From mboxrd@z Thu Jan 1 00:00:00 1970
From: Antoine Beaupre
Newsgroups: gmane.linux.debian.devel.bugs.general,gmane.emacs.devel
Subject: Bug#766397: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Wed, 22 Feb 2017 15:38:17 -0500
Message-ID: <20170222203817.a6pvvszox5btospa@curie.anarc.at>
References: <20141022193441.GA11872@roeckx.be> <87zjcnj2k6.fsf@trouble.defaultvalue.org> <87wq7rj2fl.fsf@trouble.defaultvalue.org> <87egtyixsy.fsf@trouble.defaultvalue.org> <20160220152832.GA11566@roeckx.be> <87twl2hj8u.fsf@gnus.org>
In-Reply-To: <87twl2hj8u.fsf@gnus.org>
Reply-To: Antoine Beaupre, 766397@bugs.debian.org
User-Agent: NeoMutt/20170113 (1.7.2)
To: Lars Ingebrigtsen, 766397@bugs.debian.org
Cc: Kurt Roeckx, Ted Zlatanov, 766397-forwarded@bugs.debian.org, Rob Browning, emacs-devel@gnu.org
X-Debian-PR-Message: followup 766397
X-Debian-PR-Package: emacs24
X-Debian-PR-Keywords: jessie-ignore security
X-Debian-PR-Source: emacs24

On Sun, Feb 21, 2016 at 01:47:45PM +1100, Lars Ingebrigtsen wrote:
> Kurt Roeckx writes:
>
> > From what I understand, it is (or was) possible to configure
> > things in such a way that it uses s_client to set up SSL, even
> > when it's configured to use gnutls. You should never use s_client
> > for that. s_client is a debug tool. It does create an SSL
> > connection for you, but in an insecure way.
>
> Emacs has built-in TLS support these days, so s_client is only used if
> the user (for some weird reason or other) has built or installed a
> version of Emacs without TLS support.
>
> I think that should probably be removed, because it's less secure than
> users would expect.

This is now a release-blocking bug, but hasn't seen any activity in the
last year or so. It would be good to see this finally fixed! Obviously,
one should never use openssl s_client for stuff like this...

I should also note that even though Emacs 24 supports TLS natively now,
its handling of X509 certificates is really problematic, as documented in
#816063. I would hardly consider it complete. Emacs 25 doesn't suffer
from those issues, but may still allow s_client...

A.

-- 
It is wise to reconcile ourselves with our adolescence; to hate,
despise, deny or simply forget the adolescent we once were is in
itself an adolescent attitude.
- Daniel Pennac, Comme un roman
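
A check for the fallback discussed in the message above, as an added example that is not part of the original message and not code from Emacs, Gnus or Debian: it reports whether this Emacs has built-in GnuTLS and which entries of `tls-program` (the external-helper list in tls.el) would run s_client. The `my-tls-` function names and the sample list are assumptions made for illustration, and the check covers only the tls.el helper list, not other packages that may spawn openssl on their own.

```elisp
;; Added example: not code from Emacs, Gnus or Debian.
;; The my-tls-* names and the sample list below are made up for illustration.
(require 'tls nil t)   ; tls.el defines `tls-program', the external-helper list

(defun my-tls-s-client-entries (programs)
  "Return the commands in PROGRAMS (a list of strings) that run s_client."
  (let (hits)
    (dolist (cmd programs (nreverse hits))
      (when (string-match-p "s_client" cmd)
        (push cmd hits)))))

(defun my-tls-audit ()
  "Return a plist: is built-in GnuTLS usable, and which helpers are s_client."
  (list :builtin-gnutls (and (fboundp 'gnutls-available-p)
                             (gnutls-available-p)
                             t)
        :s-client-helpers (my-tls-s-client-entries
                           (bound-and-true-p tls-program))))

(defun my-tls-drop-s-client ()
  "Remove s_client commands from `tls-program' and return what was removed.
This leaves no s_client command for tls.el to fall back to."
  (when (boundp 'tls-program)
    (let ((removed (my-tls-s-client-entries tls-program)))
      (dolist (cmd removed removed)
        (setq tls-program (remove cmd tls-program))))))

;; Constructed sample shaped like a `tls-program' value.
(my-tls-s-client-entries
 '("gnutls-cli --x509cafile %t -p %p %h"
   "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"))
```

Evaluating `(my-tls-audit)` in the running Emacs shows whether the s_client path is reachable there: it matters when `:builtin-gnutls` is nil and `:s-client-helpers` is non-empty.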