From: Jens Lechtenboerger
Newsgroups: gmane.emacs.bugs
Subject: bug#19283: 25.0.50; imap.el with man-in-the-middle vulnerability
Date: Fri, 05 Dec 2014 21:39:41 +0100
Message-ID: <86lhmlq19u.fsf@informationelle-selbstbestimmung-im-internet.de>
To: Andreas Schwab
Cc: 19283@debbugs.gnu.org

On 2014-12-05, Andreas Schwab wrote:

> Jens Lechtenboerger writes:
>
>> In addition, imap.el only tries SSLv2 and SSLv3,
>
> imap.el always tries STARTTLS and TLS before SSL, unless you force it to
> do otherwise.

I’m sorry, I meant to talk about imap-ssl-program, which I mentioned
above that quote. So it should read:
“imap-ssl-program in imap.el only tries SSLv2 and SSLv3”

But you are right, I’m using “:stream ssl” among mail-sources.
If I remove that, the connection uses STARTTLS, which ultimately
calls starttls-gnutls-program, for which I suggested

    (setq starttls-extra-arguments '("--strict-tofu"))

in bug#16978 to avoid MITM with “trusted” certificates.

Changing to “:stream tls” seems to invoke tls-program, about
which I filed bug#19284.

Best wishes
Jens
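
The mapping described in the message above (forced ":stream ssl" goes through imap-ssl-program, ":stream tls" through tls-program, no forced stream through STARTTLS), written as a small configuration audit. This is an added example, not part of the original message or of imap.el; the function name my/imap-stream-findings, the server names and the sample commands are hypothetical and constructed for illustration.

```elisp
;; Added example: audit sketch, not code from imap.el or from the thread.
(require 'cl-lib)

(defun my/imap-stream-findings (sources ssl-commands starttls-args)
  "Return a list of (SERVER . FINDING) pairs for IMAP entries in SOURCES.
SOURCES is shaped like `mail-sources', SSL-COMMANDS like
`imap-ssl-program' (a string or a list of strings) and STARTTLS-ARGS
like `starttls-extra-arguments'."
  (let ((commands (if (stringp ssl-commands) (list ssl-commands) ssl-commands))
        findings)
    (dolist (src sources (nreverse findings))
      ;; Only IMAP entries are relevant; skip pop, file, etc.
      (when (eq (car-safe src) 'imap)
        (let ((server (plist-get (cdr src) :server))
              (stream (plist-get (cdr src) :stream)))
          (cond
           ;; Forced ":stream ssl": the connection uses imap-ssl-program.
           ((eq stream 'ssl)
            (push (cons server
                        (if (and commands
                                 (cl-every (lambda (c)
                                             (string-match-p "-ssl[23]\\b" c))
                                           commands))
                            "imap-ssl-program offers only SSLv2/SSLv3"
                          "imap-ssl-program in use; review its commands"))
                  findings))
           ;; Forced ":stream tls": reported to invoke tls-program (bug#19284).
           ((eq stream 'tls)
            (push (cons server "tls-program in use; see bug#19284") findings))
           ;; No forced stream (or explicit starttls): STARTTLS path, where
           ;; bug#16978 suggests passing --strict-tofu.
           ((memq stream '(nil starttls))
            (unless (member "--strict-tofu" starttls-args)
              (push (cons server "STARTTLS without --strict-tofu") findings)))))))))

;; Constructed sample input (hypothetical servers and commands).
(my/imap-stream-findings
 '((imap :server "imap.example.org" :stream ssl)
   (imap :server "mail.example.net")
   (pop :server "pop.example.org"))
 '("openssl s_client -quiet -ssl3 -connect %s:%p"
   "openssl s_client -quiet -ssl2 -connect %s:%p")
 nil)
```

To check a live configuration, pass mail-sources, imap-ssl-program and starttls-extra-arguments as the three arguments once the libraries that define them are loaded.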