emacs-devel

Re: Bug#766397: Bug#766395: emacs/gnus: Uses s_client to for SSL.


From: Rob Browning
Subject: Re: Bug#766397: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Sun, 16 Apr 2017 12:28:54 -0500

Antoine Beaupre <address@hidden> writes:

> Obviously, one should never use openssl s_client for stuff like this...
> I should also note that even though Emacs 24 supports TLS natively now,
> its handling of X.509 certificates is really problematic, as documented in
> #816063.

I've just uploaded emacs24 24.5+1-9 and requested an unblock to
hopefully address #816063 by configuring --without-gnutls, depending on
gnutls-cli, and backporting three upstream patches that remove the
--insecure argument from the gnutls-cli invocation and have it use
system certificates.

With respect to *this* bug, I'm slightly wary of the part of the patch
suggested earlier that removes imap-ssl-open entirely, since it seems
possible that external (user or other) code might be using it, perhaps
with full knowledge of its limitations.

So assuming (as suggested in the original patch) that it's
appropriate/acceptable to just substitute imap-tls-open for
imap-ssl-open, then I wondered if this or something like it might
address the immediate concerns:

From 9db659f9f18a79c7295e609472deb66467be0dbb Mon Sep 17 00:00:00 2001
From: Rob Browning <address@hidden>
Date: Sun, 16 Apr 2017 12:08:07 -0500
Subject: Don't use s_client

---
 lisp/net/imap.el |  2 +-
 lisp/net/tls.el  | 15 +++++----------
 2 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/lisp/net/imap.el b/lisp/net/imap.el
index 3e59823..47f3d01 100644
--- a/lisp/net/imap.el
+++ b/lisp/net/imap.el
@@ -293,7 +293,7 @@ Shorter values mean quicker response, but is more CPU 
intensive."
   '((gssapi    imap-gssapi-stream-p    imap-gssapi-open)
     (kerberos4 imap-kerberos4-stream-p imap-kerberos4-open)
     (tls       imap-tls-p              imap-tls-open)
-    (ssl       imap-ssl-p              imap-ssl-open)
+    (ssl       imap-tls-p              imap-tls-open)
     (network   imap-network-p          imap-network-open)
     (shell     imap-shell-p            imap-shell-open)
     (starttls  imap-starttls-p         imap-starttls-open))
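Review bot: the `ssl` row is now identical to the `tls` row directly above it, so a reader of this table cannot tell whether the duplication is deliberate; a one-line comment such as `;; `ssl' is kept as an alias of `tls' so existing stream settings keep working` would record the intent given in the cover letter, and any docstring that still describes `ssl` as the OpenSSL-backed stream type should be updated in the same change. Note also that the mailer has wrapped the hunk header (`@@ -293,7 +293,7 @@ ... CPU` / `intensive.`), so this hunk will not apply as pasted.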
diff --git a/lisp/net/tls.el b/lisp/net/tls.el
index 68a3ff6..287de40 100644
--- a/lisp/net/tls.el
+++ b/lisp/net/tls.el
@@ -78,8 +78,7 @@ and `gnutls-cli' (version 2.0.1) output."
 
 (defcustom tls-program
   '("gnutls-cli --x509cafile %t -p %p %h"
-    "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
-    "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
+    "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3")
   "List of strings containing commands to start TLS stream to a host.
 Each entry in the list is tried until a connection is successful.
 %h is replaced with server hostname, %p with port to connect to.
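Review bot: with the `openssl s_client` entry gone, the only remaining fallback in the default value is `gnutls-cli --x509cafile %t -p %p %h --protocols ssl3`, which forces SSL 3.0; SSL 3.0 is deprecated (RFC 7568) and is refused by most current servers, so consider dropping that entry as well rather than leaving a protocol-downgrade command as the sole fallback. The docstring line `Each entry in the list is tried until a connection is successful.` is the reason this matters: a failed modern handshake would be retried with the weaker protocol.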
@@ -93,20 +92,17 @@ successful negotiation."
   '(choice
     (const :tag "Default list of commands"
           ("gnutls-cli --x509cafile %t -p %p %h"
-           "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
-           "openssl s_client -CAfile %t -connect %h:%p -no_ssl2 -ign_eof"))
+           "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"))
     (list :tag "Choose commands"
          :value
          ("gnutls-cli --x509cafile %t -p %p %h"
-          "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
-          "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
+          "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3")
          (set :inline t
               ;; FIXME: add brief `:tag "..."' descriptions.
               ;; (repeat :inline t :tag "Other" (string))
               ;; No trust check:
               (const "gnutls-cli --insecure -p %p %h")
-              (const "gnutls-cli --insecure -p %p %h --protocols ssl3")
-              (const "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"))
+              (const "gnutls-cli --insecure -p %p %h --protocols ssl3"))
          (repeat :inline t :tag "Other" (string)))
     (list :tag "List of commands"
          (repeat :tag "Command" (string))))
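Review bot: the `:tag "Default list of commands"` constant and the `:value` of the "Choose commands" list both still match the new default value exactly (two entries each), which the customize UI needs in order to recognise an unmodified default; good. The "No trust check" set still offers the two `--insecure` gnutls-cli commands, which skip certificate verification entirely; since this bug is about verification, consider giving that set an explicit tag such as `:tag "No trust check (insecure)"`, which would also address the existing `;; FIXME: add brief `:tag "..."' descriptions.` comment.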
@@ -137,8 +133,7 @@ consider trustworthy, e.g.:
 
 \(setq tls-program
       '(\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h\"
-       \"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h 
--protocols ssl3\"
-       \"openssl s_client -connect %h:%p -CAfile 
/etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof\"))"
+       \"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h 
--protocols ssl3\"))"
   :type '(choice (const :tag "Always" t)
                 (const :tag "Never" nil)
                 (const :tag "Ask" ask))
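Review bot: the docstring example is wrapped mid-string in the pasted patch (the `--protocols ssl3\"` continuation lines start at column 0 and begin with `--`, which a diff parser reads as removals), so `git am` cannot apply this hunk as posted; attach the `git format-patch` output or resend with line wrapping disabled. Once applied, keep this example in step with the default: if the `--protocols ssl3` entry is dropped from `tls-program`, drop it here too.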
-- 
cgit v0.12

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
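As an added example (not code from this thread or from Emacs), the following Python audit checks a `tls-program` list for the weak entries the patch above removes or leaves behind: `openssl s_client` commands, `--insecure`, and a forced `--protocols ssl3`. The sample entries are constructed from the commands shown in the patch; the function names are mine.

```python
import shlex

# Constructed sample: tls-program entries as they appear in the patch above.
SAMPLE_TLS_PROGRAM = [
    "gnutls-cli --x509cafile %t -p %p %h",
    "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3",
    "openssl s_client -connect %h:%p -no_ssl2 -ign_eof",
    "gnutls-cli --insecure -p %p %h",
]


def audit_tls_command(cmd):
    """Return a list of findings for one tls-program entry (empty means OK)."""
    argv = shlex.split(cmd)
    if not argv:
        return ["empty command"]
    findings = []
    tool = argv[0]
    if tool == "openssl" and "s_client" in argv:
        # s_client is a debugging client: by default it completes the handshake
        # and keeps the connection open even when chain verification fails.
        if "-verify_return_error" not in argv:
            findings.append("s_client continues after certificate verification failure")
        if "-CAfile" not in argv and "-CApath" not in argv:
            findings.append("no CA store given to s_client (-CAfile/-CApath)")
    elif tool == "gnutls-cli":
        if "--insecure" in argv:
            findings.append("--insecure disables certificate verification")
        elif "--x509cafile" not in argv:
            findings.append("no --x509cafile: trust store is gnutls-cli's default")
        if "--protocols" in argv:
            idx = argv.index("--protocols")
            protos = argv[idx + 1].lower() if idx + 1 < len(argv) else ""
            if "ssl3" in protos:
                findings.append("forces SSL 3.0 (deprecated by RFC 7568)")
    else:
        findings.append(f"unrecognised TLS helper: {tool}")
    return findings


def audit_tls_program(entries):
    """Map each entry to its findings."""
    return {cmd: audit_tls_command(cmd) for cmd in entries}


def hardened_tls_program(entries):
    """Keep only the entries that raise no findings (the corrected list)."""
    return [cmd for cmd in entries if not audit_tls_command(cmd)]
```

Running `hardened_tls_program(SAMPLE_TLS_PROGRAM)` leaves only the CA-verified gnutls-cli entry, which is the configuration the thread is steering towards.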
