From: Simon Josefsson
Newsgroups: gmane.emacs.devel
Subject: Re: gnus/starttls.el and net/tls.el
Date: Thu, 15 Nov 2007 15:20:35 +0100
Message-ID: <87mytfsi8c.fsf@mocca.josefsson.org>
References: <87tznwq2r3.fsf@mocca.josefsson.org>
To: rms@gnu.org
Cc: emacs-devel@gnu.org
In-Reply-To: (Richard Stallman's message of "Fri, 09 Nov 2007 17:00:08 -0500")
User-Agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)
Xref: news.gmane.org gmane.emacs.devel:83270

Richard Stallman writes:

> tls.el starts talking TLS to the server directly.  starttls.el, however,
> does not begin talking TLS until the application calls
> starttls-negotiate.  In other words, starttls.el allows an unencrypted
> phase before the encrypted phase starts.
>
> Would it be hard to extend tls.el to provide a way to do this?

It would require some work, but it is possible.  (Alas, I don't think I
have time to do it.)

Semantically, the tls package could be implemented via starttls.el by
calling the 'open' and then the 'negotiate' function.  However, tls.el
and starttls.el differ by supporting different external tools, so some
users may get upset if, e.g., the 'starttls' or 'OpenSSL' way stops
working.

I'm not sure I understand the reason though.  Is it to avoid having two
files?  If so, how about moving the code in starttls.el into tls.el?
That would make it easier to slowly re-factor the code to avoid code
duplication.  On the other hand, starttls.el is used by a couple of
packages already, which may break.

> tls.el can use openssl and gnutls.  starttls.el can use gnutls and a
> tool called 'starttls'.
>
> What is the point of `starttls'?  For what purpose is it useful
> to use that, rather than GNUtls?

Today, I don't think there is any reason, but I may be biased towards
favoring GnuTLS.  gnutls-cli didn't use to support starttls operations,
but it does today.  As far as I remember, 'starttls' doesn't verify
server certificates, so starttls may be considered insecure.

/Simon
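The "open, then negotiate" model the message describes, applied to an SMTP session, as an added example. This is not code from tls.el, starttls.el or the thread. It assumes the Emacs 22 starttls.el API (`starttls-open-stream`, `starttls-negotiate`, `starttls-use-gnutls`, `starttls-extra-arguments`) and the tls.el entry point `open-tls-stream`; the CA bundle path, the host name and the `my-` function names are placeholders. It further assumes, as the lead-in comment states, that gnutls-cli, when given a trust store, reports the verification result in the text `starttls-negotiate` returns, so that a session whose certificate was not verified is refused before anything sensitive is sent over it.

```elisp
;; Added example, not code from tls.el or starttls.el.  Shows the plaintext
;; phase that starttls.el allows, the point at which TLS is negotiated on the
;; same connection, and a check that nothing sensitive is sent unless the
;; handshake succeeded and the peer certificate was verified.
;; Assumptions: Emacs 22 starttls.el API; gnutls-cli with --x509cafile prints
;; "Peer's certificate is NOT trusted" for an unverifiable chain and that text
;; is part of what `starttls-negotiate' returns.  Paths and hosts are placeholders.
(require 'starttls)
(require 'tls)

(defvar my-ca-bundle "/etc/ssl/certs/ca-certificates.crt"
  "Placeholder path to a CA bundle; adjust for your system.")

(defun my-smtp-read-reply (proc)
  "Wait for a complete SMTP reply in PROC's buffer and return its 3-digit code.
Signals an error if the server stays silent for about 30 seconds."
  (with-current-buffer (process-buffer proc)
    (let ((tries 6))
      (goto-char (point-max))
      ;; A reply is complete when its last line has a space after the code
      ;; (continuation lines use a dash).
      (while (not (re-search-backward "^\\([0-9][0-9][0-9]\\) .*\n" nil t))
        (when (zerop tries) (error "Timeout waiting for SMTP reply"))
        (setq tries (1- tries))
        (accept-process-output proc 5)
        (goto-char (point-max)))
      (prog1 (match-string 1)
        (erase-buffer)))))

(defun my-smtp-command (proc line)
  "Send LINE as an SMTP command on PROC and return the reply code."
  (process-send-string proc (concat line "\r\n"))
  (my-smtp-read-reply proc))

(defun my-smtp-starttls-connect (host)
  "Open an SMTP session to HOST on port 25, upgrade it with STARTTLS and
verify the peer.  Returns the process only if TLS was negotiated and the
certificate is trusted; otherwise the connection is closed and an error
is signalled.  Nothing sensitive (AUTH, message bodies) should be sent
before this function returns."
  (let* ((starttls-use-gnutls t)          ; never fall back to the `starttls' tool
         (starttls-extra-arguments (list "--x509cafile" my-ca-bundle))
         (buf (generate-new-buffer " *smtp-starttls*"))
         (proc (starttls-open-stream "smtp-starttls" buf host 25))
         info)
    ;; Everything up to `starttls-negotiate' travels in the clear.
    (unless (equal (my-smtp-read-reply proc) "220")
      (delete-process proc)
      (error "No SMTP greeting from %s" host))
    (my-smtp-command proc "EHLO client.example")       ; placeholder client name
    (unless (equal (my-smtp-command proc "STARTTLS") "220")
      (delete-process proc)
      (error "%s refused STARTTLS" host))
    ;; Only now does TLS start, on the connection that was already open.
    (setq info (starttls-negotiate proc))
    (cond ((null info)
           (delete-process proc)
           (error "TLS handshake with %s failed" host))
          ;; Assumed gnutls-cli wording for an unverifiable chain.
          ((string-match "certificate is NOT trusted" info)
           (delete-process proc)
           (error "Untrusted certificate from %s" host))
          (t proc))))

(defun my-smtps-connect (host)
  "The tls.el model for contrast: TLS from the first byte, no plaintext phase."
  (open-tls-stream "smtps" (generate-new-buffer " *smtps*") host 465))
```

After `my-smtp-starttls-connect` returns, the caller should issue a fresh EHLO over the encrypted channel before authenticating, since the capabilities announced in the plaintext phase are not to be trusted. The untrusted-certificate branch is what the message's last paragraph is about: an external tool that does not verify the server certificate yields a session that is encrypted but not authenticated, which is why `starttls-use-gnutls` is forced on and a trust store is passed here.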