From: Jens Lechtenboerger
Newsgroups: gmane.emacs.bugs
Subject: bug#19283: 25.0.50; imap.el with man-in-the-middle vulnerability
Date: Fri, 05 Dec 2014 20:38:21 +0100
Message-ID: <86ppbxq442.fsf@informationelle-selbstbestimmung-im-internet.de>
To: 19283@debbugs.gnu.org

This is a followup to bug#16978, where I reported multiple MITM
issues.

imap.el uses openssl's s_client via imap-ssl-program.
From the man page:
> The s_client utility is a test tool and is designed to continue
> the handshake after any certificate verification errors. As a
> result it will accept any certificate chain (trusted or not) sent
> by the peer. None test applications should not do this as it makes
> them vulnerable to a MITM attack. This behaviour can be changed by
> with the -verify_return_error option: any verify errors are then
> returned aborting the handshake.

In addition, imap.el only tries SSLv2 and SSLv3, whose end-of-life
might be near.  I cannot access some of my servers at all (as they
only allow TLS).

If the above was fixed, one would still be vulnerable to attacks
with “trusted” certificates.  imap.el should probably use nsm.el.

In the meantime, I continue to use the following:

    (setq imap-ssl-program '("gnutls-cli --strict-tofu -p %p %s"))

Best wishes
Jens
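
Added example, not part of the original report and not code from imap.el: a small Emacs Lisp check that flags imap-ssl-program command templates showing the two s_client problems described above (no -verify_return_error, and a protocol pinned to SSLv2/SSLv3). The my/ function names and the sample templates are hypothetical and constructed for illustration.

```elisp
;;; Added example: audit `imap-ssl-program' templates for the two
;;; s_client issues named in the report.  It checks nothing else; an
;;; empty result does not mean a template is safe in other respects.

(defun my/imap-ssl-template-problems (template)
  "Return a list of problem symbols found in the command string TEMPLATE."
  (let ((args (split-string template "[ \t]+" t))
        problems)
    ;; Only s_client invocations are examined ("openssl s_client ..."
    ;; or a bare "s_client ...").
    (when (member "s_client" args)
      ;; Without this option s_client continues the handshake after
      ;; certificate verification errors (see the man page quote).
      (unless (member "-verify_return_error" args)
        (push 'continues-after-verify-error problems))
      ;; -ssl2 / -ssl3 pin the connection to SSLv2 / SSLv3, so servers
      ;; that only allow TLS cannot be reached.
      (when (or (member "-ssl2" args) (member "-ssl3" args))
        (push 'pinned-to-sslv2-or-sslv3 problems)))
    (nreverse problems)))

(defun my/imap-ssl-audit (templates)
  "Return an alist of (TEMPLATE . PROBLEMS) for flagged entries.
TEMPLATES is a command string or a list of command strings."
  (delq nil
        (mapcar (lambda (template)
                  (let ((problems (my/imap-ssl-template-problems template)))
                    (when problems (cons template problems))))
                (if (listp templates) templates (list templates)))))

;; Constructed sample templates (assumptions, not imap.el's shipped
;; values).  The third one is the setting quoted in the report.
(defvar my/imap-ssl-sample-templates
  '("openssl s_client -quiet -ssl3 -connect %s:%p"
    "openssl s_client -quiet -verify_return_error -connect %s:%p"
    "gnutls-cli --strict-tofu -p %p %s"))

(my/imap-ssl-audit my/imap-ssl-sample-templates)

;; Audit the live setting once imap.el has been loaded.
(when (boundp 'imap-ssl-program)
  (my/imap-ssl-audit imap-ssl-program))
```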