bug-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#19284: 25.0.50; tls.el uses option --insecure


From: Lars Ingebrigtsen
Subject: bug#19284: 25.0.50; tls.el uses option --insecure
Date: Sat, 26 Dec 2015 22:15:45 +0100
User-agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/25.1.50 (gnu/linux)

Jens Lechtenboerger <jens.lechtenboerger@fsfe.org> writes:

> This is a followup to bug#16978, where I reported multiple MITM
> issues.
>
> tls.el calls gnutls-cli with option --insecure.
>
> As Emacs applies TOFU by default via nsm.el (great work, many
> thanks!), the above is dangerous.  I continue to use the following:
> (setq tls-program '("gnutls-cli --strict-tofu -p %p %h"))
>
> I’m not sure under what conditions tls.el is necessary.  Is it?

tls is not used if Emacs is build with GnuTLS (which all significant
distributions are, I think).  

As Stefan said in a different report -- perhaps we should just require
Emacs with built-in TLS support if you want to use TLS.  That would
essentially mean that we should just remove tls.el and starttls.el.

Alternatively we could, in Emacs 25.1, just remove the --insecure
settings and let people who try to connect to their IMAP server just
fail somewhat mysteriously (it's very common to have self-signed certs
for IMAP).

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no





reply via email to

[Prev in Thread] Current Thread [Next in Thread]