[bpt/emacs.git] / lisp / net / tls.el

;;; tls.el --- TLS/SSL support via wrapper around GnuTLS

;; Copyright (C) 1996, 1997, 1998, 1999, 2002, 2003, 2004,
;;   2005, 2006, 2007, 2008 Free Software Foundation, Inc.

;; Author: Simon Josefsson <simon@josefsson.org>
;; Keywords: comm, tls, gnutls, ssl

;; This file is part of GNU Emacs.

;; GNU Emacs is free software: you can redistribute it and/or modify
;; it under the terms of the GNU General Public License as published by
;; the Free Software Foundation, either version 3 of the License, or
;; (at your option) any later version.

;; GNU Emacs is distributed in the hope that it will be useful,
;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;; GNU General Public License for more details.

;; You should have received a copy of the GNU General Public License
;; along with GNU Emacs.  If not, see <http://www.gnu.org/licenses/>.

;;; Commentary:

;; This package implements a simple wrapper around "gnutls-cli" to
;; make Emacs support TLS/SSL.
;;
;; Usage is the same as `open-network-stream', i.e.:
;;
;; (setq tmp (open-tls-stream "test" (current-buffer) "news.mozilla.org" 563))
;; ...
;; #<process test>
;; (process-send-string tmp "mode reader\n")
;; 200 secnews.netscape.com Netscape-Collabra/3.52 03615 NNRP ready ...
;; nil
;; (process-send-string tmp "quit\n")
;; 205
;; nil

;; To use this package as a replacement for ssl.el by William M. Perry
;; <wmperry@cs.indiana.edu>, you need to evaluate the following:
;;
;; (defalias 'open-ssl-stream 'open-tls-stream)

;;; Code:

(eval-and-compile
  (autoload 'format-spec "format-spec")
  (autoload 'format-spec-make "format-spec"))

(defgroup tls nil
  "Transport Layer Security (TLS) parameters."
  :group 'comm)

(defcustom tls-end-of-info
  (concat
   "\\("
   ;; `openssl s_client' regexp.  See ssl/ssl_txt.c lines 219-220.
   ;; According to apps/s_client.c line 1515 `---' is always the last
   ;; line that is printed by s_client before the real data.
   "^    Verify return code: .+\n---\n\\|"
   ;; `gnutls' regexp. See src/cli.c lines 721-.
   "^- Simple Client Mode:\n"
   "\\(\n\\|"                           ; ignore blank lines
   ;; According to GnuTLS v2.1.5 src/cli.c lines 640-650 and 705-715
   ;; in `main' the handshake will start after this message.  If the
   ;; handshake fails, the programs will abort.
   "^\\*\\*\\* Starting TLS handshake\n\\)*"
   "\\)")
  "Regexp matching end of TLS client informational messages.
Client data stream begins after the last character matched by
this.  The default matches `openssl s_client' (version 0.9.8c)
and `gnutls-cli' (version 2.0.1) output."
  :version "22.2"
  :type 'regexp
  :group 'tls)

(defcustom tls-program '("gnutls-cli -p %p %h"
			 "gnutls-cli -p %p %h --protocols ssl3"
			 "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
  "List of strings containing commands to start TLS stream to a host.
Each entry in the list is tried until a connection is successful.
%h is replaced with server hostname, %p with port to connect to.
The program should read input on stdin and write output to
stdout.

See `tls-checktrust' on how to check trusted root certs.

Also see `tls-success' for what the program should output after
successful negotiation."
  :type
  '(choice
    (list :tag "Choose commands"
	  :value
	  ("gnutls-cli -p %p %h"
	   "gnutls-cli -p %p %h --protocols ssl3"
	   "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
	  (set :inline t
	       ;; FIXME: add brief `:tag "..."' descriptions.
	       ;; (repeat :inline t :tag "Other" (string))
	       ;; See `tls-checktrust':
	       (const "gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h")
	       (const "gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3")
	       (const "openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof")
	       ;; No trust check:
	       (const "gnutls-cli -p %p %h")
	       (const "gnutls-cli -p %p %h --protocols ssl3")
	       (const "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"))
	  (repeat :inline t :tag "Other" (string)))
    (const :tag "Default list of commands"
	   ("gnutls-cli -p %p %h"
	    "gnutls-cli -p %p %h --protocols ssl3"
	    "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"))
    (list :tag "List of commands"
	  (repeat :tag "Command" (string))))
  :version "22.1"
  :group 'tls)

(defcustom tls-process-connection-type nil
  "Value for `process-connection-type' to use when starting TLS process."
  :version "22.1"
  :type 'boolean
  :group 'tls)

(defcustom tls-success "- Handshake was completed\\|SSL handshake has read "
  "Regular expression indicating completed TLS handshakes.
The default is what GNUTLS's \"gnutls-cli\" or OpenSSL's
\"openssl s_client\" outputs."
  :version "22.1"
  :type 'regexp
  :group 'tls)

(defcustom tls-checktrust nil
  "Indicate if certificates should be checked against trusted root certs.
If this is `ask', the user can decide whether to accept an
untrusted certificate.  You may have to adapt `tls-program' in
order to make this feature work properly, i.e., to ensure that
the external program knows about the root certificates you
consider trustworthy, e.g.:

\(setq tls-program
      '(\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h\"
	\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3\"
	\"openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof\"))"
  :type '(choice (const :tag "Always" t)
		 (const :tag "Never" nil)
		 (const :tag "Ask" ask))
  :version "23.1" ;; No Gnus
  :group 'tls)

(defcustom tls-untrusted
  "- Peer's certificate is NOT trusted\\|Verify return code: \\([^0] \\|.[^ ]\\)"
  "Regular expression indicating failure of TLS certificate verification.
The default is what GNUTLS's \"gnutls-cli\" or OpenSSL's
\"openssl s_client\" return in the event of unsuccessful
verification."
  :type 'regexp
  :version "23.1" ;; No Gnus
  :group 'tls)

(defcustom tls-hostmismatch
  "# The hostname in the certificate does NOT match"
  "Regular expression indicating a host name mismatch in certificate.
When the host name specified in the certificate doesn't match the
name of the host you are connecting to, gnutls-cli issues a
warning to this effect.  There is no such feature in openssl.  Set
this to nil if you want to ignore host name mismatches."
  :type 'regexp
  :version "23.1" ;; No Gnus
  :group 'tls)

(defcustom tls-certtool-program (executable-find "certtool")
  "Name of  GnuTLS certtool.
Used by `tls-certificate-information'."
  :version "22.1"
  :type 'string
  :group 'tls)

(defun tls-certificate-information (der)
  "Parse X.509 certificate in DER format into an assoc list."
  (let ((certificate (concat "-----BEGIN CERTIFICATE-----\n"
			     (base64-encode-string der)
			     "\n-----END CERTIFICATE-----\n"))
	(exit-code 0))
    (with-current-buffer (get-buffer-create " *certtool*")
      (erase-buffer)
      (insert certificate)
      (setq exit-code (condition-case ()
			  (call-process-region (point-min) (point-max)
					       tls-certtool-program
					       t (list (current-buffer) nil) t
					       "--certificate-info")
			(error -1)))
      (if (/= exit-code 0)
	  nil
	(let ((vals nil))
	  (goto-char (point-min))
	  (while (re-search-forward "^\\([^:]+\\): \\(.*\\)" nil t)
	    (push (cons (match-string 1) (match-string 2)) vals))
	  (nreverse vals))))))

(defun open-tls-stream (name buffer host port)
  "Open a TLS connection for a port to a host.
Returns a subprocess-object to represent the connection.
Input and output work as for subprocesses; `delete-process' closes it.
Args are NAME BUFFER HOST PORT.
NAME is name for process.  It is modified if necessary to make it unique.
BUFFER is the buffer (or buffer name) to associate with the process.
 Process output goes at end of that buffer, unless you specify
 an output stream or filter function to handle the output.
 BUFFER may be also nil, meaning that this process is not associated
 with any buffer
Third arg is name of the host to connect to, or its IP address.
Fourth arg PORT is an integer specifying a port to connect to."
  (let ((cmds tls-program)
	(use-temp-buffer (null buffer))
	process	cmd done)
    (if use-temp-buffer
	(setq buffer (generate-new-buffer " TLS")))
    (with-current-buffer buffer
      (message "Opening TLS connection to `%s'..." host)
      (while (and (not done) (setq cmd (pop cmds)))
	(message "Opening TLS connection with `%s'..." cmd)
	(let ((process-connection-type tls-process-connection-type)
	      response)
	  (setq process (start-process
			 name buffer shell-file-name shell-command-switch
			 (format-spec
			  cmd
			  (format-spec-make
			   ?h host
			   ?p (if (integerp port)
				  (int-to-string port)
				port)))))
	  (while (and process
		      (memq (process-status process) '(open run))
		      (progn
			(goto-char (point-min))
			(not (setq done (re-search-forward
					 tls-success nil t)))))
	    (unless (accept-process-output process 1)
	      (sit-for 1)))
	  (message "Opening TLS connection with `%s'...%s" cmd
		   (if done "done" "failed"))
	  (if (not done)
	      (delete-process process)
	    ;; advance point to after all informational messages that
	    ;; `openssl s_client' and `gnutls' print
	    (let ((start-of-data nil))
	      (while
		  (not (setq start-of-data
			     ;; the string matching `tls-end-of-info'
			     ;; might come in separate chunks from
			     ;; `accept-process-output', so start the
			     ;; search where `tls-success' ended
			     (save-excursion
			       (if (re-search-forward tls-end-of-info nil t)
				   (match-end 0)))))
		(accept-process-output process 1))
	      (if start-of-data
		  ;; move point to start of client data
		  (goto-char start-of-data)))
	    (setq done process))))
      (when (and done
		 (or
		  (and tls-checktrust
		       (save-excursion
			 (goto-char (point-min))
			 (re-search-forward tls-untrusted nil t))
		       (or
			(and (not (eq tls-checktrust 'ask))
			     (message "The certificate presented by `%s' is \
NOT trusted." host))
			(not (yes-or-no-p
			      (format "The certificate presented by `%s' is \
NOT trusted. Accept anyway? " host)))))
		  (and tls-hostmismatch
		       (save-excursion
			 (goto-char (point-min))
			 (re-search-forward tls-hostmismatch nil t))
		       (not (yes-or-no-p
			     (format "Host name in certificate doesn't \
match `%s'. Connect anyway? " host))))))
	(setq done nil)
	(delete-process process)))
    (message "Opening TLS connection to `%s'...%s"
	     host (if done "done" "failed"))
    (when use-temp-buffer
      (if done (set-process-buffer process nil))
      (kill-buffer buffer))
    done))

(provide 'tls)

;; arch-tag: 5596d1c4-facc-4bc4-94a9-9863b928d7ac
;;; tls.el ends here
Commit	Line	Data
01b2d1dd SJ	1	;;; tls.el --- TLS/SSL support via wrapper around GnuTLS
01b2d1dd SJ	2
5fd6d89f	3	;; Copyright (C) 1996, 1997, 1998, 1999, 2002, 2003, 2004,
2f043267	4	;; 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
01b2d1dd SJ	5
	6	;; Author: Simon Josefsson <simon@josefsson.org>
	7	;; Keywords: comm, tls, gnutls, ssl
	8
	9	;; This file is part of GNU Emacs.
	10
874a927a	11	;; GNU Emacs is free software: you can redistribute it and/or modify
01b2d1dd	12	;; it under the terms of the GNU General Public License as published by
874a927a GM	13	;; the Free Software Foundation, either version 3 of the License, or
874a927a GM	14	;; (at your option) any later version.
01b2d1dd SJ	15
	16	;; GNU Emacs is distributed in the hope that it will be useful,
	17	;; but WITHOUT ANY WARRANTY; without even the implied warranty of
874a927a	18	;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
01b2d1dd SJ	19	;; GNU General Public License for more details.
	20
	21	;; You should have received a copy of the GNU General Public License
874a927a	22	;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
01b2d1dd SJ	23
	24	;;; Commentary:
	25
	26	;; This package implements a simple wrapper around "gnutls-cli" to
	27	;; make Emacs support TLS/SSL.
	28	;;
	29	;; Usage is the same as `open-network-stream', i.e.:
	30	;;
	31	;; (setq tmp (open-tls-stream "test" (current-buffer) "news.mozilla.org" 563))
	32	;; ...
	33	;; #<process test>
	34	;; (process-send-string tmp "mode reader\n")
	35	;; 200 secnews.netscape.com Netscape-Collabra/3.52 03615 NNRP ready ...
	36	;; nil
	37	;; (process-send-string tmp "quit\n")
	38	;; 205
	39	;; nil
	40
	41	;; To use this package as a replacement for ssl.el by William M. Perry
	42	;; <wmperry@cs.indiana.edu>, you need to evaluate the following:
	43	;;
	44	;; (defalias 'open-ssl-stream 'open-tls-stream)
	45
	46	;;; Code:
	47
	48	(eval-and-compile
	49	(autoload 'format-spec "format-spec")
	50	(autoload 'format-spec-make "format-spec"))
	51
	52	(defgroup tls nil
	53	"Transport Layer Security (TLS) parameters."
	54	:group 'comm)
	55
59c95dc2	56	(defcustom tls-end-of-info
cd6db47c GM	57	(concat
	58	"\\("
	59	;; `openssl s_client' regexp. See ssl/ssl_txt.c lines 219-220.
	60	;; According to apps/s_client.c line 1515 `---' is always the last
	61	;; line that is printed by s_client before the real data.
	62	"^ Verify return code: .+\n---\n\\\|"
	63	;; `gnutls' regexp. See src/cli.c lines 721-.
	64	"^- Simple Client Mode:\n"
	65	"\\(\n\\\|" ; ignore blank lines
2cddada0	66	;; According to GnuTLS v2.1.5 src/cli.c lines 640-650 and 705-715
7b63c073	67	;; in `main' the handshake will start after this message. If the
2cddada0	68	;; handshake fails, the programs will abort.
cd6db47c GM	69	"^\\\\\\* Starting TLS handshake\n\\)*"
cd6db47c GM	70	"\\)")
59c95dc2 GM	71	"Regexp matching end of TLS client informational messages.
	72	Client data stream begins after the last character matched by
	73	this. The default matches `openssl s_client' (version 0.9.8c)
	74	and `gnutls-cli' (version 2.0.1) output."
	75	:version "22.2"
	76	:type 'regexp
	77	:group 'tls)
	78
01b2d1dd	79	(defcustom tls-program '("gnutls-cli -p %p %h"
3031d8b0	80	"gnutls-cli -p %p %h --protocols ssl3"
d55fe5bb	81	"openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
01b2d1dd SJ	82	"List of strings containing commands to start TLS stream to a host.
01b2d1dd SJ	83	Each entry in the list is tried until a connection is successful.
4a3c7686	84	%h is replaced with server hostname, %p with port to connect to.
01b2d1dd	85	The program should read input on stdin and write output to
b890d447 MB	86	stdout.
	87
	88	See `tls-checktrust' on how to check trusted root certs.
	89
	90	Also see `tls-success' for what the program should output after
	91	successful negotiation."
	92	:type
	93	'(choice
	94	(list :tag "Choose commands"
	95	:value
	96	("gnutls-cli -p %p %h"
	97	"gnutls-cli -p %p %h --protocols ssl3"
d55fe5bb	98	"openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
b890d447 MB	99	(set :inline t
	100	;; FIXME: add brief `:tag "..."' descriptions.
	101	;; (repeat :inline t :tag "Other" (string))
	102	;; See `tls-checktrust':
	103	(const "gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h")
	104	(const "gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3")
d55fe5bb	105	(const "openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof")
b890d447 MB	106	;; No trust check:
	107	(const "gnutls-cli -p %p %h")
	108	(const "gnutls-cli -p %p %h --protocols ssl3")
d55fe5bb	109	(const "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"))
b890d447 MB	110	(repeat :inline t :tag "Other" (string)))
	111	(const :tag "Default list of commands"
	112	("gnutls-cli -p %p %h"
	113	"gnutls-cli -p %p %h --protocols ssl3"
d55fe5bb	114	"openssl s_client -connect %h:%p -no_ssl2 -ign_eof"))
b890d447 MB	115	(list :tag "List of commands"
b890d447 MB	116	(repeat :tag "Command" (string))))
3031d8b0	117	:version "22.1"
01b2d1dd SJ	118	:group 'tls)
	119
	120	(defcustom tls-process-connection-type nil
b890d447	121	"Value for `process-connection-type' to use when starting TLS process."
bf247b6e	122	:version "22.1"
01b2d1dd SJ	123	:type 'boolean
	124	:group 'tls)
	125
3031d8b0	126	(defcustom tls-success "- Handshake was completed\\\|SSL handshake has read "
b890d447	127	"Regular expression indicating completed TLS handshakes.
3031d8b0 MB	128	The default is what GNUTLS's \"gnutls-cli\" or OpenSSL's
3031d8b0 MB	129	\"openssl s_client\" outputs."
bf247b6e	130	:version "22.1"
01b2d1dd SJ	131	:type 'regexp
	132	:group 'tls)
	133
b890d447 MB	134	(defcustom tls-checktrust nil
	135	"Indicate if certificates should be checked against trusted root certs.
	136	If this is `ask', the user can decide whether to accept an
	137	untrusted certificate. You may have to adapt `tls-program' in
	138	order to make this feature work properly, i.e., to ensure that
	139	the external program knows about the root certificates you
	140	consider trustworthy, e.g.:
	141
	142	\(setq tls-program
	143	'(\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h\"
	144	\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3\"
d55fe5bb	145	\"openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof\"))"
b890d447 MB	146	:type '(choice (const :tag "Always" t)
	147	(const :tag "Never" nil)
	148	(const :tag "Ask" ask))
dd22fbf6	149	:version "23.1" ;; No Gnus
b890d447 MB	150	:group 'tls)
	151
	152	(defcustom tls-untrusted
	153	"- Peer's certificate is NOT trusted\\\|Verify return code: \\([^0] \\\|.[^ ]\\)"
	154	"Regular expression indicating failure of TLS certificate verification.
	155	The default is what GNUTLS's \"gnutls-cli\" or OpenSSL's
	156	\"openssl s_client\" return in the event of unsuccessful
	157	verification."
	158	:type 'regexp
dd22fbf6	159	:version "23.1" ;; No Gnus
b890d447 MB	160	:group 'tls)
	161
	162	(defcustom tls-hostmismatch
	163	"# The hostname in the certificate does NOT match"
	164	"Regular expression indicating a host name mismatch in certificate.
	165	When the host name specified in the certificate doesn't match the
	166	name of the host you are connecting to, gnutls-cli issues a
	167	warning to this effect. There is no such feature in openssl. Set
	168	this to nil if you want to ignore host name mismatches."
	169	:type 'regexp
dd22fbf6	170	:version "23.1" ;; No Gnus
b890d447 MB	171	:group 'tls)
b890d447 MB	172
18965008 SJ	173	(defcustom tls-certtool-program (executable-find "certtool")
	174	"Name of GnuTLS certtool.
	175	Used by `tls-certificate-information'."
bf247b6e	176	:version "22.1"
9bdd0e16	177	:type 'string
18965008 SJ	178	:group 'tls)
	179
	180	(defun tls-certificate-information (der)
	181	"Parse X.509 certificate in DER format into an assoc list."
	182	(let ((certificate (concat "-----BEGIN CERTIFICATE-----\n"
	183	(base64-encode-string der)
	184	"\n-----END CERTIFICATE-----\n"))
	185	(exit-code 0))
	186	(with-current-buffer (get-buffer-create " certtool")
	187	(erase-buffer)
	188	(insert certificate)
	189	(setq exit-code (condition-case ()
	190	(call-process-region (point-min) (point-max)
	191	tls-certtool-program
	192	t (list (current-buffer) nil) t
	193	"--certificate-info")
	194	(error -1)))
	195	(if (/= exit-code 0)
	196	nil
	197	(let ((vals nil))
	198	(goto-char (point-min))
	199	(while (re-search-forward "^\\([^:]+\\): \\(.*\\)" nil t)
	200	(push (cons (match-string 1) (match-string 2)) vals))
	201	(nreverse vals))))))
	202
3031d8b0 MB	203	(defun open-tls-stream (name buffer host port)
3031d8b0 MB	204	"Open a TLS connection for a port to a host.
01b2d1dd SJ	205	Returns a subprocess-object to represent the connection.
01b2d1dd SJ	206	Input and output work as for subprocesses; `delete-process' closes it.
3031d8b0	207	Args are NAME BUFFER HOST PORT.
01b2d1dd	208	NAME is name for process. It is modified if necessary to make it unique.
b890d447	209	BUFFER is the buffer (or buffer name) to associate with the process.
01b2d1dd SJ	210	Process output goes at end of that buffer, unless you specify
	211	an output stream or filter function to handle the output.
	212	BUFFER may be also nil, meaning that this process is not associated
	213	with any buffer
	214	Third arg is name of the host to connect to, or its IP address.
3031d8b0	215	Fourth arg PORT is an integer specifying a port to connect to."
0ad32c54 CY	216	(let ((cmds tls-program)
	217	(use-temp-buffer (null buffer))
	218	process cmd done)
	219	(if use-temp-buffer
	220	(setq buffer (generate-new-buffer " TLS")))
cd6db47c	221	(with-current-buffer buffer
59c95dc2 GM	222	(message "Opening TLS connection to `%s'..." host)
	223	(while (and (not done) (setq cmd (pop cmds)))
	224	(message "Opening TLS connection with `%s'..." cmd)
	225	(let ((process-connection-type tls-process-connection-type)
	226	response)
	227	(setq process (start-process
	228	name buffer shell-file-name shell-command-switch
	229	(format-spec
	230	cmd
	231	(format-spec-make
	232	?h host
	233	?p (if (integerp port)
	234	(int-to-string port)
	235	port)))))
	236	(while (and process
	237	(memq (process-status process) '(open run))
	238	(progn
	239	(goto-char (point-min))
0a4d4654 GM	240	(not (setq done (re-search-forward
0a4d4654 GM	241	tls-success nil t)))))
59c95dc2 GM	242	(unless (accept-process-output process 1)
	243	(sit-for 1)))
	244	(message "Opening TLS connection with `%s'...%s" cmd
	245	(if done "done" "failed"))
0a4d4654 GM	246	(if (not done)
	247	(delete-process process)
	248	;; advance point to after all informational messages that
	249	;; `openssl s_client' and `gnutls' print
	250	(let ((start-of-data nil))
	251	(while
ea666a77 RS	252	(not (setq start-of-data
	253	;; the string matching `tls-end-of-info'
	254	;; might come in separate chunks from
	255	;; `accept-process-output', so start the
	256	;; search where `tls-success' ended
	257	(save-excursion
	258	(if (re-search-forward tls-end-of-info nil t)
	259	(match-end 0)))))
0a4d4654 GM	260	(accept-process-output process 1))
	261	(if start-of-data
	262	;; move point to start of client data
	263	(goto-char start-of-data)))
ea666a77	264	(setq done process))))
0a4d4654 GM	265	(when (and done
	266	(or
	267	(and tls-checktrust
	268	(save-excursion
	269	(goto-char (point-min))
	270	(re-search-forward tls-untrusted nil t))
	271	(or
	272	(and (not (eq tls-checktrust 'ask))
	273	(message "The certificate presented by `%s' is \
	274	NOT trusted." host))
	275	(not (yes-or-no-p
	276	(format "The certificate presented by `%s' is \
	277	NOT trusted. Accept anyway? " host)))))
	278	(and tls-hostmismatch
	279	(save-excursion
	280	(goto-char (point-min))
	281	(re-search-forward tls-hostmismatch nil t))
	282	(not (yes-or-no-p
	283	(format "Host name in certificate doesn't \
	284	match `%s'. Connect anyway? " host))))))
	285	(setq done nil)
	286	(delete-process process)))
	287	(message "Opening TLS connection to `%s'...%s"
	288	host (if done "done" "failed"))
0ad32c54	289	(when use-temp-buffer
b7131d2f	290	(if done (set-process-buffer process nil))
0ad32c54	291	(kill-buffer buffer))
01b2d1dd SJ	292	done))
	293
	294	(provide 'tls)
	295
cbee283d	296	;; arch-tag: 5596d1c4-facc-4bc4-94a9-9863b928d7ac
01b2d1dd	297	;;; tls.el ends here