recommendations for storage of accepted certificates

Ted Zlatanov tzz at
Thu Oct 7 16:59:00 CEST 2010

On Thu, 07 Oct 2010 09:17:10 +0200 Nikos Mavrogiannopoulos <nmav at> wrote: 

NM> On 10/05/2010 12:54 PM, Ted Zlatanov wrote:

>> Also, rather than setting the
>> verify_flags, it seems cleaner to use these priority string options in
>> Emacs Lisp: 
>> "%VERIFY_ALLOW_SIGN_RSA_MD5" will allow RSA-MD5 signatures in certificate chains.
>> "%VERIFY_ALLOW_X509_V1_CA_CRT" will allow V1 CAs in chains.
>> ...but all the verify_flags are not available this way.  Can this be
>> changed or is that intentional?  If it's intentional I'll provide all
>> those flags as API options since I can imagine we'll need them.

NM> It is intentional. You have to pick the default flags for the subsystem
NM> that you're building, and some flags that related to key strength can
NM> be overriden with a priority string.

NM> The flags are not supposed to be used by an end-user.

See below...

>> 3) emacs_gnutls_verify: verify the host name (this will be optional):

NM> Why optional? This as important as everything else.

In the context of Emacs, I think it makes sense: I'm providing an API
wrapper at the ELisp level and not a complete SSL/TLS interface.  So
there can be some applications or users that find it necessary to
disable the host name check.  I'll make the default to verify, of

Similarly for the verify_flags, the application or user may need a
specific subset.  So I'll provide them as options if they are not
available in the priority string.

If you think either of these is going to cause problems, let me know.  

I tend to err on the side of configurability because of it's a strong
tradition throughout the Emacs editor and the Emacs community.

>> 4) emacs_gnutls_verify: load $CERTSTORE/HOSTNAME.pem for the current
>> hostname.  If it's equivalent to the server's presented certificate (is
>> there a certificate_equals() function or do I just use memcmp?), the
>> verification passes and return approved.

NM> You mean to compare strings? You can compare them as you would compare
NM> two UTF-8 strings, no special function is required.

OK.  I didn't know that was sufficient.


More information about the Gnutls-devel mailing list