Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.

[Kurt Roeckx <kurt@roeckx.be>]

On Fri, Oct 24, 2014 at 09:39:28AM -0400, Ted Zlatanov wrote:
> On Thu, 23 Oct 2014 10:57:17 -0500 Rob Browning <rlb@defaultvalue.org> wrote: 
> 
> RB> Ted Zlatanov <tzz@lifelogs.com> writes:
> >> could you provide a test case?  The information gathered by
> >> `M-x report-emacs-bug' would be really helpful, too.
> 
> RB> Hmm, I'm not the original reporter, and don't yet deeply understand the
> RB> relevant issues, but on the surface, the "bug" appears to just ask that
> RB> Emacs "stop using or mentioning s_client".
> 
> I replied to the bug address as well, so I hope Kurt responds with a recipe.
> 
> RB> If that turns out to be a reasonable request, then I'd imagine that the
> RB> code in imap.el, etc. would need adjustment, i.e.
> 
> No, the logic that needs to change is the one that opens the network
> stream (and imap.el will be obsoleted, as Lars and Stefan mentioned).
> But I'd like to know what's using imap.el in Kurt's case because I don't
> know of any code that uses it.  Was he just warning that imap.el *could*
> use s_client?  I went to the original bug report and couldn't find that
> information, sorry.
> 
> RB> In any case, I can certainly send you the report-emacs-bug information
> RB> from my system, but the bug didn't originate there (I don't even have
> RB> emacs23 installed at the moment).  Did you mean for Kurt to send it?
> 
> Yes, sorry, the web interface misled me.  Kurt?
> 
> RB> And what kind of test did you have in mind?
> 
> Some code that lets me replicate the bug or issue on a Debian system,
> with enough information to let me bring up such a system in a virtual
> environment.

Someone suggested I should reply to this.

First, I'm not an emacs user, I'm the openssl maintainer in
Debian.  I think this started with me disabling SSLv3 support and
then getting reports that I broke emacs / gnus and I just looked
around what was going on.

From what I understand, it is (or was) possible to configure
things in such a way that it uses s_client to set up SSL, even
when it's configured to use gnutls.  You should never use s_client
for that.  s_client is a debug tool.  It does create an SSL
connection for you, but in an insecure way.

When looking around, I saw examples of using s_client in combination
with "-ssl2" and "-ssl3".  That is, only support those protocol
versions.  They are so broken that I removed support for them.
You should clearly never document that they should use those
options.  That probably all comes from the time SSLv2 and SSLv3
were the only 2 supported protocol versions, and you should
probably update the documentation to have more recent information
in it.

I hope this clears things up.


Kurt