[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#19284: 25.0.50; tls.el uses option --insecure
|
From: |
Lars Ingebrigtsen |
|
Subject: |
bug#19284: 25.0.50; tls.el uses option --insecure |
|
Date: |
Sat, 26 Dec 2015 22:15:45 +0100 |
|
User-agent: |
Gnus/5.130014 (Ma Gnus v0.14) Emacs/25.1.50 (gnu/linux) |
Jens Lechtenboerger <jens.lechtenboerger@fsfe.org> writes:
> This is a followup to bug#16978, where I reported multiple MITM
> issues.
>
> tls.el calls gnutls-cli with option --insecure.
>
> As Emacs applies TOFU by default via nsm.el (great work, many
> thanks!), the above is dangerous. I continue to use the following:
> (setq tls-program '("gnutls-cli --strict-tofu -p %p %h"))
>
> I’m not sure under what conditions tls.el is necessary. Is it?
tls is not used if Emacs is build with GnuTLS (which all significant
distributions are, I think).
As Stefan said in a different report -- perhaps we should just require
Emacs with built-in TLS support if you want to use TLS. That would
essentially mean that we should just remove tls.el and starttls.el.
Alternatively we could, in Emacs 25.1, just remove the --insecure
settings and let people who try to connect to their IMAP server just
fail somewhat mysteriously (it's very common to have self-signed certs
for IMAP).
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
- bug#19284: 25.0.50; tls.el uses option --insecure,
Lars Ingebrigtsen <=