bug-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#19283: 25.0.50; imap.el with man-in-the-middle vulnerability


From: Jens Lechtenboerger
Subject: bug#19283: 25.0.50; imap.el with man-in-the-middle vulnerability
Date: Fri, 05 Dec 2014 21:39:41 +0100
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)

On 2014-12-05, Andreas Schwab wrote:

> Jens Lechtenboerger <address@hidden> writes:
>
>> In addition, imap.el only tries SSLv2 and SSLv3,
>
> imap.el always tries STARTTLS and TLS before SSL, unless you force it to
> do otherwise.

I’m sorry, I meant to talk about imap-ssl-program, which I mentioned
above that quote.  So it should read: “imap-ssl-program in imap.el
only tries SSLv2 and SSLv3”

But you are right, I’m using “:stream ssl” among mail-sources.
If I remove that, the connection uses STARTTLS, which ultimately
calls starttls-gnutls-program, for which I suggested
(setq starttls-extra-arguments '("--strict-tofu"))
in bug#16978 to avoid MITM with “trusted” certificates.

Changing to “:stream tls” seems to invoke tls-program, about which I
filed bug#19284.

Best wishes
Jens





reply via email to

[Prev in Thread] Current Thread [Next in Thread]