;; By Simon Josefsson 2001-05-06
;; See http://josefsson.org/emacs-security/

(require 'ssl)

(defvar starttls-host nil)

(defun starttls-negotiate (process)
  (nss-init (expand-file-name ssl-certdb-path))
  (nss-setdomesticpolicy)
  (ssl-cipherprefsetdefault ssl-rsa-with-null-md5 t)
  (ssl-importfd nil process)
  (ssl-seturl process starttls-host)
  (ssl-optionset process ssl-security t)
  (ssl-optionset process ssl-handshake-as-client t)
  (ssl-badcerthook process 'ssl-simple-badcerthook 42)
  (ssl-resethandshake process nil)
  (ssl-forcehandshake process)
  process)

(defun starttls-open-stream (name buffer host service)
  "Open a TLS connection for a service to a host.
Returns a subprocess-object to represent the connection.
Input and output work as for subprocesses; `delete-process' closes it.
Args are NAME BUFFER HOST SERVICE.
NAME is name for process.  It is modified if necessary to make it unique.
BUFFER is the buffer (or `buffer-name') to associate with the process.
 Process output goes at end of that buffer, unless you specify
 an output stream or filter function to handle the output.
 BUFFER may be also nil, meaning that this process is not associated
 with any buffer
Third arg is name of the host to connect to, or its IP address.
Fourth arg SERVICE is name of the service desired, or an integer
specifying a port number to connect to."
  (prog1
      (open-network-stream name buffer host service)
    (set (make-variable-buffer-local 'starttls-host) host)))

(provide 'starttls)