From mboxrd@z Thu Jan 1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Simon Josefsson
Newsgroups: gmane.emacs.devel
Subject: Re: TLS smpt encryption
Date: Mon, 11 Sep 2006 16:00:14 +0200
Message-ID: <87hczeijv5.fsf@latte.josefsson.org>
References: <87bqptfj75.fsf@latte.josefsson.org>
NNTP-Posting-Host: main.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: sea.gmane.org 1157983280 25115 80.91.229.2 (11 Sep 2006 14:01:20 GMT)
X-Complaints-To: usenet@sea.gmane.org
NNTP-Posting-Date: Mon, 11 Sep 2006 14:01:20 +0000 (UTC)
Cc: emacs-devel@gnu.org
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Mon Sep 11 16:01:16 2006
Return-path:
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([199.232.76.165]) by ciao.gmane.org with esmtp (Exim 4.43) id 1GMmL7-0003XZ-7Y for ged-emacs-devel@m.gmane.org; Mon, 11 Sep 2006 16:00:46 +0200
Original-Received: from localhost ([127.0.0.1] helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1GMmL6-00065U-EN for ged-emacs-devel@m.gmane.org; Mon, 11 Sep 2006 10:00:44 -0400
Original-Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1GMmKs-000641-EG for emacs-devel@gnu.org; Mon, 11 Sep 2006 10:00:30 -0400
Original-Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1GMmKq-00062u-QU for emacs-devel@gnu.org; Mon, 11 Sep 2006 10:00:29 -0400
Original-Received: from [199.232.76.173] (helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1GMmKq-00062r-La for emacs-devel@gnu.org; Mon, 11 Sep 2006 10:00:28 -0400
Original-Received: from [217.13.230.178] (helo=yxa.extundo.com) by monty-python.gnu.org with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA:32) (Exim 4.52) id 1GMmM7-0006pc-Ae for emacs-devel@gnu.org; Mon, 11 Sep 2006 10:01:48 -0400
Original-Received: from localhost.localdomain (yxa.extundo.com [217.13.230.178]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id k8BE0FMv013626 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 11 Sep 2006 16:00:16 +0200
Original-To: Phillip Lord
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
Mail-Copies-To: nobody
X-Hashcash: 1:22:060911:emacs-devel@gnu.org::7haG8hGegMojAGcm:E7UJ
X-Hashcash: 1:22:060911:phillip.lord@newcastle.ac.uk::343zCldFdVtcO9Ms:dapH
In-Reply-To: (Phillip Lord's message of "Wed\, 06 Sep 2006 13\:07\:50 +0100")
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.50 (gnu/linux)
X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com
X-Virus-Status: Clean
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Emacs development discussions."
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:59676
Archived-At:

Phillip Lord writes:

>>>>>> "SJ" == Simon Josefsson writes:
>
>
> >> First, the defaults.  To use TLS, you have to reconfigure things
> >> like the ports manually, and have to do so in multiple places.
>
> SJ> The supported way to use TLS is NOT to use another port.
>
> SJ> The recommended practice since 1999, and probably before that,
> SJ> when RFC 2487 came out, is to use port 25 and use STARTTLS on
> SJ> that port.
>
> I am sure that you are correct about the RFCs.  Maybe you are correct
> about people's use of ports as well, I don't know as I have a limited
> number of mail servers to try out on.  All I can say is that anything
> which makes the task of connecting easier, including best guess
> heuristics on port numbers.

Right.

> SJ> Typically, no.
>
> >> So you have to change this.  But this is done in
> >> smtpmail-smtp-service.  The 25's in auth-credentials are only used
> >> to determine which credentials should be used.
>
> SJ> Right, and you could have multiple credentials, for different
> SJ> ports.
>
> Of course, I understand that the system as you have it set up offers
> more flexibility and that this is a good thing.  However, the
> duplication of port numbers in general is confusing.  You have said,
> after all, that in general people use the same port.

Yup.

> >> Confusing.  I don't know what the standards are, but most mail
> >> readers you just click "SSL/TLS encryption" and the ports get
> >> set, or guessed, automatically.
>
> SJ> Again, most programs use the same port.
>
> >> Second, the documentation.  Take...
> >>
> >> ;;(setq smtpmail-starttls-credentials
> >> ;;   '(("YOUR SMTP HOST" 25 "~/.my_smtp_tls.key"
> >> ;;      "~/.my_smtp_tls.cert")))
> >>
> >>
> >> So, what's .my_smtp_tls.key then?  Where does it come from?  How do
> >> I get it?  Can I use gnutls to generate it?  I have no idea at
> >> all.  Further investigation suggests that actually you can leave
> >> this blank, and it should still work.
>
> SJ> Did you read the Emacs SMTP Manual?  An old copy is available
> SJ> from:
>
> SJ> http://josefsson.org/smtpmail.html
>
> Yes.  My comments about the documentation come as a result of reading
> it.  I would not have commented on it had I not done so.  From my
> reading of this, what the certificates used in
> smtpmail-starttls-credentials actually are is not described.  Hence
> the confusion.

Ok.  A complete discussion of X.509 and certificates (a complex topic!)
is not appropriate, but a shorter explanation may be useful.  Patches
welcome...

> SJ> But it is also part of Emacs.
>
> SJ> If you don't have an X.509 certificate/key pair, you can leave
> SJ> those fields empty.  You can generate them using GnuTLS, but you
> SJ> need the server admin to recognize your certificate as well.
> SJ> Typically you don't need client authentication using TLS.
>
> SJ> The documentation for the variable seems sub-optimal here, so I
> SJ> have installed this change:
>
> SJ> --- smtpmail.el 15 Feb 2006 10:22:36 +0100 1.84
> SJ> +++ smtpmail.el 06 Sep 2006 11:07:47 +0200
> SJ>
@@ -176,7 +176,12 @@ > SJ> (defcustom smtpmail-starttls-credentials '(("" 25 "" "")) > SJ> "Specify STARTTLS keys and certificates for servers. > SJ> This is a list of four-element list with `servername' (a > SJ> string), > SJ> -`port' (an integer), `key' (a filename) and `certificate' (a > SJ> filename)." +`port' (an integer), `key' (a filename) and > SJ> `certificate' (a +filename). +If you do not have a > SJ> certificate/key pair, leave the `key' and +`certificate' fields > SJ> as `nil'. A key/certificate pair is only +needed if you want to > SJ> use X.509 client authenticated +connections." > SJ> :type '(repeat (list (string :tag "Server") > SJ> (integer :tag "Port") (file :tag "Key")
>
>
> Thank you, this is much clearer.

Ok.

> >> Third, it would be nice if the documentation made clear that
> >> "TLS" appears to be the same thing as "SSL" -- at least in the
> >> context of SMTP servers.  I was under the impression for a number
> >> of months that I could not use encryption for SMTP as our local
> >> server requires SSL, which smtpmail doesn't do.  Actually, it uses
> >> TLS.  Some documentation saying "if you are required to use SSL,
> >> this is probably what you want".
>
> SJ> SSL is an earlier version of TLS, but they are compatible.  SMTP
> SJ> uses TLS, but people often incorrectly call it SSL.  I modified
> SJ> the Emacs SMTP Manual to mention SSL:
>
> SJ> Index: smtpmail.texi
> SJ> ===================================================================
> SJ> RCS file: /sources/emacs/emacs/man/smtpmail.texi,v
> SJ> retrieving revision 1.13
> SJ> retrieving revision 1.14
> SJ> diff -u -p -r1.13 -r1.14
> SJ> --- smtpmail.texi 5 Feb 2006 22:41:31 -0000 1.13
> SJ> +++ smtpmail.texi 6 Sep 2006 09:10:43 -0000 1.14
> SJ>
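Review bot: in the quoted smtpmail.el hunk (@@ -176,7 +176,12 @@), the new docstring tells users to leave the `key' and `certificate' fields as `nil', but the default shown in the same hunk, '(("" 25 "" "")), uses empty strings, and the `:type' spec uses `(file :tag "Key")', which does not admit nil in the customize widget. Either say the fields may be left empty (""), matching the default, or widen the type to `(choice (const nil) file)' so the docstring, the default and the widget agree.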
@@ -209,6 +209,8 @@ The following example illustrates what y > SJ> @cindex CRAM-MD5 @cindex LOGIN @cindex STARTTLS > SJ> +@cindex TLS +@cindex SSL > SJ> Many environments require SMTP clients to authenticate > SJ> themselves before they are allowed to route mail via a server. > SJ> The two following variables contains the authentication > SJ> information needed for this. > SJ> @@ -220,10 +222,10 @@ that order if the server support both. > SJ> The second variable, @code{smtpmail-starttls-credentials}, > SJ> instructs the SMTP library to connect to the server using > SJ> STARTTLS. This means the protocol exchange may be integrity > SJ> protected and confidential by > SJ> -using TLS, and optionally also authentication of the client. > SJ> This -feature uses the elisp package @file{starttls.el} (see it > SJ> for more -information on customization), which in turn require > SJ> that at least one -of the following external tools are > SJ> installed: +using TLS, also known as SSL, and optionally also > SJ> authentication of +the client. This feature uses the elisp > SJ> package @file{starttls.el} +(see it for more information on > SJ> customization), which in turn require +that at least one of the > SJ> following external tools are installed: > > SJ> @enumerate @item
>
>
>
> I would modify this a bit -- TLS and SSL are not the same thing as you
> suggest.  I would say explicitly what you have just described to me.
>
> This means the protocol exchange may be integrity protected and
> confidential by using TLS, and optionally also authentication of the
> client.
>
> TLS is a secure, encrypted communication method which is compatible
> with SSL.  In most cases where the system admins say that "SSL is
> required", TLS will work.

I have installed this patch.

--- smtpmail.texi 06 Sep 2006 11:10:02 +0200 1.14
+++ smtpmail.texi 11 Sep 2006 15:53:01 +0200
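Review bot: in the quoted smtpmail.texi hunk (@@ -220,10 +222,10 @@), the added wording "using TLS, also known as SSL" presents the two names as interchangeable, which is exactly what Phillip objects to in his reply; stating that SSL is the older protocol that TLS supersedes and remains compatible with would be more accurate. The added line "(see it for more information on +customization), which in turn require +that at least one of the following external tools are installed:" also re-wraps an agreement error from the removed text; it should read "requires that at least one ... is installed".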
@@ -214,6 +214,7 @@ Many environments require SMTP clients to authenticate themselves before they are allowed to route mail via a server. The two following variables contains the authentication information needed for this. + The first variable, @code{smtpmail-auth-credentials}, instructs the SMTP library to use a SASL authentication step, currently only the CRAM-MD5 and LOGIN mechanisms are supported and will be selected in 
@@ -222,10 +223,17 @@ The second variable, @code{smtpmail-starttls-credentials}, instructs the SMTP library to connect to the server using STARTTLS. This means the protocol exchange may be integrity protected and confidential by -using TLS, also known as SSL, and optionally also authentication of -the client. This feature uses the elisp package @file{starttls.el} -(see it for more information on customization), which in turn require -that at least one of the following external tools are installed: +using the Transport Layer Security (TLS) protocol, and optionally also +authentication of the client and server. + +TLS is a security protocol that is also known as SSL, although +strictly speaking, SSL is an older variant of TLS. TLS is backwards +compatible with SSL. In most mundane situations, the two terms are +equivalent. + +The TLS feature uses the elisp package @file{starttls.el} (see it for +more information on customization), which in turn require that at +least one of the following external tools are installed: @enumerate @item

> >> Finally, it doesn't seem to work on windows.  I spent three hours
> >> with a debugger a couple of days ago -- I figured this was the
> >> only way to see if I had the configuration right.  It appears that
> >> starttls.el uses Unix specific process handling, so won't work
> >> with NTEmacs.  I've been told that you can get this working with
> >> cygwin by calling out to kill.exe which works around the
> >> problem.  Bit ugly!  I realise that fixing this properly may take
> >> some time, but updating the documentation would be relatively
> >> quick!
>
> SJ> I've seen it suggested that people have had success on Windows
> SJ> using the starttls binary instead of gnutls-cli.  But I don't
> SJ> really know what works under Windows, so I don't know how to
> SJ> improve things here.
>
> The problem is with your process handling.
>
> (signal-process (process-id process) 'SIGALRM)
>
> won't work.

Why not?  Wouldn't that be a bug in NTEmacs?
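Review bot: in the second hunk of the installed patch (@@ -222,10 +223,17 @@), the re-wrapped closing sentence keeps the agreement errors of the removed text: "+more information on customization), which in turn require that at +least one of the following external tools are installed:" should read "which in turn requires that at least one of the following external tools is installed". The unchanged context line "The two following variables contains the authentication information needed for this." (visible in the first hunk, @@ -214,6 +214,7 @@) has the same problem and could be corrected to "contain" in the same commit.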
> If you are using the cygwin gnutls, then this can be faked using
> "kill" directly, but NTEmacs cannot send this signal, at least to my
> knowledge.

If "kill" can do it, then probably NTEmacs could too.  And NTEmacs
probably should do that, especially if `signal-process' doesn't do
anything useful at all under Windows.  However, some NTEmacs person
should answer this.

> I might try starttls, but in general, it's easier to have as few
> extraneous binaries as possible, hence the desire to use
>
> If TLS is compatible with SSL, would it not be possible to use the SSL
> binaries.  As I say, the IMAP code works fine using SSL?

IMAP uses the same library, starttls.el, as SMTP.  So they are already
using the same tools.  Btw, IMAP uses TLS, strictly speaking.

> >> At the moment, I have access to a non TLS based stream, but this
> >> isn't going to last for ever.  I suspect that many people are in
> >> the same boat.
>
> SJ> Right.  Many people have migrated to SMTP over TLS already.
>
>
> Yep.  Once everywhere goes, I can no longer send email with emacs.  I
> spent 6 months on outlook this year and the experience was, er, less
> than optimal, shall I say.

Many people have migrated to SMTP over TLS with Emacs too, I remember
writing the first support for this in Emacs around 2000 to 2001
somewhere, and many used it successfully even back then.

/Simon
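The thread's central point is that TLS for SMTP is negotiated on port 25 with STARTTLS (RFC 2487, later RFC 3207) rather than on a separate port. The following is an added example, not code from this thread, from smtpmail.el or from starttls.el: a Python model of the plaintext phase of that exchange, with both the client's commands and a constructed server's replies. It parses the multi-line EHLO reply, checks whether STARTTLS was advertised, and has the client quit rather than fall back to an unprotected session when it was not, so no AUTH step or message ever goes over the wire in the clear. The hostnames and reply texts are constructed for the example; no network I/O takes place.

```python
"""Model of the STARTTLS negotiation on port 25 (RFC 2487 / RFC 3207).

Added example; not code from the emacs-devel thread or from Emacs's
smtpmail.el / starttls.el.  Hostnames and server replies below are
constructed for illustration.
"""
import re

# Constructed EHLO replies: a server that offers STARTTLS and one that does not.
EHLO_WITH_STARTTLS = (
    "250-mail.example.org Hello client.example.net\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.org Hello client.example.net\r\n"
    "250-SIZE 10240000\r\n"
    "250 AUTH LOGIN CRAM-MD5\r\n"
)

# 'NNN-text' is a continuation line, 'NNN text' the final line of a reply.
_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo_reply(reply):
    """Parse a multi-line SMTP reply into (code, extension_keywords).

    The first line is the greeting and carries no keyword.  Malformed or
    inconsistent replies raise ValueError instead of being guessed at.
    """
    lines = [ln for ln in reply.split("\r\n") if ln]
    if not lines:
        raise ValueError("empty reply")
    code = None
    keywords = []
    for i, ln in enumerate(lines):
        m = _REPLY_LINE.match(ln)
        if not m:
            raise ValueError("malformed reply line: %r" % ln)
        this_code, sep, text = m.groups()
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("inconsistent codes in multi-line reply")
        is_last = i == len(lines) - 1
        if (sep == " ") != is_last:
            raise ValueError("continuation marker does not match line position")
        if i > 0:
            keywords.append(text.split(" ", 1)[0].upper())
    return code, keywords


def may_start_tls(ehlo_reply):
    """True only if the server answered 250 and advertised STARTTLS."""
    code, keywords = parse_ehlo_reply(ehlo_reply)
    return code == "250" and "STARTTLS" in keywords


def server_reply(command, supports_starttls):
    """Constructed server side: answer one command of the plaintext phase."""
    verb = command.split(" ", 1)[0].upper()
    if verb == "EHLO":
        return EHLO_WITH_STARTTLS if supports_starttls else EHLO_WITHOUT_STARTTLS
    if verb == "STARTTLS":
        # RFC 3207: 220 tells the client to begin the TLS handshake now.
        if supports_starttls:
            return "220 Ready to start TLS\r\n"
        return "454 TLS not available due to temporary reason\r\n"
    if verb == "QUIT":
        return "221 Bye\r\n"
    return "502 Command not implemented\r\n"


def run_exchange(supports_starttls, require_tls=True):
    """Drive the plaintext phase on port 25; return (transcript, upgraded).

    `upgraded` is True when the exchange reached the point where the TLS
    handshake would begin.  With require_tls the client quits instead of
    continuing unprotected, so credentials are never sent in the clear.
    """
    transcript = []

    def say(cmd):
        reply = server_reply(cmd, supports_starttls)
        transcript.append("C: " + cmd)
        transcript.extend("S: " + ln for ln in reply.split("\r\n") if ln)
        return reply

    ehlo_reply = say("EHLO client.example.net")
    if may_start_tls(ehlo_reply) and say("STARTTLS").startswith("220"):
        # The TLS handshake happens here.  Afterwards the client must discard
        # the capabilities learned above and issue EHLO again inside TLS.
        return transcript, True
    if require_tls:
        say("QUIT")
    return transcript, False


if __name__ == "__main__":
    for offered in (True, False):
        lines, upgraded = run_exchange(offered)
        print("\n".join(lines), "\n-> upgraded to TLS:", upgraded, "\n")
```

The same capability check is what decides, in a real client, whether the SASL step (CRAM-MD5 or LOGIN, as the manual text above describes) may proceed; running the check before AUTH is what keeps a server that silently drops STARTTLS from turning an encrypted login into a plaintext one.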