unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#20078: imap with openssl
From: William F Hammond @ 2015-03-11  2:31 UTC
  To: 20078

I've been using imap with openssl happily for about 15 years.

Recently it stopped working with a very well-known mail host.  A friend who
is usually on top of these things tells me that there is a vulnerability
named "poodle" when using the -ssl3 option of openssl s_client and one
should now have at the top of the list
imap-ssl-program (in imap.el) the following:

         "openssl s_client -quiet -tls1 -connect %s:%p"

He hastens to point out that the option -tls1 does not mean that one is
using tls rather than ssl -- a statement that means little to me.

Meanwhile, without the latest imap.el one can patch this easily enough in
.gnus by cons-ing the new string into imap-ssl-program AFTER manually
loading imap.

-- 
William F Hammond
Email: gellmu@gmail.com
https://www.facebook.com/william.f.hammond
http://www.albany.edu/~hammond
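
Added example, not part of the original message and not code from imap.el: the .gnus workaround described above, extended to also drop the -ssl2/-ssl3 templates so that a failed TLS attempt cannot fall back to them. It assumes an imap.el that still defines imap-ssl-program as a command template string, or a list of them tried in order; the my/ names are hypothetical.

```elisp
;; Added example for ~/.gnus (not from imap.el).
;; Assumption: imap.el still defines `imap-ssl-program' as a command
;; template string, or a list of them tried in order.
(require 'imap)   ; load first, so the defaults exist before we edit them

(defvar my/imap-tls-command            ; hypothetical name
  "openssl s_client -quiet -tls1 -connect %s:%p"
  "Command template quoted in the bug report.")

(defun my/imap-prefer-tls (programs)   ; hypothetical helper
  "Return PROGRAMS with the TLS command first and SSLv2/SSLv3 entries removed.
PROGRAMS is a command template string or a list of such strings."
  (let ((kept '()))
    (dolist (cmd (if (listp programs) programs (list programs)))
      ;; Drop templates that force SSLv2 or SSLv3, and any duplicate of
      ;; the TLS command so it appears exactly once.
      (unless (or (string-match "\\(^\\| \\)-ssl[23]\\( \\|$\\)" cmd)
                  (string= cmd my/imap-tls-command))
        (push cmd kept)))
    (cons my/imap-tls-command (nreverse kept))))

(setq imap-ssl-program (my/imap-prefer-tls imap-ssl-program))
```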

* bug#20078: imap with openssl
From: Glenn Morris @ 2015-03-11 17:33 UTC
  To: William F Hammond; +Cc: 20078


Thanks for the report.
I think basically what you are talking about is the same as

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766397

which was forwarded to emacs-devel, which is a great way to ensure
things get lost, so it's good to have an actual bug report for it now.

The discussion is here, but AFAICS nothing actually happened:
http://lists.gnu.org/archive/html/emacs-devel/2014-10/msg00803.html





* bug#20078: imap with openssl
From: William F Hammond @ 2015-03-11 18:47 UTC
  To: Glenn Morris; +Cc: 20078

On Wed, Mar 11, 2015 at 10:33 AM, Glenn Morris <rgm@gnu.org> wrote:

>
> Thanks for the report.
> I think basically what you are talking about is the same as
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766397
>
> which was forwarded to emacs-devel, which is a great way to ensure
> things get lost, so it's good to have an actual bug report for it now.
>
> The discussion is here, but AFAICS nothing actually happened:
> http://lists.gnu.org/archive/html/emacs-devel/2014-10/msg00803.html
>

Debian is not really the place to talk about this kind of issue for
emacs/gnus.

But I note in the Debian thread that Richard Stallman, based on his
reading, made the same point about avoiding the options ssl3 and ssl2 with
s_client though he did not ask for the abandonment of s_client or of
imap.el.

There's discussion in those threads about whether 'anyone' still uses
imap.el and its calls to external openssl.  It arises, for example, when
using mail-sources with, say, nnmbox.

My 'crisis' arose in a sun/solaris system where neither starttls nor gnutls
is available.  It seems that starttls is now no longer maintained (for
cause) and, in my case, gnutls is not easy to build from source because of
recursive library dependencies.  But openssl is available.

Would it make sense for emacs to incorporate gnutls?  That way one could be
sure for a given build of emacs that it would work with gnutls.

-- 
William F Hammond
Email: gellmu@gmail.com
https://www.facebook.com/william.f.hammond
http://www.albany.edu/~hammond/

* bug#20078: imap with openssl
From: Glenn Morris @ 2015-03-11 18:59 UTC
  To: William F Hammond; +Cc: 20078

William F Hammond wrote:

> Would it make sense for emacs to incorporate gnutls?

You mean, bundle it?
No, bundling libraries is terrible eg wrt security updates.





* bug#20078: imap with openssl
From: Stefan Monnier @ 2015-03-12 14:24 UTC
  To: William F Hammond; +Cc: 20078

> There's discussion in those threads about whether 'anyone' still uses
> imap.el and its calls to external openssl.  It arises, for example, when
> using mail-sources with, say, nnmbox.

I consider imap.el's use of an external process to be a bug.

> My 'crisis' arose in a sun/solaris system where neither starttls nor gnutls
> is available.  It seems that starttls is now no longer maintained (for
> cause) and, in my case, gnutls is not easy to build from source because of
> recursive library dependencies.

Hmm... we're definitely moving in the direction of requiring libgnutls
when building Emacs.

> Would it make sense for emacs to incorporate gnutls?

No, there be dragons.

> That way one could be sure for a given build of emacs that it would
> work with gnutls.

That would just mean that you wouldn't be able to build Emacs without
first solving the "recursive library dependencies".

But yes, I encourage you to try and solve these gnutls build problems,


        Stefan





* bug#20078: imap with openssl
From: Lars Ingebrigtsen @ 2015-12-26 20:48 UTC
  To: Stefan Monnier; +Cc: William F Hammond, 20078

Stefan Monnier <monnier@iro.umontreal.ca> writes:

>> There's discussion in those threads about whether 'anyone' still uses
>> imap.el and its calls to external openssl.  It arises, for example, when
>> using mail-sources with, say, nnmbox.
>
> I consider imap.el's use of an external process to be a bug.

I've now changed imap.el to use open-network-stream and removed all the
variables specifying gnutls-cli etc.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no





* bug#20078: imap with openssl
From: William F Hammond @ 2015-12-26 21:46 UTC
  To: Lars Ingebrigtsen; +Cc: 20078, Stefan Monnier

On Sat, Dec 26, 2015 at 12:48 PM, Lars Ingebrigtsen <larsi@gnus.org> wrote:

> I've now changed imap.el to use open-network-stream and removed all the
> variables specifying gnutls-cli etc.
>

Thanks.

Do you have any guess as to when, e.g., year or emacs version, this will
find its way into the version of gnus included with GNU Emacs?

            -- Bill

-- 
William F Hammond
Email: gellmu@gmail.com
https://www.facebook.com/william.f.hammond
http://www.albany.edu/~hammond/

* bug#20078: imap with openssl
From: Lars Ingebrigtsen @ 2015-12-26 21:53 UTC
  To: William F Hammond; +Cc: 20078, Stefan Monnier

William F Hammond <gellmu@gmail.com> writes:

> Do you have any guess as to when, e.g., year or emacs version, this will find
> its way into the version of gnus included with GNU Emacs?

It's already in GNU Emacs.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




