From: Rob Browning
Newsgroups: gmane.emacs.devel
Subject: Re: Bug#766397: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Sun, 16 Apr 2017 12:28:54 -0500
Message-ID: <87efwsuuqx.fsf@trouble.defaultvalue.org>
In-Reply-To: <20170222203817.a6pvvszox5btospa@curie.anarc.at>
References: <20141022193441.GA11872@roeckx.be> <87zjcnj2k6.fsf@trouble.defaultvalue.org> <87wq7rj2fl.fsf@trouble.defaultvalue.org> <87egtyixsy.fsf@trouble.defaultvalue.org> <20160220152832.GA11566@roeckx.be> <87twl2hj8u.fsf@gnus.org> <20170222203817.a6pvvszox5btospa@curie.anarc.at>
To: Antoine Beaupre, Lars Ingebrigtsen, 766397@bugs.debian.org
Cc: Ted Zlatanov, 766397-forwarded@bugs.debian.org, Kurt Roeckx, emacs-devel@gnu.org
List-Id: "Emacs development discussions."
Xref: news.gmane.org gmane.emacs.devel:214016

Antoine Beaupre writes:

> Obviously, one should never use openssl s_client for stuff like this...
> I should also note that even though Emacs 24 supports TLS natively now,
> its handling of X509 certificates is really problematic, as documented in
> #816063.

I've just uploaded emacs24 24.5+1-9 and requested an unblock to hopefully address #816063 by configuring --without-gnutls, depending on gnutls-cli, and backporting three upstream patches that remove the --insecure argument from the gnutls-cli invocation and have it use system certificates.

With respect to *this* bug, I'm slightly wary of the part of the patch suggested earlier that removes imap-ssl-open entirely, since it seems possible that external (user or other) code might be using it, perhaps with full knowledge of its limitations.
So assuming (as suggested in the original patch) that it's appropriate/acceptable to just substitute imap-tls-open for imap-ssl-open, then I wondered if this or something like it might address the immediate concerns:

[Attachment: possible-s-client-fix.diff]

>From 9db659f9f18a79c7295e609472deb66467be0dbb Mon Sep 17 00:00:00 2001 From: Rob Browning Date: Sun, 16 Apr 2017 12:08:07 -0500 Subject: Don't use s_client --- lisp/net/imap.el | 2 +- lisp/net/tls.el | 15 +++++---------- 2 files changed, 6 insertions(+), 11 deletions(-) diff --git a/lisp/net/imap.el b/lisp/net/imap.el index 3e59823..47f3d01 100644 --- a/lisp/net/imap.el +++ b/lisp/net/imap.el @@ -293,7 +293,7 @@ Shorter values mean quicker response, but is more CPU intensive." '((gssapi imap-gssapi-stream-p imap-gssapi-open) (kerberos4 imap-kerberos4-stream-p imap-kerberos4-open) (tls imap-tls-p imap-tls-open) - (ssl imap-ssl-p imap-ssl-open) + (ssl imap-tls-p imap-tls-open) (network imap-network-p imap-network-open) (shell imap-shell-p imap-shell-open) (starttls imap-starttls-p imap-starttls-open)) diff --git a/lisp/net/tls.el b/lisp/net/tls.el index 68a3ff6..287de40 100644 --- a/lisp/net/tls.el +++ b/lisp/net/tls.el @@ -78,8 +78,7 @@ and `gnutls-cli' (version 2.0.1) output." (defcustom tls-program '("gnutls-cli --x509cafile %t -p %p %h" - "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3" - "openssl s_client -connect %h:%p -no_ssl2 -ign_eof") + "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3") "List of strings containing commands to start TLS stream to a host. Each entry in the list is tried until a connection is successful. %h is replaced with server hostname, %p with port to connect to.
@@ -93,20 +92,17 @@ successful negotiation." '(choice (const :tag "Default list of commands" ("gnutls-cli --x509cafile %t -p %p %h" - "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3" - "openssl s_client -CAfile %t -connect %h:%p -no_ssl2 -ign_eof")) + "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3")) (list :tag "Choose commands" :value ("gnutls-cli --x509cafile %t -p %p %h" - "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3" - "openssl s_client -connect %h:%p -no_ssl2 -ign_eof") + "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3") (set :inline t ;; FIXME: add brief `:tag "..."' descriptions. ;; (repeat :inline t :tag "Other" (string)) ;; No trust check: (const "gnutls-cli --insecure -p %p %h") - (const "gnutls-cli --insecure -p %p %h --protocols ssl3") - (const "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")) + (const "gnutls-cli --insecure -p %p %h --protocols ssl3")) (repeat :inline t :tag "Other" (string))) (list :tag "List of commands" (repeat :tag "Command" (string)))) @@ -137,8 +133,7 @@ consider trustworthy, e.g.: \(setq tls-program '(\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h\" - \"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3\" - \"openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof\"))" + \"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3\"))" :type '(choice (const :tag "Always" t) (const :tag "Never" nil) (const :tag "Ask" ask)) -- cgit v0.12

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
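Review bot: In the lisp/net/imap.el hunk (@@ -293,7 +293,7 @@), the new `(ssl imap-tls-p imap-tls-open)` row makes the `ssl` entry an exact duplicate of the `tls` row above it, while `imap-ssl-p` and `imap-ssl-open` stay defined but are no longer referenced from the alist. Add a short comment on the `ssl` row saying it is kept only as a backward-compatible alias for `tls`, and, given the concern in the message that external code may still call `imap-ssl-open`, consider declaring it obsolete (e.g. `(make-obsolete 'imap-ssl-open 'imap-tls-open "25.1")`, version being a placeholder) so such callers get a byte-compiler warning instead of silently keeping the s_client-based path this bug is about.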
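Review bot: In the first lisp/net/tls.el hunk (@@ -78,8 +78,7 @@), the `tls-program` default still ends with `"gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"`, and the trailing docstring context says each entry is tried until a connection succeeds, so any failed TLS handshake still produces a second attempt that offers only SSL 3.0 (a protocol deprecated by RFC 7568). Since the purpose of this change is to stop falling back to weak transports, consider dropping that entry as well and leaving the single `"gnutls-cli --x509cafile %t -p %p %h"` command; the same fallback ordering is what let the removed openssl entry get used.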
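Review bot: In the @@ -93,20 +92,17 @@ hunk, the `:type` still offers the "No trust check" constants `"gnutls-cli --insecure -p %p %h"` and `"gnutls-cli --insecure -p %p %h --protocols ssl3"` after the openssl ones are removed, so customize keeps presenting a verification-free command as a one-click option; since the message says the backported upstream patches remove `--insecure` from the gnutls-cli invocation, remove these constants here too. Also check that the remaining "Default list of commands" const is identical to the defcustom value: the old const used `-CAfile %t` where the defcustom default used no CA file, a mismatch this hunk happens to eliminate, and customize only recognises the default when the two lists match exactly.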
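Review bot: In the @@ -137,8 +133,7 @@ hunk, the `setq tls-program` example in the docstring of the Always/Never/Ask defcustom should mirror whatever the final `tls-program` default is; if the `--protocols ssl3` fallback is removed from the default, drop the `\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3\"` line here as well so the documented trustworthy configuration does not advertise an SSL 3.0 fallback the default no longer has.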