やるきなし

2017/04/25 12:22 / Wanderlust+IMAP/SSL w/emacs24 24.5+1-10

When emacs24 was upgraded to 24.5+1-10 on Debian GNU/Linux unstable (sid), openssl s_client stopped being used, as described below.

[/usr/share/doc/emacs24-common/changelog.Debian.gz]
* Don't offer/use openssl s_client by default: "s_client is a debug
  tool, it does not set up a secure connection, it ignores all
  errors and just continues.  It also doesn't do checks it should be
  doing.  This is all documented behaviour." -- Kurt Roeckx
  Add these patches to fix the problem:
    0028-IMAP-connections-no-longer-use-openssl-s_client.patch
    0029-openssl-s_client-is-no-longer-a-default-for-ssl-conn.patch
  Thanks to Kurt Roeckx for reporting the issue. (Closes: #766397)

Probably as a result of this, Wanderlust's IMAP/SSL started using gnutls-cli and could no longer connect to the server.

% gnutls-cli --port XXXXX localhost
Processed 173 CA certificate(s).
Resolving 'localhost:XXXXX'...
Connecting to '::1:XXXXX'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `EMAIL=postmaster@example.com,CN=localhost,OU=Automatically-generated IMAP SSL key,O=Courier Mail Server,L=New York,ST=NY,C=US', issuer `EMAIL=postmaster@example.com,CN=localhost,OU=Automatically-generated IMAP SSL key,O=Courier Mail Server,L=New York,ST=NY,C=US', serial 0x.................., RSA key 4096 bits, signed using RSA-SHA1, activated `2015-03-.. ..:..:.. UTC', expires `2016-03-.. ..:..:.. UTC', key-ID `sha256:........'
        Public Key ID:
                sha1:........
                sha256:........
        Public key's random art:
(snip)

- Status: The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses expired certificate. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.

Wanderlust calls /usr/share/emacs/24.5/lisp/net/tls.el.gz, where the gnutls-cli arguments are defined as follows.

(defcustom tls-program
  '("gnutls-cli --x509cafile %t -p %p %h"   ; %t: trust (CA) file, %p: port, %h: host
    "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3")
  ;; snip (rest of the form omitted)
  )

So I resolved it by writing the following in ~/.wl. Since I use my own server through a port forward, --insecure is fine for now.

(setq tls-program '("gnutls-cli --insecure --x509cafile %t -p %p %h"))
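A verification-preserving alternative to the --insecure line above, added here as an example and not part of the original post: instead of disabling checks, point gnutls-cli at a CA file that contains only the IMAP server's own self-signed certificate. It assumes the server's certificate has been renewed (the one in the log above expired in 2016, so pinning that copy would still fail) and copied to ~/.emacs.d/imap-localhost.pem, a path chosen for this example.

```elisp
;; Example only (not from the original post): pin the IMAP server's own
;; self-signed certificate instead of passing --insecure.
(require 'tls)   ; defines tls-program and open-tls-stream

;; Assumption: the renewed server certificate (PEM) was copied from the server
;; to this path; the file name is arbitrary for this example.
(defvar my-imap-ca-file (expand-file-name "~/.emacs.d/imap-localhost.pem")
  "PEM file holding only the IMAP server's certificate, used as the trust root.")

;; tls.el substitutes %p with the port and %h with the host; %t is not used here
;; because the trust file is given explicitly.  Verification stays enabled, so a
;; changed or expired server certificate makes the connection fail instead of
;; being silently accepted.
(setq tls-program
      (if (file-readable-p my-imap-ca-file)
          (list (format "gnutls-cli --x509cafile %s -p %%p %%h"
                        (shell-quote-argument my-imap-ca-file)))
        ;; No pinned certificate available: keep the default program list
        ;; (system CA bundle via %t) and say so, rather than fall back to
        ;; --insecure.
        (progn
          (message "Pinned IMAP certificate %s not found; keeping default tls-program"
                   my-imap-ca-file)
          tls-program)))
```

Because the tunnel is reached as localhost and the certificate's CN is localhost, the host name in the command matches the pinned certificate.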