
++++
+** Native GnuTLS connections can now use client certificates.
+Previously, this support was only available when using the external
+gnutls-cli command.  Call 'open-network-stream' with
+':client-certificate t' to trigger looking up of per-server
+certificates via 'auth-source'.
+
 +++
 ** New function 'fill-polish-nobreak-p', to be used in 'fill-nobreak-predicate'.
 It blocks line breaking after a one-letter word, also in the case when
diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 315932b7e6..30f933fa48 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -38,6 +38,9 @@
 (require 'cl-lib)
 (require 'puny)
 
+(declare-function network-stream-certificate "network-stream"
+                  (host service parameters))
+
 (defgroup gnutls nil
   "Emacs interface to the GnuTLS library."
   :version "24.1"
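
Review bot: declare-function only tells the byte compiler that network-stream-certificate exists; it does not load network-stream.el. Nothing visible in this patch adds a require or an autoload, and the new let* in open-gnutls-stream calls the function before open-network-stream is reached, so a direct call to open-gnutls-stream in a session where network-stream.el has not been loaded would signal void-function unless the function is autoloaded elsewhere. Worth confirming, or adding an autoload cookie.
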
@@ -138,7 +141,7 @@ gnutls-min-prime-bits
                  (integer :tag "Number of bits" 512))
   :group 'gnutls)
 
-(defun open-gnutls-stream (name buffer host service &optional nowait)
+(defun open-gnutls-stream (name buffer host service &optional nowait parameters)
   "Open a SSL/TLS connection for a service to a host.
 Returns a subprocess-object to represent the connection.
 Input and output work as for subprocesses; `delete-process' closes it.
@@ -155,6 +158,10 @@ open-gnutls-stream
 Fifth arg NOWAIT (which is optional) means that the socket should
 be opened asynchronously.  The connection process will be
 returned to the caller before TLS negotiation has happened.
+Sixth arg PARAMETERS is an optional property list.  It is currently
+checked for :client-certificate only. This allows specifying the
+client certificates and keys used to set up the connection.
+See `open-network-stream' for a complete description.
 
 Usage example:
 
@@ -168,19 +175,23 @@ open-gnutls-stream
 documentation for the specific parameters you can use to open a
 GnuTLS connection, including specifying the credential type,
 trust and key files, and priority string."
-  (let ((process (open-network-stream
-                  name buffer host service
-                  :nowait nowait
-                  :tls-parameters
-                  (and nowait
-                       (cons 'gnutls-x509pki
-                             (gnutls-boot-parameters
-                              :type 'gnutls-x509pki
-                              :hostname (puny-encode-domain host)))))))
+  (let* ((cert (network-stream-certificate host service parameters))
+         (keylist (and cert (list cert)))
+         (process (open-network-stream
+                   name buffer host service
+                   :nowait nowait
+                   :tls-parameters
+                   (and nowait
+                        (cons 'gnutls-x509pki
+                              (gnutls-boot-parameters
+                               :type 'gnutls-x509pki
+                               :keylist keylist
+                               :hostname (puny-encode-domain host)))))))
     (if nowait
         process
       (gnutls-negotiate :process process
                         :type 'gnutls-x509pki
+                        :keylist keylist
                         :hostname (puny-encode-domain host)))))
 
 (define-error 'gnutls-error "GnuTLS error")
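
Review bot: when the caller asks for ':client-certificate t' and the lookup finds nothing, cert and keylist are both nil and the handshake goes ahead without a client certificate, with nothing logged. That is the same symptom this bug produced, so a debug message when a requested lookup comes back empty would let a user tell "no entry matched" apart from "the server rejected the certificate". Note also that the lookup in the let* runs before the process is created, so with NOWAIT set the caller waits for it before getting the process back.
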
diff --git a/lisp/net/network-stream.el b/lisp/net/network-stream.el
index a0589e25a4..26f92d5aa8 100644
--- a/lisp/net/network-stream.el
+++ b/lisp/net/network-stream.el
@@ -196,7 +196,7 @@ open-network-stream
 	  (car result))))))
 
 (defun network-stream-certificate (host service parameters)
-  (let ((spec (plist-get :client-certificate parameters)))
+  (let ((spec (plist-get parameters :client-certificate)))
     (cond
      ((listp spec)
       ;; Either nil or a list with a key/certificate pair.
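
Review bot: no test accompanies the corrected plist-get call, and the diffstat lists no test file. plist-get returns nil rather than signalling when its first argument is not a list, which is how the swapped arguments went unnoticed; a small ERT test that calls network-stream-certificate with an explicit key/certificate list and checks the return value would pin the behaviour.
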
@@ -389,7 +389,8 @@ network-stream-open-tls
 	   (stream
             (if (gnutls-available-p)
                 (open-gnutls-stream name buffer host service
-                                    (plist-get parameters :nowait))
+                                    (plist-get parameters :nowait)
+                                    parameters)
               (require 'tls)
               (open-tls-stream name buffer host service)))
 	   (eoc (plist-get parameters :end-of-command)))
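
Review bot: the fallback branch still calls open-tls-stream with only name, buffer, host and service, so when gnutls-available-p returns nil a requested ':client-certificate' is dropped without notice; either pass it through or document that the option applies to native GnuTLS only. The GnuTLS branch also now receives :nowait twice, once as the fifth argument and once inside parameters, where it is ignored; harmless, but worth a comment.
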
-- 
2.19.1.816.gcd69ec8cde.dirty






Information forwarded to bug-gnu-emacs@HIDDEN:
bug#33780; Package emacs. Full text available.

Message received at 33780 <at> debbugs.gnu.org:


From: Robert Pluim <rpluim@HIDDEN>
To: Vinothan Shankar <darael@HIDDEN>
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always
 returns nil
References: <36f7918ec93135504092dc856a4490c846f6e947.camel@HIDDEN>
 <m2va3pa0xy.fsf@HIDDEN>
 <97b430dc5524473a7ed3af1b903644880db057ff.camel@HIDDEN>
Date: Thu, 20 Dec 2018 19:45:25 +0100
In-Reply-To: <97b430dc5524473a7ed3af1b903644880db057ff.camel@HIDDEN>
 (Vinothan Shankar's message of "Thu, 20 Dec 2018 11:24:12 +0000")
Message-ID: <m2r2ec9gvu.fsf@HIDDEN>

Vinothan Shankar <darael@HIDDEN> writes:

> OK, so a few minutes into the process of trying to do this, I came
> across a snag: the syntax for using certificates in authinfo files
> doesn't appear to be documented anywhere; I had to extract it from a
> stackexchange question.  Docs bug, or lack of search-fu?  Moving on...

Itʼs in the smtpmail info manual, node 'Encryption'. It is linked from
the main Emacs manual, from the 'Mail Sending' node, but there appears
to be no description of the syntax in the auth-source manual. Patches
welcome :-)

> Results:
>
> Initial failure, but this is because I've been testing with ERC, which
> calls open-network-stream with ":nowait t".  If I add the ":keylist
> (and cert (list cert))" stanza to the other branch of open-gnutls-
> stream as well, in the gnutls-boot-parameters call, it works perfectly:
> Freenode picks up my identity even when I supply a blank password.

Thanks for testing. Iʼll update my patch (and write a ChangeLog, and a
NEWS entry).

By my count there are at least 11 calls to open-network-stream in
Emacs' sources which would need updating with ':client-certificate t'
in order to trigger transparent use of user-specified certificates.

By analogy to e.g. smtpmail looking up usernames and passwords by
default using auth-source, I think Emacs should do the same for
client-certificates by default. People without entries specifying
certificates would be unaffected, and third-party packages would not
need to be updated to take advantage of this new feature. Comments
welcome.

Robert




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#33780; Package emacs. Full text available.

Message received at 33780 <at> debbugs.gnu.org:


Message-ID: <97b430dc5524473a7ed3af1b903644880db057ff.camel@HIDDEN>
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always
 returns nil
From: Vinothan Shankar <darael@HIDDEN>
To: Robert Pluim <rpluim@HIDDEN>
Date: Thu, 20 Dec 2018 11:24:12 +0000
In-Reply-To: <m2va3pa0xy.fsf@HIDDEN>
References: <36f7918ec93135504092dc856a4490c846f6e947.camel@HIDDEN>
 <m2va3pa0xy.fsf@HIDDEN>

On Wed, 2018-12-19 at 18:19 +0100, Robert Pluim wrote:
> Could you apply the following patch, and test something like
> 
> (open-network-stream
>  "*tls*" (current-buffer) "server.example.com"
>  "443"
>  :type 'tls
>  :warn-unless-encrypted t
>  :return-list t
>  :client-certificate t)
> 
> with the appropriate entries in your .authinfo (replace the
> servername
> and port number as needed)? It works in my limited testing, and
> doesnʼt appear to have broken Gnus (but none of my TLS connections
> require client certificates).

OK, so a few minutes into the process of trying to do this, I came
across a snag: the syntax for using certificates in authinfo files
doesn't appear to be documented anywhere; I had to extract it from a
stackexchange question.  Docs bug, or lack of search-fu?  Moving on...

Results:

Initial failure, but this is because I've been testing with ERC, which
calls open-network-stream with ":nowait t".  If I add the ":keylist
(and cert (list cert))" stanza to the other branch of open-gnutls-
stream as well, in the gnutls-boot-parameters call, it works perfectly:
Freenode picks up my identity even when I supply a blank password.





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#33780; Package emacs. Full text available.

Message received at 33780 <at> debbugs.gnu.org:


From: Robert Pluim <rpluim@HIDDEN>
To: Vinothan Shankar <darael@HIDDEN>
Subject: Re: bug#33780: network-stream.el: network-stream-certificate always
 returns nil
References: <36f7918ec93135504092dc856a4490c846f6e947.camel@HIDDEN>
Date: Wed, 19 Dec 2018 18:19:53 +0100
Message-ID: <m2va3pa0xy.fsf@HIDDEN>
Cc: larsi@HIDDEN, 33780 <at> debbugs.gnu.org

Vinothan Shankar <darael@HIDDEN> writes:

> network-stream-certificate will *always* return nil, regardless of
> whether there actually is a client-certificate value-pair specified,
> because (plist-get :client-certificate parameters) is always nil.  This
> is because plist-get takes the plist as the first argument, and the key
> as the second; trying to find a list in a token is always going to be
> nil.
>
> This makes it impossible to use client certificates with Emacs's built-
> in network-stream support, at least without overriding functions.
>
> The error is in net/network-stream.el.  It has been there since the
> function was first written in 2011, according to git blame.

Yes. Lars?

> I surmise that this, in combination with there being no support for
> client certificates in network-stream-tls (though it's available in
> network-stream-starttls) is part of the reason there are so many
> conflicting guides on, for example, using client-certificate SASL with
> ERC.

Could you apply the following patch, and test something like

(open-network-stream
 "*tls*" (current-buffer) "server.example.com"
 "443"
 :type 'tls
 :warn-unless-encrypted t
 :return-list t
 :client-certificate t)

with the appropriate entries in your .authinfo (replace the servername
and port number as needed)? It works in my limited testing, and
doesnʼt appear to have broken Gnus (but none of my TLS connections
require client certificates).

It could be argued that this should all be transparent, i.e. we should
assume ":client-certificate t" unless itʼs explicitly nil, which would
avoid having to fix all the packages that just call
`open-network-stream', but that we can revisit once things actually
work.

diff --git i/lisp/gnus/nnimap.el w/lisp/gnus/nnimap.el
index 1a3b05ddb3..956c7144cb 100644
--- i/lisp/gnus/nnimap.el
+++ w/lisp/gnus/nnimap.el
@@ -456,6 +456,7 @@ nnimap-open-connection-1
                :always-query-capabilities t
 	       :end-of-command "\r\n"
 	       :success " OK "
+               :client-certificate t
 	       :starttls-function
 	       (lambda (capabilities)
 		 (when (string-match-p "STARTTLS" capabilities)
diff --git i/lisp/gnus/nntp.el w/lisp/gnus/nntp.el
index be9e495510..efb4912a8f 100644
--- i/lisp/gnus/nntp.el
+++ w/lisp/gnus/nntp.el
@@ -1266,6 +1266,7 @@ nntp-open-connection
 		     :end-of-command "^\\([2345]\\|[.]\\).*\n"
 		     :capability-command "HELP\r\n"
 		     :success "^3"
+                     :client-certificate t
 		     :starttls-function
 		     (lambda (capabilities)
 		       (if (not (string-match "STARTTLS" capabilities))
diff --git i/lisp/net/gnutls.el w/lisp/net/gnutls.el
index 315932b7e6..625f11caa5 100644
--- i/lisp/net/gnutls.el
+++ w/lisp/net/gnutls.el
@@ -38,6 +38,9 @@
 (require 'cl-lib)
 (require 'puny)
=20
+(declare-function network-stream-certificate "network-stream"
+                  (host service parameters))
+
 (defgroup gnutls nil
   "Emacs interface to the GnuTLS library."
   :version "24.1"
@@ -138,7 +141,7 @@ gnutls-min-prime-bits
                  (integer :tag "Number of bits" 512))
   :group 'gnutls)
=20
-(defun open-gnutls-stream (name buffer host service &optional nowait)
+(defun open-gnutls-stream (name buffer host service &optional parameters)
   "Open a SSL/TLS connection for a service to a host.
 Returns a subprocess-object to represent the connection.
 Input and output work as for subprocesses; `delete-process' closes it.
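
Review bot: replacing the optional NOWAIT argument with PARAMETERS changes the meaning of the fifth argument for existing callers. A caller that still passes t gets (plist-get t :nowait), which is nil, so the connection silently becomes synchronous. Keeping NOWAIT and appending PARAMETERS as a sixth optional argument would stay compatible.
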
@@ -152,9 +155,14 @@ open-gnutls-stream
 Third arg is name of the host to connect to, or its IP address.
 Fourth arg SERVICE is name of the service desired, or an integer
 specifying a port number to connect to.
-Fifth arg NOWAIT (which is optional) means that the socket should
-be opened asynchronously.  The connection process will be
-returned to the caller before TLS negotiation has happened.
+Fifth arg PARAMETERS is a property list.  It is currently checked for:
+
+    :nowait which means that the socket should be opened
+    asynchronously.  The connection process will be returned to
+    the caller before TLS negotiation has happened.
+
+    :client-certificate which allows the specification of
+    client certificates and keys to use to set up the connection.
=20
 Usage example:
=20
@@ -168,19 +176,22 @@ open-gnutls-stream
 documentation for the specific parameters you can use to open a
 GnuTLS connection, including specifying the credential type,
 trust and key files, and priority string."
-  (let ((process (open-network-stream
-                  name buffer host service
-                  :nowait nowait
-                  :tls-parameters
-                  (and nowait
-                       (cons 'gnutls-x509pki
-                             (gnutls-boot-parameters
-                              :type 'gnutls-x509pki
-                              :hostname (puny-encode-domain host)))))))
+  (let* ((cert (network-stream-certificate host service parameters))
+         (nowait (plist-get parameters :nowait))
+         (process (open-network-stream
+                   name buffer host service
+                   :nowait nowait
+                   :tls-parameters
+                   (and nowait
+                        (cons 'gnutls-x509pki
+                              (gnutls-boot-parameters
+                               :type 'gnutls-x509pki
+                               :hostname (puny-encode-domain host)))))))
     (if nowait
         process
       (gnutls-negotiate :process process
                         :type 'gnutls-x509pki
+                        :keylist (and cert (list cert))
                         :hostname (puny-encode-domain host)))))
=20
 (define-error 'gnutls-error "GnuTLS error")
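
Review bot: :keylist is added to the gnutls-negotiate call only; the gnutls-boot-parameters call in the nowait branch above it is unchanged, so asynchronous connections negotiate without the client certificate. Compute the keylist once in the let* and pass it in both places.
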
diff --git i/lisp/net/network-stream.el w/lisp/net/network-stream.el
index a0589e25a4..8b813eef2c 100644
--- i/lisp/net/network-stream.el
+++ w/lisp/net/network-stream.el
@@ -196,7 +196,7 @@ open-network-stream
 	  (car result))))))
=20
 (defun network-stream-certificate (host service parameters)
-  (let ((spec (plist-get :client-certificate parameters)))
+  (let ((spec (plist-get parameters :client-certificate)))
     (cond
      ((listp spec)
       ;; Either nil or a list with a key/certificate pair.
@@ -389,7 +389,7 @@ network-stream-open-tls
 	   (stream
             (if (gnutls-available-p)
                 (open-gnutls-stream name buffer host service
-                                    (plist-get parameters :nowait))
+                                    parameters)
               (require 'tls)
               (open-tls-stream name buffer host service)))
 	   (eoc (plist-get parameters :end-of-command)))




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#33780; Package emacs. Full text available.
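
The failure mode reported in this bug, written out as an added example that is not part of the thread or of the Emacs sources: swapped `plist-get` arguments return nil without signalling, and a pair of ERT tests that would have caught it. Every `example-` name, the lookup stub standing in for the auth-source query, and the file paths are assumptions constructed for illustration.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example, not Emacs source.  Every `example-' name and every file
;; path below is constructed for illustration.
(require 'ert)

(defun example-spec-swapped (parameters)
  "Read :client-certificate with the arguments in the pre-fix order."
  ;; The keyword lands in the PLIST slot.  `plist-get' returns nil for a
  ;; first argument that is not a list instead of signalling, so nothing
  ;; ever reports the mistake.
  (plist-get :client-certificate parameters))

(defun example-spec-fixed (parameters)
  "Read :client-certificate with PARAMETERS in the PLIST slot."
  (plist-get parameters :client-certificate))

(defun example-keylist (spec lookup host service)
  "Return a GnuTLS-style :keylist value for SPEC, or nil.
SPEC is nil, a (KEY CERT) list, or t.  For t, LOOKUP stands in for the
auth-source query: it is called with HOST and SERVICE and returns
\(KEY CERT) or nil."
  (let ((pair (if (eq spec t)
                  (funcall lookup host service)
                (and (listp spec) spec))))
    ;; The keylist is a list of (KEY CERT) pairs, hence the extra wrapping.
    (and pair (list pair))))

(defconst example-pair
  '("/constructed/client.key" "/constructed/client.crt")
  "Constructed key and certificate file names.")

(ert-deftest example-swapped-arguments-fail-silently ()
  (let ((params (list :nowait t :client-certificate example-pair)))
    ;; No error, just nil: the certificate is never found.
    (should-not (example-spec-swapped params))
    (should (equal (example-spec-fixed params) example-pair))))

(ert-deftest example-keylist-covers-each-spec ()
  (let ((lookup (lambda (host service)
                  (and (equal host "server.example.com")
                       (equal service "443")
                       example-pair))))
    ;; Explicit pair: passed through, wrapped once; the lookup is unused.
    (should (equal (example-keylist example-pair lookup "h" "1")
                   (list example-pair)))
    ;; t with a matching entry: the pair comes from the lookup.
    (should (equal (example-keylist t lookup "server.example.com" "443")
                   (list example-pair)))
    ;; t with no matching entry, or no spec at all: nil, so the
    ;; handshake would carry no client certificate.
    (should-not (example-keylist t lookup "other.example.com" "443"))
    (should-not (example-keylist nil lookup "server.example.com" "443"))))
```

Saved as a file, the tests run with `emacs -Q --batch -l FILE -f ert-run-tests-batch-and-exit`.
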

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 17 Dec 2018 19:16:30 +0000
Message-ID: <36f7918ec93135504092dc856a4490c846f6e947.camel@HIDDEN>
Subject: network-stream.el: network-stream-certificate always returns nil
From: Vinothan Shankar <darael@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Date: Mon, 17 Dec 2018 19:02:08 +0000


network-stream-certificate will *always* return nil, regardless of
whether there actually is a client-certificate value-pair specified,
because (plist-get :client-certificate parameters) is always nil.  This
is because plist-get takes the plist as the first argument, and the key
as the second; trying to find a list in a token is always going to be
nil.

This makes it impossible to use client certificates with Emacs's
built-in network-stream support, at least without overriding functions.

The error is in net/network-stream.el.  It has been there since the
function was first written in 2011, according to git blame.

I surmise that this, in combination with there being no support for
client certificates in network-stream-tls (though it's available in
network-stream-starttls) is part of the reason there are so many
conflicting guides on, for example, using client-certificate SASL with 
ERC.
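
The failure described in this report is silent because `plist-get` does not signal an error when its first argument is not a list. The following ERT regression tests are an added example, not part of the report or of Emacs's own test suite; the test names, host, port and file paths are constructed, and the second test assumes the `(listp spec)` clause returns the list unchanged.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example: regression tests for the argument-order bug in bug#33780.
;; Run with: emacs -Q --batch -l this-file.el -f ert-run-tests-batch-and-exit
(require 'ert)
(require 'network-stream)

;; Constructed sample parameters; the paths need not exist because
;; `network-stream-certificate' only looks the value up, it opens nothing.
(defconst bug33780-pair '("/tmp/example-client.key" "/tmp/example-client.crt"))
(defconst bug33780-params
  (list :type 'tls :client-certificate bug33780-pair))

(ert-deftest bug33780-swapped-plist-get-is-silent ()
  "Swapped arguments give nil with no error, which is why the bug went unnoticed."
  ;; Key passed where the plist belongs: a keyword is not a list, result is nil.
  (should-not (plist-get :client-certificate bug33780-params))
  ;; Correct order: plist first, key second.
  (should (equal (plist-get bug33780-params :client-certificate)
                 bug33780-pair)))

(ert-deftest bug33780-certificate-returns-configured-pair ()
  "An explicit key/certificate list must come back from the lookup.
Assumption: the `listp' clause returns the list as given."
  (should (equal (network-stream-certificate "irc.example.org" 6697
                                             bug33780-params)
                 bug33780-pair)))

(ert-deftest bug33780-certificate-nil-when-not-configured ()
  "Without :client-certificate the lookup must return nil."
  (should-not (network-stream-certificate "irc.example.org" 6697
                                          '(:type tls))))
```

With the swapped argument order the second test fails while the other two pass, which separates "no certificate configured" from "certificate configured but dropped".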





Acknowledgement sent to Vinothan Shankar <darael@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#33780; Package emacs. Full text available.
Last modified: Thu, 24 Jan 2019 10:45:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.