From: Kurt Roeckx
Newsgroups: gmane.emacs.devel
Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Sat, 20 Feb 2016 16:28:32 +0100
Message-ID: <20160220152832.GA11566@roeckx.be>
To: Ted Zlatanov
Cc: 766397@bugs.debian.org, 766397-forwarded@bugs.debian.org, Rob Browning, emacs-devel@gnu.org

On Fri, Oct 24, 2014 at 09:39:28AM -0400, Ted Zlatanov wrote:
> On Thu, 23 Oct 2014 10:57:17 -0500 Rob Browning wrote:
>
> RB> Ted Zlatanov writes:
> >> could you provide a test case?  The information gathered by
> >> `M-x report-emacs-bug' would be really helpful, too.
>
> RB> Hmm, I'm not the original reporter, and don't yet deeply understand the
> RB> relevant issues, but on the surface, the "bug" appears to just ask that
> RB> Emacs "stop using or mentioning s_client".
>
> I replied to the bug address as well, so I hope Kurt responds with a recipe.
>
> RB> If that turns out to be a reasonable request, then I'd imagine that the
> RB> code in imap.el, etc. would need adjustment, i.e.
>
> No, the logic that needs to change is the one that opens the network
> stream (and imap.el will be obsoleted, as Lars and Stefan mentioned).
> But I'd like to know what's using imap.el in Kurt's case because I don't
> know of any code that uses it.  Was he just warning that imap.el *could*
> use s_client?  I went to the original bug report and couldn't find that
> information, sorry.
>
> RB> In any case, I can certainly send you the report-emacs-bug information
> RB> from my system, but the bug didn't originate there (I don't even have
> RB> emacs23 installed at the moment).  Did you mean for Kurt to send it?
>
> Yes, sorry, the web interface misled me.  Kurt?
>
> RB> And what kind of test did you have in mind?
>
> Some code that lets me replicate the bug or issue on a Debian system,
> with enough information to let me bring up such a system in a virtual
> environment.

Someone suggested I should reply to this.

First, I'm not an emacs user, I'm the openssl maintainer in
Debian.  I think this started with me disabling SSLv3 support and
then getting reports that I broke emacs / gnus and I just looked
around what was going on.

From what I understand, it is (or was) possible to configure
things in such a way that it uses s_client to set up SSL, even
when it's configured to use gnutls.

You should never use s_client for that.  s_client is a debug tool.
It does create an SSL connection for you, but in an insecure way.

When looking around, I saw examples of using s_client in
combination with "-ssl2" and "-ssl3".  That is, only support those
protocol versions.  They are so broken that I removed support for
them.  You should clearly never document that they should use those
options.  That probably all comes from the time SSLv2 and SSLv3
were the only 2 supported protocol versions, and you should
probably update the documentation to have more recent information
in it.

I hope this clears things up.


Kurt
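
A defender-side check for the configurations this message describes, as an added example that is not part of the original e-mail or of Emacs: it scans configuration or documentation text for commands that run `s_client` and notes when `-ssl2` or `-ssl3` is passed. The variable names in the sample are hypothetical and the sample lines are constructed.

```python
import re

# The two options the message singles out: each limits s_client to one
# protocol version that has since been removed.
LEGACY_ONLY = {"-ssl2": "SSLv2", "-ssl3": "SSLv3"}


def audit_command(command):
    """Return the reasons a single command template should be replaced."""
    tokens = command.split()
    if "s_client" not in tokens:
        return []
    reasons = ["uses the s_client debug tool to carry the connection"]
    for tok in tokens[tokens.index("s_client") + 1:]:
        if tok in LEGACY_ONLY:
            reasons.append(f"{tok} restricts the handshake to {LEGACY_ONLY[tok]} only")
    return reasons


def audit(text):
    """Scan config or documentation text; return (line, command, reasons) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Command templates usually sit in string literals; otherwise
        # treat the whole line as one command.
        commands = re.findall(r'"([^"]*)"', line) or [line]
        for command in commands:
            reasons = audit_command(command)
            if reasons:
                findings.append((lineno, command.strip(), reasons))
    return findings


# Constructed sample; the variable names are hypothetical, not Emacs options.
SAMPLE = '''\
(setq example-stream-program "openssl s_client -quiet -ssl3 -connect %s:%p")
(setq example-other-program "openssl s_client -quiet -ssl2 -connect %s:%p")
(setq example-third-program "openssl s_client -connect %h:%p -ign_eof")
(setq example-native-stream 'tls)
;; openssl x509 -in cert.pem -noout -text
'''

if __name__ == "__main__":
    for lineno, command, reasons in audit(SAMPLE):
        print(f"line {lineno}: {command}")
        for reason in reasons:
            print(f"  - {reason}")
```
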