emacs-circe / circe

Circe, a Client for IRC in Emacs
GNU General Public License v3.0

No warning when SSL certificate expired #405

Closed hendursaga closed 2 years ago

hendursaga commented 2 years ago

A few days into using Circe, all of a sudden I couldn't connect to ZNC, more specifically, over TLS. After a frustrating amount of time, apparently my ZNC provider's SSL certificate expired and nobody noticed. After hanging indefinitely, I set irc-debug-log to t and restarted, which did not show any logs whatsoever, as nothing was connected to at that stage. It would be helpful to alert the user when an SSL certificate is expired or invalid.

hendursaga commented 2 years ago

On a related note, what would be a good workaround, assuming you cannot immediately change over the certs? Could you, say, pin the SSL fingerprints? Or even ignore SSL validation errors entirely?

wasamasa commented 2 years ago

The main difficulty with TLS issues is reproducing them. If you have a recipe for how to set up or connect to an existing IRC server with an expired cert, that would help.

Regarding errors, on Emacs 26.1 and newer, make-network-process is used in combination with gnutls-boot-parameters to launch a process using the GnuTLS library. There are intentionally no parameters set to let GnuTLS perform the verification, instead this is done by NSM if available, precisely to display warnings about expired certificates and allow the user to ignore them. What you've described should therefore not happen in the first place and workarounds shouldn't be necessary either.

hendursaga commented 2 years ago

> If you have a recipe for how to set up or connect to an existing IRC server with an expired cert

Sadly no, not yet, at any rate. My ZNC provider is getting better at catching certificate expirations before they occur, so I'm not sure when's the next time I'd be unintentionally hung from said error.

hendursaga commented 2 years ago

> this is done by NSM if available, precisely to display warnings about expired certificates and allow the user to ignore them.

Turns out, Doom sets gnutls-verify-error to t; setting it to nil brings up a prompt and then I can pin my expired cert. You may close this if you want.
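As an added illustration (not Circe's own code), the following Emacs Lisp shows the connection setup wasamasa describes, make-network-process plus gnutls-boot-parameters with no verification options so NSM does the checking, together with the gnutls-verify-error effect found above. HOST and PORT are placeholders; the sentinel and the example- function names are this example's own.

```elisp
;; Added example, not code from the Circe project. Opens an IRC-over-TLS
;; connection the way the thread describes: GnuTLS is handed no verification
;; options, so certificate checking is left to NSM, which is what produces
;; the "expired certificate" prompt. HOST/PORT are placeholders.
(require 'gnutls)
(require 'nsm)
(require 'subr-x)

(defun example-irc-tls-connect (host port)
  "Connect to HOST:PORT over TLS, deferring certificate checks to NSM."
  (let ((params (gnutls-boot-parameters :type 'gnutls-x509pki
                                        :hostname host)))
    (make-network-process
     :name (format "irc-tls-%s" host)
     :host host
     :service port
     :nowait t
     :tls-parameters (cons 'gnutls-x509pki params)
     ;; The sentinel is this example's addition: report a failed handshake
     ;; instead of leaving the connection hanging with no message.
     :sentinel #'example-irc-tls-sentinel)))

(defun example-irc-tls-sentinel (proc event)
  "Report what happened to PROC so a TLS failure is visible to the user."
  (message "TLS connection %s: %s (status %s)"
           (process-name proc) (string-trim event) (process-status proc)))

;; The two settings the thread uncovers. gnutls-boot-parameters takes its
;; :verify-error default from gnutls-verify-error. With it non-nil (as Doom
;; sets it), GnuTLS itself rejects an expired certificate during the
;; handshake and NSM never gets to show its prompt; with nil (the Emacs
;; default), the handshake completes and NSM at network-security-level
;; 'medium or higher warns about the expired certificate and lets the user
;; decide. Keeping NSM's check is preferable to ignoring errors wholesale.
(defun example-connect-with-nsm-prompt (host port)
  "Connect letting NSM, not GnuTLS, decide about certificate problems."
  (let ((gnutls-verify-error nil)
        (network-security-level 'medium))
    (example-irc-tls-connect host port)))
```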

wasamasa commented 2 years ago

Interesting, I didn't expect this at all. Yet another example of your Emacs configuration being an unexpected culprit. I see three consequences arising from this:

Therefore I'll keep this open for now.