From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Simon Josefsson <simon@josefsson.org>
Newsgroups: gmane.emacs.devel
Subject: Re: gnus/starttls.el and net/tls.el
Date: Thu, 15 Nov 2007 15:20:35 +0100
Message-ID: <87mytfsi8c.fsf@mocca.josefsson.org>
References: <E1Ipflm-0004Yx-6I@fencepost.gnu.org>
	<87tznwq2r3.fsf@mocca.josefsson.org>
	<E1IqbtY-0003GD-Nt@fencepost.gnu.org>
NNTP-Posting-Host: lo.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: ger.gmane.org 1195136475 14330 80.91.229.12 (15 Nov 2007 14:21:15 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Thu, 15 Nov 2007 14:21:15 +0000 (UTC)
Cc: emacs-devel@gnu.org
To: rms@gnu.org
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Thu Nov 15 15:21:16 2007
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([199.232.76.165])
	by lo.gmane.org with esmtp (Exim 4.50)
	id 1Isfak-0008AA-90
	for ged-emacs-devel@m.gmane.org; Thu, 15 Nov 2007 15:21:14 +0100
Original-Received: from localhost ([127.0.0.1] helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43)
	id 1IsfaX-0000W4-B3
	for ged-emacs-devel@m.gmane.org; Thu, 15 Nov 2007 09:21:01 -0500
Original-Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1IsfaU-0000Vp-5V
	for emacs-devel@gnu.org; Thu, 15 Nov 2007 09:20:58 -0500
Original-Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1IsfaS-0000Vd-PL
	for emacs-devel@gnu.org; Thu, 15 Nov 2007 09:20:56 -0500
Original-Received: from [199.232.76.173] (helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1IsfaS-0000Va-JG
	for emacs-devel@gnu.org; Thu, 15 Nov 2007 09:20:56 -0500
Original-Received: from yxa.extundo.com ([83.241.177.38])
	by monty-python.gnu.org with esmtps
	(TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.60)
	(envelope-from <simon@josefsson.org>)
	id 1IsfaQ-00024H-4P; Thu, 15 Nov 2007 09:20:54 -0500
Original-Received: from mocca.josefsson.org (yxa.extundo.com [83.241.177.38])
	(authenticated bits=0)
	by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id
	lAFEKZxu027505
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Thu, 15 Nov 2007 15:20:38 +0100
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
Mail-Copies-To: nobody
X-Hashcash: 1:22:071115:emacs-devel@gnu.org::2zD/+bPlNjHmoLqD:1FwQ
X-Hashcash: 1:22:071115:rms@gnu.org::D3LcvP6fijbtzekk:5G16
In-Reply-To: <E1IqbtY-0003GD-Nt@fencepost.gnu.org> (Richard Stallman's message
	of "Fri, 09 Nov 2007 17:00:08 -0500")
User-Agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)
X-Virus-Scanned: ClamAV version 0.88.2,
	clamav-milter version 0.88.2 on yxa.extundo.com
X-Virus-Status: Clean
X-detected-kernel: by monty-python.gnu.org: Linux 2.6, seldom 2.4 (older, 4)
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <http://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <http://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:83270
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/83270>

Richard Stallman <rms@gnu.org> writes:

>     tls.el starts talking TLS to the server directly.  starttls.el, however,
>     does not begin talking TLS until the application calls
>     starttls-negotiate.  In other words, starttls.el allows an unencrypted
>     phase before the encrypted phase starts.
>
> Would it be hard to extend tls.el to provide a way to do this?

It would require some work, but it is possible.  (Alas, I don't think I
have time to do it.)

Semantically, the tls-package could be implemented via starttls.el by
calling the 'open' and then the 'negotiate' function.  However, tls.el
and starttls.el differ by supporting different external tools, so some
users may get upset if, e.g., the 'starttls' or 'OpenSSL' way stops
working.

I'm not sure I understand the reason though.  Is it to avoid having two
files?  If so, how about moving the code in starttls.el into tls.el?
That would make it easier to slowly re-factor the code to avoid code
duplication.  On the other hand, starttls.el is used by a couple of
packages already, which may break.

>     tls.el can use openssl and gnutls.  starttls.el can use gnutls and a
>     tool called 'starttls'.
>
> What is the point of `starttls'?  For what purpose is it useful
> to use that, rather than GNUtls?

Today, I don't think there is any reason, but I may be biased towards
favoring GnuTLS.  gnutls-cli didn't used to support starttls operations,
but it does today.  As far as I remember, 'starttls' doesn't verify
server certificates, so starttls may be considered insecure.

/Simon