From debbugs-submit-bounces@debbugs.gnu.org Fri Dec 05 14:38:55 2014
From: Jens Lechtenboerger
To: bug-gnu-emacs@gnu.org
Subject: 25.0.50; imap.el with man-in-the-middle vulnerability
Date: Fri, 05 Dec 2014 20:38:21 +0100
Message-ID: <86ppbxq442.fsf@informationelle-selbstbestimmung-im-internet.de>
User-Agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)

This is a followup to bug#16978, where I reported multiple MITM
issues.

imap.el uses openssl's s_client via imap-ssl-program.  From the man
page:

> The s_client utility is a test tool and is designed to continue
> the handshake after any certificate verification errors.  As a
> result it will accept any certificate chain (trusted or not) sent
> by the peer.  Non-test applications should not do this as it makes
> them vulnerable to a MITM attack.  This behaviour can be changed
> with the -verify_return_error option: any verify errors are then
> returned, aborting the handshake.

In addition, imap.el only tries SSLv2 and SSLv3, whose end-of-life
might be near.  I cannot access some of my servers at all (as they
only allow TLS).

If the above was fixed, one would still be vulnerable to attacks with
“trusted” certificates.  imap.el should probably use nsm.el.

In the meantime, I continue to use the following:

(setq imap-ssl-program '("gnutls-cli --strict-tofu -p %p %s"))

Best wishes
Jens

From debbugs-submit-bounces@debbugs.gnu.org Fri Dec 05 14:47:35 2014
From: Andreas Schwab
To: Jens Lechtenboerger
Subject: Re: bug#19283: 25.0.50; imap.el with man-in-the-middle vulnerability
References: <86ppbxq442.fsf@informationelle-selbstbestimmung-im-internet.de>
Date: Fri, 05 Dec 2014 20:47:30 +0100
In-Reply-To: <86ppbxq442.fsf@informationelle-selbstbestimmung-im-internet.de> (Jens Lechtenboerger's message of "Fri, 05 Dec 2014 20:38:21 +0100")
Message-ID: <87r3wdop4d.fsf@igel.home>
Cc: 19283@debbugs.gnu.org
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (gnu/linux)

Jens Lechtenboerger writes:

> In addition, imap.el only tries SSLv2 and SSLv3,

imap.el always tries STARTTLS and TLS before SSL, unless you force it to
do otherwise.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."
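The initial report makes two separate points: the default imap-ssl-program delegates the TLS decision to openssl s_client, which continues the handshake after a failed certificate check, and even a correct check still trusts any certificate a CA will issue, which is why the reporter pins with gnutls-cli --strict-tofu. The following Python sketch is an added example, not code from imap.el, OpenSSL or GnuTLS, and shows both halves with the standard library: a client that fails closed on chain and hostname errors, and a trust-on-first-use pin store whose strict mode refuses a changed certificate the way --strict-tofu does. The host name, the JSON layout of the pin file and the DER stand-in byte strings in demo() are constructed for this example.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path


class PinMismatch(Exception):
    """The peer presented a certificate that differs from the stored pin."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding, the usual pin format."""
    return "sha256:" + hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    """host:port -> fingerprint map; strict=True is the --strict-tofu model.

    path=None keeps pins in memory only (demo() uses that); otherwise they
    are persisted as JSON so later sessions can compare. Layout is assumed.
    """

    def __init__(self, path=None, strict=True):
        self.path = Path(path) if path else None
        self.strict = strict
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def check(self, host, port, cert_der):
        key = f"{host}:{port}"
        seen = fingerprint(cert_der)
        known = self.pins.get(key)
        if known is None:              # first use: record and trust
            self.pins[key] = seen
            self._save()
            return "pinned"
        if known == seen:
            return "match"
        if self.strict:                # strict: a changed cert is fatal
            raise PinMismatch(f"{key}: pinned {known}, got {seen}")
        return "changed"               # lenient: the caller must decide

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=1))


def connect_verified(host, port, store, cafile=None, timeout=10):
    """TLS connection that fails closed, then applies the TOFU pin.

    Unlike s_client's default (CERT_NONE, handshake continues after a
    verification error) this refuses an untrusted chain or a hostname
    mismatch before any IMAP traffic is sent, and never falls back to
    SSLv2/SSLv3.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # system CAs if None
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # raises on verify failure
    try:
        store.check(host, port, tls.getpeercert(binary_form=True))
    except PinMismatch:
        tls.close()
        raise
    return tls


def connect_like_s_client(host, port, timeout=10):
    """What the default s_client behaviour amounts to: any chain accepted.

    Shown for contrast only; an interposer with any certificate succeeds.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


def demo():
    """Exercise the pin store offline with constructed stand-in DER blobs."""
    cert_a = b"constructed-der-for-server-A"    # stands in for real DER bytes
    cert_b = b"constructed-der-for-interposer"  # a different, CA-signed cert
    strict = TofuStore(strict=True)
    results = [strict.check("imap.example", 993, cert_a),   # first use
               strict.check("imap.example", 993, cert_a)]   # same cert again
    try:
        strict.check("imap.example", 993, cert_b)           # swapped cert
        results.append("accepted")
    except PinMismatch:
        results.append("refused")
    lenient = TofuStore(strict=False)
    lenient.check("imap.example", 993, cert_a)
    results.append(lenient.check("imap.example", 993, cert_b))
    return results


if __name__ == "__main__":
    print(demo())  # ['pinned', 'match', 'refused', 'changed']
```

The pin check runs after the normal chain and hostname verification, not instead of it, so a certificate that is both CA-trusted and unchanged is the only one accepted; a first connection over an already-compromised path still pins the wrong certificate, which is the known limit of trust-on-first-use.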
From debbugs-submit-bounces@debbugs.gnu.org Fri Dec 05 15:39:48 2014
From: Jens Lechtenboerger
To: Andreas Schwab
Cc: 19283@debbugs.gnu.org
Subject: Re: bug#19283: 25.0.50; imap.el with man-in-the-middle vulnerability
References: <86ppbxq442.fsf@informationelle-selbstbestimmung-im-internet.de> <87r3wdop4d.fsf@igel.home>
OpenPGP: id=0xA142FD84; url=http://www.informationelle-selbstbestimmung-im-internet.de/A142FD84.asc
Date: Fri, 05 Dec 2014 21:39:41 +0100
In-Reply-To: <87r3wdop4d.fsf@igel.home> (Andreas Schwab's message of "Fri, 05 Dec 2014 20:47:30 +0100")
Message-ID: <86lhmlq19u.fsf@informationelle-selbstbestimmung-im-internet.de>
User-Agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)

On 2014-12-05, Andreas Schwab wrote:

> Jens Lechtenboerger writes:
>
>> In addition, imap.el only tries SSLv2 and SSLv3,
>
> imap.el always tries STARTTLS and TLS before SSL, unless you force it to
> do otherwise.

I’m sorry, I meant to talk about imap-ssl-program, which I mentioned
above that quote.  So it should read: “imap-ssl-program in imap.el only
tries SSLv2 and SSLv3”.

But you are right, I’m using “:stream ssl” among mail-sources.  If I
remove that, the connection uses STARTTLS, which ultimately calls
starttls-gnutls-program, for which I suggested

(setq starttls-extra-arguments '("--strict-tofu"))

in bug#16978 to avoid MITM with “trusted” certificates.

Changing to “:stream tls” seems to invoke tls-program, about which I
filed bug#19284.
Best wishes
Jens

From debbugs-submit-bounces@debbugs.gnu.org Sat Jul 25 16:12:59 2015
From: Glenn Morris
To: control@debbugs.gnu.org
Subject: control message for bug 19759
Date: Sat, 25 Jul 2015 16:12:55 -0400

block 19759 by 19283

From debbugs-submit-bounces@debbugs.gnu.org Sat Dec 26 16:32:24 2015
From: Lars Ingebrigtsen
To: Jens Lechtenboerger
Cc: 19283@debbugs.gnu.org
Subject: Re: bug#19283: 25.0.50; imap.el with man-in-the-middle vulnerability
References: <86ppbxq442.fsf@informationelle-selbstbestimmung-im-internet.de>
Date: Sat, 26 Dec 2015 22:31:58 +0100
In-Reply-To: <86ppbxq442.fsf@informationelle-selbstbestimmung-im-internet.de> (Jens Lechtenboerger's message of "Fri, 05 Dec 2014 20:38:21 +0100")
Message-ID: <878u4gq4kx.fsf@gnus.org>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/25.1.50 (gnu/linux)

Jens Lechtenboerger writes:

> This is a followup to bug#16978, where I reported multiple MITM
> issues.
>
> imap.el uses openssl's s_client via imap-ssl-program.

This has been fixed in Emacs 25.1 now.

-- 
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no

From debbugs-submit-bounces@debbugs.gnu.org Sat Dec 26 16:32:30 2015
From: Lars Ingebrigtsen
To: control@debbugs.gnu.org
Subject: control message for bug #19283
Date: Sat, 26 Dec 2015 22:32:08 +0100
Message-Id: <877fk0q4kn.fsf@gnus.org>

close 19283 25.1

From unknown Tue Jun 24 15:42:53 2025
From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Sun, 24 Jan 2016 12:24:11 +0000

bug archived.