As a workaround for the bug/feature of openssl for not failing on a certificate verification error one might use gnutls_cli (package gnutls-bin) instead.
,----
| (setq ssl-program-name "gnutls-cli")
| (setq ssl-program-arguments
|       '("--port" service "--x509cafile" "/etc/ssl/certs/ca-certificates.crt"
|         host))
`----
Setting the --x509cafile is hereby crucial: unless the --insecure
option is given on the command line gnutls refuses to establish a
connection with an endpoint whose identity cannot be checked.
Making gnutls the default seems reasonable to me and as far as my
experience with openssl vs. gnutls goes they are equivalent.[1]
The big problem would be a significant change in behaviour: Connections
that worked up to now because ssl.el/openssl silently ignored errors
will not work unless the user takes steps to fix the problematic use of
SSL that was facilitated by s_client and therefore should be considered
the normal usage.
Pointing to the system wide --x509cafile may ease this problem with
regard to endpoints whose certificate is digitally signed by a CA
present in /etc/ssl/certs/ca-certificates.crt. But I fear that a lot
of local setups will break.
Maybe make the wl-beta and wl packages additionally suggest
gnutls-bin as an alternative to openssl as a first step?
-- David
[1] The only problem I encountered so far was gnutls refusing to
connect to an endpoint that offered a session encryption key that was
considered too small by gnutls, a problem that was quickly solved by
the admin of the endpoint.
--
OpenPGP... 0x99ADB83B5A4478E6
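The switch to gnutls-cli described in the message above, as an added example that is not part of the original post: it only changes ssl.el's settings when gnutls-cli is installed and the CA bundle is readable, and otherwise leaves the openssl default alone and says why. The variable name my-ssl-ca-bundle is an assumption, and the snippet relies on ssl.el evaluating each element of ssl-program-arguments, as the original snippet's use of the bare symbols service and host already does.

```elisp
;; Added example, not from the original message.
(defvar my-ssl-ca-bundle "/etc/ssl/certs/ca-certificates.crt"
  "CA bundle handed to gnutls-cli via --x509cafile (assumed name).")

(cond
 ;; No gnutls-cli: keep the openssl s_client default, but say so,
 ;; because that default does not fail on certificate verification errors.
 ((not (executable-find "gnutls-cli"))
  (message "gnutls-cli not found; ssl.el keeps using openssl s_client, which ignores certificate verification errors"))
 ;; Without a readable CA bundle gnutls-cli cannot verify any peer and,
 ;; lacking --insecure, would refuse every connection.
 ((not (file-readable-p my-ssl-ca-bundle))
  (message "CA bundle %s not readable; not switching ssl.el to gnutls-cli" my-ssl-ca-bundle))
 ;; Both present: the configuration from the message, with the bundle
 ;; path taken from the variable (evaluated by ssl.el like service/host).
 (t
  (setq ssl-program-name "gnutls-cli"
        ssl-program-arguments
        '("--port" service "--x509cafile" my-ssl-ca-bundle host))))
```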