[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Bug#766397: Bug#766395: emacs/gnus: Uses s_client to for SSL.
From: |
Antoine Beaupre |
Subject: |
Re: Bug#766397: Bug#766395: emacs/gnus: Uses s_client to for SSL. |
Date: |
Wed, 22 Feb 2017 15:38:17 -0500 |
User-agent: |
NeoMutt/20170113 (1.7.2) |
On Sun, Feb 21, 2016 at 01:47:45PM +1100, Lars Ingebrigtsen wrote:
> Kurt Roeckx <address@hidden> writes:
>
> > From what I understand, it is (or was) possible to configure
> > things in such a way that it uses s_client to set up SSL, even
> > when it's configured to use gnutls. You should never use s_client
> > for that. s_client is a debug tool. It does create an SSL
> > connection for you, but in an insecure way.
>
> Emacs has built-in TLS support these days, so s_client is only used if
> the user (for some weird reason or other) has built or installed a
> version of Emacs without TLS support.
>
> I think that should probably be removed, because it's less secure than
> users would expect.
This is now a release-blocking bug, but hasn't seen any activity in the
last year or so. It would be good to see this finally fixed!
Obviously, one should never use openssl s_client for stuff like this...
I should also note that even though Emacs 24 supports TLS natively now,
its handling of X509 certificate is really problematic, as documented in
#816063. I would hardly consider it complete.
Emacs 25 doesn't suffer from those issues, but may still allow
s_client...
A.
--
Il est sage de nous réconcilier avec notre adolescence ; haїr, mépriser,
nier ou simplement oublier l’adolescent que nous fûmes est en soi une
attitude adolescente.
- Daniel Pennac, Comme un roman
signature.asc
Description: PGP signature
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: Bug#766397: Bug#766395: emacs/gnus: Uses s_client to for SSL.,
Antoine Beaupre <=