emacs-devel

Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.


From: Kurt Roeckx
Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Sat, 20 Feb 2016 16:28:32 +0100
User-agent: Mutt/1.5.24 (2015-08-30)

On Fri, Oct 24, 2014 at 09:39:28AM -0400, Ted Zlatanov wrote:
> On Thu, 23 Oct 2014 10:57:17 -0500 Rob Browning <address@hidden> wrote: 
> 
> RB> Ted Zlatanov <address@hidden> writes:
> >> could you provide a test case?  The information gathered by
> >> `M-x report-emacs-bug' would be really helpful, too.
> 
> RB> Hmm, I'm not the original reporter, and don't yet deeply understand the
> RB> relevant issues, but on the surface, the "bug" appears to just ask that
> RB> Emacs "stop using or mentioning s_client".
> 
> I replied to the bug address as well, so I hope Kurt responds with a recipe.
> 
> RB> If that turns out to be a reasonable request, then I'd imagine that the
> RB> code in imap.el, etc. would need adjustment, i.e.
> 
> No, the logic that needs to change is the one that opens the network
> stream (and imap.el will be obsoleted, as Lars and Stefan mentioned).
> But I'd like to know what's using imap.el in Kurt's case because I don't
> know of any code that uses it.  Was he just warning that imap.el *could*
> use s_client?  I went to the original bug report and couldn't find that
> information, sorry.
> 
> RB> In any case, I can certainly send you the report-emacs-bug information
> RB> from my system, but the bug didn't originate there (I don't even have
> RB> emacs23 installed at the moment).  Did you mean for Kurt to send it?
> 
> Yes, sorry, the web interface misled me.  Kurt?
> 
> RB> And what kind of test did you have in mind?
> 
> Some code that lets me replicate the bug or issue on a Debian system,
> with enough information to let me bring up such a system in a virtual
> environment.

Someone suggested I should reply to this.

First, I'm not an emacs user, I'm the openssl maintainer in
Debian.  I think this started with me disabling SSLv3 support and
then getting reports that I broke emacs / gnus and I just looked
around what was going on.

From what I understand, it is (or was) possible to configure
things in such a way that it uses s_client to set up SSL, even
when it's configured to use gnutls.  You should never use s_client
for that.  s_client is a debug tool.  It does create an SSL
connection for you, but in an insecure way.

When looking around, I saw examples of using s_client in combination
with "-ssl2" and "-ssl3".  That is, only support those protocol
versions.  They are so broken that I removed support for them.
You should clearly never document that they should use those
options.  That probably all comes from the time SSLv2 and SSLv3
were the only 2 supported protocol versions, and you should
probably update the documentation to have more recent information
in it.

I hope this clears things up.


Kurt
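
A configuration check for the two points raised in the message above, as an added example that is not part of the original e-mail or of Emacs: it scans Emacs Lisp text for command strings that invoke s_client and notes any that restrict the protocol with "-ssl2" or "-ssl3". The variable names and the sample configuration are hypothetical and constructed for illustration.

```python
import re
import shlex

# Protocol-pinning options named in the message above.
LEGACY_FLAGS = {"-ssl2", "-ssl3"}
# Double-quoted Lisp string literal, allowing backslash escapes.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')

def audit_command(command):
    """Return a list of findings for one command template string."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = command.split()
    if "s_client" not in tokens:
        return []
    findings = ["uses s_client (a debug tool) to set up the connection"]
    legacy = sorted(LEGACY_FLAGS.intersection(tokens))
    if legacy:
        findings.append("restricts the protocol to " + ", ".join(legacy))
    return findings

def audit_config(text):
    """Scan Emacs Lisp text; return (line_number, command, findings) tuples."""
    results = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(";"):  # skip whole-line Lisp comments
            continue
        for match in STRING_LITERAL.finditer(line):
            findings = audit_command(match.group(1))
            if findings:
                results.append((number, match.group(1), findings))
    return results

# Constructed sample configuration; the variable names are hypothetical.
SAMPLE = r'''
;; old advice: "openssl s_client -ssl3 -connect %s:%p"
(setq example-tls-program
      '("gnutls-cli -p %p %h"
        "openssl s_client -quiet -ssl3 -connect %h:%p"
        "openssl s_client -connect %h:%p -ign_eof"))
(setq example-imap-program "/usr/bin/openssl s_client -ssl2 -connect %s:%p")
'''

if __name__ == "__main__":
    for number, command, findings in audit_config(SAMPLE):
        print(f"line {number}: {command}")
        for finding in findings:
            print(f"  - {finding}")
```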