I have the host chat.deshackra.com pointing to tigase.im (with a CNAME entry), and I want to use the starttls connection type for my jabber.el account; however, the connection fails:

gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange has been lowered to 256 bits and this may allow decryption of the session data

jorge@chat.deshackra.com/emacs: connection lost: `STARTTLS negotiation failed: Certificate validation failed chat.deshackra.com, verification code 66'

So, how can I set gnutls-verify-error to ignore any error for my domain name?

EDIT: If I disable any encryption at all, I get this message:

Connecting to chat.deshackra.com:5222...
STARTTLS encryption required, but disabled/non-functional at our end

and my account is not connected.

legoscia
shackra

1 Answer

As jabber.el started using the GnuTLS facility of Emacs before the variable gnutls-verify-error existed, it uses its own variable jabber-invalid-certificate-servers. That variable contains a list of all servers for which certificate errors should be ignored. Try this:

(setq jabber-invalid-certificate-servers '("chat.deshackra.com"))
legoscia
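
Before listing a server in jabber-invalid-certificate-servers, it helps to know which certificate check failed. The following is an added example, not part of the original answer or of jabber.el: it decodes the verification code from the error line in the question, assuming that number is the GnuTLS certificate status bitmask (gnutls_certificate_status_t); the my/ names are hypothetical helpers.

```elisp
;; Added example. The my/ names are hypothetical and not part of jabber.el.
;; Assumption: the "verification code" is the GnuTLS certificate status
;; bitmask. Only a subset of the flags is listed here.
(defconst my/gnutls-cert-status-flags
  '((2    . "GNUTLS_CERT_INVALID: certificate is not trusted")
    (32   . "GNUTLS_CERT_REVOKED: certificate has been revoked")
    (64   . "GNUTLS_CERT_SIGNER_NOT_FOUND: issuer is not a known CA")
    (128  . "GNUTLS_CERT_SIGNER_NOT_CA: issuer is not a CA")
    (256  . "GNUTLS_CERT_INSECURE_ALGORITHM: insecure signature algorithm")
    (512  . "GNUTLS_CERT_NOT_ACTIVATED: certificate is not yet valid")
    (1024 . "GNUTLS_CERT_EXPIRED: certificate has expired"))
  "Subset of GnuTLS certificate status bits, as (BIT . DESCRIPTION).")

(defun my/gnutls-decode-status (code)
  "Return descriptions for the status bits set in CODE.
Bits missing from `my/gnutls-cert-status-flags' are reported by value."
  (let ((remaining code)
        (found '()))
    (dolist (flag my/gnutls-cert-status-flags)
      (when (/= 0 (logand code (car flag)))
        (push (cdr flag) found)
        ;; Clear the bit so that only unrecognised bits are left over.
        (setq remaining (- remaining (car flag)))))
    (when (/= 0 remaining)
      (push (format "unknown bits: %d" remaining) found))
    (nreverse found)))

(defun my/gnutls-explain-error (message)
  "Extract host and verification code from MESSAGE and decode the code.
Return (HOST CODE DESCRIPTIONS), or nil if MESSAGE holds no such error."
  (when (string-match
         (concat "Certificate validation failed \\([^, ]+\\), "
                 "verification code \\([0-9]+\\)")
         message)
    (let ((host (match-string 1 message))
          (code (string-to-number (match-string 2 message))))
      (list host code (my/gnutls-decode-status code)))))

;; The error line from the question, evaluated e.g. in *scratch*.
(my/gnutls-explain-error
 (concat "STARTTLS negotiation failed: Certificate validation failed "
         "chat.deshackra.com, verification code 66"))
```

Knowing which bits are set shows exactly what is being waived for that server once it is added to the list.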