2 Help For Users

From the user’s perspective, there’s nothing to the GnuTLS integration. It Just Works for any Emacs Lisp code that uses open-protocol-stream or open-network-stream (see Network Connections in The Emacs Lisp Reference Manual). The two functions are equivalent, the first one being an alias of the second.

There’s one way to find out if GnuTLS is available, by calling gnutls-available-p. This is a little bit trickier on the W32 (Windows) platform, but if you have the GnuTLS DLLs (available from https://sourceforge.net/projects/ezwinports/files/ thanks to Eli Zaretskii) in the same directory as Emacs, you should be OK.

Function: gnutls-available-p

This function returns non-nil if GnuTLS is available in this instance of Emacs, nil otherwise. If GnuTLS is available, the value is a list of GnuTLS capabilities supported by the installed GnuTLS library, which depends on the library version. The meaning of the capabilities is documented in the doc string of this function.

Oh, but sometimes things go wrong. Budgets aren’t balanced, television ads lie, and even TLS and SSL connections can fail to work properly. Well, there’s something to be done in the last case.

Variable: gnutls-log-level

The gnutls-log-level variable sets the log level. 1 is verbose. 2 is very verbose. 5 is crazy. Crazy! Set it to 1 or 2 and look in the *Messages* buffer for the debugging information.

Variable: gnutls-algorithm-priority

The gnutls-algorithm-priority variable sets the GnuTLS priority string. This is global, not per host name (although gnutls-negotiate supports a priority string per connection so it could be done if needed). For details see the GnuTLS documentation and the GnuTLS priority string syntax and description.

Variable: gnutls-trustfiles

The gnutls-trustfiles variable is a list of trustfiles (certificates for the issuing authorities). This is global, not per host name (although gnutls-negotiate supports a trustfile per connection so it could be done if needed). The trustfiles can be in PEM or DER format and examples can be found in most Unix distributions. By default the following locations are tried in this order: /etc/ssl/certs/ca-certificates.crt for Debian, Ubuntu, Gentoo and Arch Linux; /etc/pki/tls/certs/ca-bundle.crt for Fedora and RHEL; /etc/ssl/ca-bundle.pem for SUSE; /usr/ssl/certs/ca-bundle.crt for Cygwin; /usr/local/share/certs/ca-root-nss.crt for FreeBSD. You can easily customize gnutls-trustfiles to be something else, but let us know if you do, so we can make the change to benefit the other users of that platform.

Variable: gnutls-verify-error

The gnutls-verify-error variable allows you to verify SSL/TLS server certificates for all connections or by host name. It defaults to nil for now but will likely be changed to t later, meaning that all certificates will be verified.

Two checks are currently available: that the certificate has been issued by a trusted authority as defined by gnutls-trustfiles, and that the host name matches the certificate. t enables both checks, but you can enable them individually as well with :trustfiles and :hostname instead.

Because of the low-level interactions with the GnuTLS library, there is currently no way to ask interactively whether a certificate should be accepted. You have to look in the *Messages* buffer.
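As an added example (not code from the Emacs manual or from gnutls.el), here is an init-file function that applies the settings described for gnutls-trustfiles and gnutls-verify-error: it checks gnutls-available-p, keeps only the trust files that actually exist on the machine, turns on verification, and raises the log level so failures show up in *Messages*. The function names, the example host names and the priority string are assumptions for illustration; the per-host list shape is my reading of the gnutls-verify-error doc string, so confirm it with C-h v gnutls-verify-error.

```elisp
;;; Added example, not part of the Emacs manual.  Names prefixed with
;;; `my/' and the host names are made up for illustration.

(require 'gnutls)
(require 'seq)

(defun my/gnutls-setup ()
  "Enable certificate verification and keep only readable trust files."
  (interactive)
  ;; `gnutls-available-p' returns nil when this Emacs was built without
  ;; GnuTLS (or, on W32, the DLLs were not found); otherwise a list of
  ;; capabilities of the installed library.
  (let ((caps (gnutls-available-p)))
    (unless caps
      (error "GnuTLS is not available in this Emacs"))
    (message "GnuTLS capabilities: %S" caps))
  ;; Keep only the trust bundles present on this machine.  With
  ;; verification enabled and no readable bundle, every :trustfiles
  ;; check (and therefore every connection) would fail.
  (let ((readable (seq-filter #'file-readable-p gnutls-trustfiles)))
    (if readable
        (setq gnutls-trustfiles readable)
      (warn "No readable trust file in %S; issuer checks cannot pass"
            gnutls-trustfiles)))
  ;; Verify both the issuer chain and the host name on every connection.
  (setq gnutls-verify-error t)
  ;; GnuTLS priority string (assumed here): strong ciphers only and no
  ;; legacy protocol versions.  Adjust if a server you need refuses it.
  (setq gnutls-algorithm-priority "SECURE128:-VERS-TLS1.0:-VERS-TLS1.1")
  ;; Level 1 is enough to see verification failures in *Messages*.
  (setq gnutls-log-level 1))

;; Alternative to `t': checks per host name.  The shape
;; ((HOST-REGEXP FLAGS) ...), with FLAGS either t or a list of
;; :trustfiles / :hostname, follows my reading of the doc string of
;; `gnutls-verify-error'; treat it as an assumption.
(defun my/gnutls-verify-per-host ()
  "Full checks for *.example.com, host-name check only for *.example.net."
  (interactive)
  (setq gnutls-verify-error
        '(("\\.example\\.com\\'" t)
          ("\\.example\\.net\\'" (:hostname)))))
```

Call my/gnutls-setup from your init file (or with M-x) before the first open-network-stream; if a connection then fails, the reason is in *Messages* because gnutls-log-level is 1.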

Variable: gnutls-min-prime-bits

The gnutls-min-prime-bits variable is a pretty exotic customization for cases where you want to refuse handshakes with keys under a specific size. If you don’t know for sure that you need it, you don’t. Leave it nil.