unofficial mirror of emacs-devel@gnu.org 
From: Rob Browning <rlb@defaultvalue.org>
To: Antoine Beaupre <anarcat@debian.org>,
	Lars Ingebrigtsen <larsi@gnus.org>,
	766397@bugs.debian.org
Cc: Ted Zlatanov <tzz@lifelogs.com>,
	766397-forwarded@bugs.debian.org, Kurt Roeckx <kurt@roeckx.be>,
	emacs-devel@gnu.org
Subject: Re: Bug#766397: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Sun, 16 Apr 2017 12:28:54 -0500
Message-ID: <87efwsuuqx.fsf@trouble.defaultvalue.org>
In-Reply-To: <20170222203817.a6pvvszox5btospa@curie.anarc.at>

[-- Attachment #1: Type: text/plain, Size: 1044 bytes --]

Antoine Beaupre <anarcat@debian.org> writes:

> Obviously, one should never use openssl s_client for stuff like this...
> I should also note that even though Emacs 24 supports TLS natively now,
> its handling of X509 certificate is really problematic, as documented in
> #816063.

I've just uploaded emacs24 24.5+1-9 and requested an unblock to
hopefully address #816063 by configuring --without-gnutls, depending on
gnutls-cli, and backporting three upstream patches that remove the
--insecure argument from the gnutls-cli invocation and have it use
system certificates.

With respect to *this* bug, I'm slightly wary of the part of the patch
suggested earlier that removes imap-ssl-open entirely, since it seems
possible that external (user or other) code might be using it, perhaps
with full knowledge of its limitations.

So assuming (as suggested in the original patch) that it's
appropriate/acceptable to just substitute imap-tls-open for
imap-ssl-open, then I wondered if this or something like it might
address the immediate concerns:


[-- Attachment #2: possible-s-client-fix.diff --]
[-- Type: text/x-diff, Size: 3297 bytes --]

From 9db659f9f18a79c7295e609472deb66467be0dbb Mon Sep 17 00:00:00 2001
From: Rob Browning <rlb@defaultvalue.org>
Date: Sun, 16 Apr 2017 12:08:07 -0500
Subject: Don't use s_client

---
 lisp/net/imap.el |  2 +-
 lisp/net/tls.el  | 15 +++++----------
 2 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/lisp/net/imap.el b/lisp/net/imap.el
index 3e59823..47f3d01 100644
--- a/lisp/net/imap.el
+++ b/lisp/net/imap.el
@@ -293,7 +293,7 @@ Shorter values mean quicker response, but is more CPU intensive."
   '((gssapi    imap-gssapi-stream-p    imap-gssapi-open)
     (kerberos4 imap-kerberos4-stream-p imap-kerberos4-open)
     (tls       imap-tls-p              imap-tls-open)
-    (ssl       imap-ssl-p              imap-ssl-open)
+    (ssl       imap-tls-p              imap-tls-open)
     (network   imap-network-p          imap-network-open)
     (shell     imap-shell-p            imap-shell-open)
     (starttls  imap-starttls-p         imap-starttls-open))
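Review bot: the rewritten `ssl` row makes a user setting of `imap-stream` to `ssl` silently use imap-tls-p/imap-tls-open, so the s_client transport disappears without any message to the people who had it configured; an inline comment on that row (for example `;; ssl is now an alias for tls`) would make the intent visible, and since the cover message says imap-ssl-open is being kept on purpose for external callers, marking it with `make-obsolete` would give those callers a byte-compiler warning instead of a quiet behaviour change.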
diff --git a/lisp/net/tls.el b/lisp/net/tls.el
index 68a3ff6..287de40 100644
--- a/lisp/net/tls.el
+++ b/lisp/net/tls.el
@@ -78,8 +78,7 @@ and `gnutls-cli' (version 2.0.1) output."
 
 (defcustom tls-program
   '("gnutls-cli --x509cafile %t -p %p %h"
-    "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
-    "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
+    "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3")
   "List of strings containing commands to start TLS stream to a host.
 Each entry in the list is tried until a connection is successful.
 %h is replaced with server hostname, %p with port to connect to.
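Review bot: this hunk removes the s_client fallback but keeps `"gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"` as the second entry, and the docstring right below it says each entry is tried until a connection succeeds, so any failure of the first command (a bad trust file in %t, a refused first handshake) is retried as a forced-SSLv3 connection; either drop that entry as well or say in the docstring that the second entry is a protocol downgrade, so the default list does not silently fall back to SSLv3.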
@@ -93,20 +92,17 @@ successful negotiation."
   '(choice
     (const :tag "Default list of commands"
 	   ("gnutls-cli --x509cafile %t -p %p %h"
-	    "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
-	    "openssl s_client -CAfile %t -connect %h:%p -no_ssl2 -ign_eof"))
+	    "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"))
     (list :tag "Choose commands"
 	  :value
 	  ("gnutls-cli --x509cafile %t -p %p %h"
-	   "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
-	   "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
+	   "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3")
 	  (set :inline t
 	       ;; FIXME: add brief `:tag "..."' descriptions.
 	       ;; (repeat :inline t :tag "Other" (string))
 	       ;; No trust check:
 	       (const "gnutls-cli --insecure -p %p %h")
-	       (const "gnutls-cli --insecure -p %p %h --protocols ssl3")
-	       (const "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"))
+	       (const "gnutls-cli --insecure -p %p %h --protocols ssl3"))
 	  (repeat :inline t :tag "Other" (string)))
     (list :tag "List of commands"
 	  (repeat :tag "Command" (string))))
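Review bot: the `:tag "Default list of commands"` const has to be kept in step with the defcustom default by hand, and after this edit the two lists do match, but the "No trust check" set still offers both `gnutls-cli --insecure` variants with only a Lisp comment to warn the user, which is invisible in the customize buffer; the FIXME above them already asks for `:tag` descriptions, so giving those two consts a tag such as "No certificate verification" would make the loss of verification obvious where the user actually picks the command.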
@@ -137,8 +133,7 @@ consider trustworthy, e.g.:
 
 \(setq tls-program
       '(\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h\"
-	\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3\"
-	\"openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof\"))"
+	\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3\"))"
   :type '(choice (const :tag "Always" t)
 		 (const :tag "Never" nil)
 		 (const :tag "Ask" ask))
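Review bot: the docstring example is introduced as a configuration that only uses certificates the user considers trustworthy, yet it still ends with the `--protocols ssl3` fallback line; if that fallback stays in the default list, the example should say it forces SSLv3, otherwise drop it from the example too so the documented "trustworthy" setup matches what the text promises.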
-- 
cgit v0.12


[-- Attachment #3: Type: text/plain, Size: 205 bytes --]


Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
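The patch above removes the `openssl s_client` entries because, as the thread notes, s_client is not a safe transport, and the docstring it edits says every entry in `tls-program` is tried in turn until one succeeds, so the weakest entry in the list sets the security floor. The following Python script is an added example, not code from the message, the patch or Emacs: it audits a `tls-program` list offline and reports, per entry, whether certificate verification is disabled (`--insecure`), whether no trust store is given, whether SSLv3 is forced (`--protocols ssl3`), and whether the command is `s_client`, which reports a verification failure but still completes the connection unless `-verify_return_error` is passed. The sample list is constructed from the commands visible in the patch (the entries it keeps, the ones it removes, and the "No trust check" alternative from the customize widget); the `%t`, `%p` and `%h` placeholders are left unexpanded because only the command shape is inspected.

```python
import shlex

# Constructed sample: the tls-program entries that appear in the patch in this
# thread. Entry order matters because Emacs tries them until one succeeds.
SAMPLE_TLS_PROGRAM = [
    "gnutls-cli --x509cafile %t -p %p %h",
    "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3",
    "openssl s_client -connect %h:%p -no_ssl2 -ign_eof",
    "openssl s_client -CAfile %t -connect %h:%p -no_ssl2 -ign_eof",
    "gnutls-cli --insecure -p %p %h",
]


def audit_command(cmd):
    """Return a list of findings for one tls-program entry.

    An empty list means the entry verifies the peer against a trust store
    and does not force a downgraded protocol.
    """
    argv = shlex.split(cmd)
    findings = []
    if not argv:
        return ["empty command"]
    tool = argv[0]

    if tool == "gnutls-cli":
        if "--insecure" in argv:
            findings.append("certificate verification disabled (--insecure)")
        elif "--x509cafile" not in argv:
            findings.append("no trust store given (--x509cafile missing)")
        if "--protocols" in argv:
            i = argv.index("--protocols")
            if i + 1 < len(argv) and argv[i + 1].lower() == "ssl3":
                findings.append("forces SSLv3 (--protocols ssl3)")

    elif tool == "openssl" and len(argv) > 1 and argv[1] == "s_client":
        # s_client prints the verify result but keeps the session open and
        # relays data even when the chain did not verify, unless
        # -verify_return_error is given, so it is not a safe transport.
        if "-verify_return_error" not in argv:
            findings.append("s_client continues after a failed verification")
        if "-CAfile" not in argv and "-CApath" not in argv:
            findings.append("no trust store given (-CAfile/-CApath missing)")

    else:
        findings.append("unrecognised tool %r; cannot assess" % tool)
    return findings


def audit_tls_program(commands):
    """Audit a whole tls-program list: command -> list of findings."""
    return {cmd: audit_command(cmd) for cmd in commands}


def safe_entries(commands):
    """The entries that could stay in tls-program without weakening it."""
    return [cmd for cmd in commands if not audit_command(cmd)]


if __name__ == "__main__":
    for cmd, findings in audit_tls_program(SAMPLE_TLS_PROGRAM).items():
        print(cmd)
        for finding in findings:
            print("  -", finding)
    print("entries without findings:", safe_entries(SAMPLE_TLS_PROGRAM))
```

Run against the sample, only the first entry comes back clean; the second is flagged for forcing SSLv3, both s_client entries for continuing after a failed verification (the one without `-CAfile` also for lacking a trust store), and the `--insecure` entry for disabling verification. The check is deliberately string-based so it can run in a pre-commit hook or a test over a site's Emacs configuration without any network access.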
