GNU bug report logs - #20078
imap with openssl


Package: emacs;

Reported by: William F Hammond <gellmu <at> gmail.com>

Date: Wed, 11 Mar 2015 03:05:04 UTC

Severity: important

Tags: security

Merged with 21134

Found in version 24.5

Fixed in version 25.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#20078; Package emacs. (Wed, 11 Mar 2015 03:05:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to William F Hammond <gellmu <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Wed, 11 Mar 2015 03:05:04 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: William F Hammond <gellmu <at> gmail.com>
To: bug-gnu-emacs <at> gnu.org
Subject: imap with openssl
Date: Tue, 10 Mar 2015 19:31:51 -0700
I've been using imap with openssl happily for about 15 years.

Recently it stopped working with a very well-known mail host.  A friend who
is usually on top of these things tells me that there is a vulnerability
named "poodle" when using the -ssl3 option of openssl s_client and one
should now have at the top of the list
imap-ssl-program (in imap.el) the following:

         "openssl s_client -quiet -tls1 -connect %s:%p"

He hastens to point out that the option -tls1 does not mean that one is
using tls rather than ssl -- a statement that means little to me.

Meanwhile, without the latest imap.el one can patch this easily enough in
.gnus by cons-ing the new string into imap-ssl-program AFTER manually
loading imap.

-- 
William F Hammond
Email: gellmu <at> gmail.com
https://www.facebook.com/william.f.hammond
http://www.albany.edu/~hammond
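
The .gnus workaround described in the report above, as an added Emacs Lisp example (not code from the thread or from imap.el): it waits until imap is loaded, drops any command that passes -ssl2 or -ssl3, and puts the quoted -tls1 command first. The `my/` names are hypothetical; note that -tls1 restricts openssl s_client to TLS 1.0 only.

```elisp
;; Added example; the my/ names are hypothetical and not part of imap.el.
(require 'cl-lib)

(defconst my/imap-tls-command
  "openssl s_client -quiet -tls1 -connect %s:%p"
  "Command string quoted in the bug report.")

(defun my/imap-harden-ssl-program (programs)
  "Return PROGRAMS without SSLv2/SSLv3 commands, TLS command first.
PROGRAMS is a single command string or a list of command strings."
  (let* ((cmds (if (stringp programs) (list programs) programs))
         ;; Match -ssl2 / -ssl3 only as a whole command-line argument.
         (safe (cl-remove-if
                (lambda (cmd)
                  (string-match-p "\\(?:^\\| \\)-ssl[23]\\(?: \\|$\\)" cmd))
                cmds)))
    ;; Avoid a duplicate entry if the TLS command is already listed.
    (cons my/imap-tls-command (remove my/imap-tls-command safe))))

;; The report stresses that the change must happen AFTER imap is loaded;
;; `with-eval-after-load' (Emacs 24.4+) takes care of the ordering.
(with-eval-after-load 'imap
  (setq imap-ssl-program
        (my/imap-harden-ssl-program imap-ssl-program)))
```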

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#20078; Package emacs. (Wed, 11 Mar 2015 17:34:02 GMT) Full text and rfc822 format available.

Message #8 received at 20078 <at> debbugs.gnu.org (full text, mbox):

From: Glenn Morris <rgm <at> gnu.org>
To: William F Hammond <gellmu <at> gmail.com>
Cc: 20078 <at> debbugs.gnu.org
Subject: Re: bug#20078: imap with openssl
Date: Wed, 11 Mar 2015 13:33:10 -0400
Thanks for the report.
I think basically what you are talking about is the same as

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766397

which was forwarded to emacs-devel, which is a great way to ensure
things get lost, so it's good to have an actual bug report for it now.

The discussion is here, but AFAICS nothing actually happened:
http://lists.gnu.org/archive/html/emacs-devel/2014-10/msg00803.html




Severity set to 'important' from 'normal' Request was from Glenn Morris <rgm <at> gnu.org> to control <at> debbugs.gnu.org. (Wed, 11 Mar 2015 17:34:03 GMT) Full text and rfc822 format available.

Added tag(s) security. Request was from Glenn Morris <rgm <at> gnu.org> to control <at> debbugs.gnu.org. (Wed, 11 Mar 2015 17:34:03 GMT) Full text and rfc822 format available.

Added indication that bug 20078 blocks 19759 Request was from Glenn Morris <rgm <at> gnu.org> to control <at> debbugs.gnu.org. (Wed, 11 Mar 2015 17:35:01 GMT) Full text and rfc822 format available.

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#20078; Package emacs. (Wed, 11 Mar 2015 18:48:02 GMT) Full text and rfc822 format available.

Message #17 received at 20078 <at> debbugs.gnu.org (full text, mbox):

From: William F Hammond <gellmu <at> gmail.com>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 20078 <at> debbugs.gnu.org
Subject: Re: bug#20078: imap with openssl
Date: Wed, 11 Mar 2015 11:47:03 -0700
On Wed, Mar 11, 2015 at 10:33 AM, Glenn Morris <rgm <at> gnu.org> wrote:

>
> Thanks for the report.
> I think basically what you are talking about is the same as
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766397
>
> which was forwarded to emacs-devel, which is a great way to ensure
> things get lost, so it's good to have an actual bug report for it now.
>
> The discussion is here, but AFAICS nothing actually happened:
> http://lists.gnu.org/archive/html/emacs-devel/2014-10/msg00803.html
>

Debian is not really the place to talk about this kind of issue for
emacs/gnus.

But I note in the Debian thread that Richard Stallman, based on his
reading, made the same point about avoiding the options ssl3 and ssl2 with
s_client though he did not ask for the abandonment of s_client or of
imap.el.

There's discussion in those threads about whether 'anyone' still uses
imap.el and its calls to external openssl.  It arises, for example, when
using mail-sources with, say, nnmbox.

My 'crisis' arose in a sun/solaris system where neither starttls nor gnutls
is available.  It seems that starttls is now no longer maintained (for
cause) and, in my case, gnutls is not easy to build from source because of
recursive library dependencies.  But openssl is available.

Would it make sense for emacs to incorporate gnutls?  That way one could be
sure for a given build of emacs that it would work with gnutls.

-- 
William F Hammond
Email: gellmu <at> gmail.com
https://www.facebook.com/william.f.hammond
http://www.albany.edu/~hammond/

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#20078; Package emacs. (Wed, 11 Mar 2015 19:00:05 GMT) Full text and rfc822 format available.

Message #20 received at 20078 <at> debbugs.gnu.org (full text, mbox):

From: Glenn Morris <rgm <at> gnu.org>
To: William F Hammond <gellmu <at> gmail.com>
Cc: 20078 <at> debbugs.gnu.org
Subject: Re: bug#20078: imap with openssl
Date: Wed, 11 Mar 2015 14:59:38 -0400
William F Hammond wrote:

> Would it make sense for emacs to incorporate gnutls?

You mean, bundle it?
No, bundling libraries is terrible eg wrt security updates.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#20078; Package emacs. (Thu, 12 Mar 2015 14:25:02 GMT) Full text and rfc822 format available.

Message #23 received at 20078 <at> debbugs.gnu.org (full text, mbox):

From: Stefan Monnier <monnier <at> iro.umontreal.ca>
To: William F Hammond <gellmu <at> gmail.com>
Cc: Glenn Morris <rgm <at> gnu.org>, 20078 <at> debbugs.gnu.org
Subject: Re: bug#20078: imap with openssl
Date: Thu, 12 Mar 2015 10:24:07 -0400
> There's discussion in those threads about whether 'anyone' still uses
> imap.el and its calls to external openssl.  It arises, for example, when
> using mail-sources with, say, nnmbox.

I consider imap.el's use of an external process to be a bug.

> My 'crisis' arose in a sun/solaris system where neither starttls nor gnutls
> is available.  It seems that starttls is now no longer maintained (for
> cause) and, in my case, gnutls is not easy to build from source because of
> recursive library dependencies.

Hmm... we're definitely moving in the direction of requiring libgnutls
when building Emacs.

> Would it make sense for emacs to incorporate gnutls?

No, there be dragons.

> That way one could be sure for a given build of emacs that it would
> work with gnutls.

That would just mean that you wouldn't be able to build Emacs without
first solving the "recursive library dependencies".

But yes, I encourage you to try and solve these gnutls build problems,


        Stefan




Forcibly Merged 20078 21134. Request was from Glenn Morris <rgm <at> gnu.org> to control <at> debbugs.gnu.org. (Sat, 25 Jul 2015 20:13:02 GMT) Full text and rfc822 format available.

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#20078; Package emacs. (Sat, 26 Dec 2015 20:50:01 GMT) Full text and rfc822 format available.

Message #28 received at 20078 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: William F Hammond <gellmu <at> gmail.com>, 20078 <at> debbugs.gnu.org,
 Glenn Morris <rgm <at> gnu.org>
Subject: Re: bug#20078: imap with openssl
Date: Sat, 26 Dec 2015 21:48:53 +0100
Stefan Monnier <monnier <at> iro.umontreal.ca> writes:

>> There's discussion in those threads about whether 'anyone' still uses
>> imap.el and its calls to external openssl.  It arises, for example, when
>> using mail-sources with, say, nnmbox.
>
> I consider imap.el's use of an external process to be a bug.

I've now changed imap.el to use open-network-stream and removed all the
variables specifying gnutls-cli etc.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




bug marked as fixed in version 25.1, send any further explanations to 20078 <at> debbugs.gnu.org and William F Hammond <gellmu <at> gmail.com> Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Sat, 26 Dec 2015 20:50:02 GMT) Full text and rfc822 format available.

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#20078; Package emacs. (Sat, 26 Dec 2015 21:47:02 GMT) Full text and rfc822 format available.

Message #33 received at 20078 <at> debbugs.gnu.org (full text, mbox):

From: William F Hammond <gellmu <at> gmail.com>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: Glenn Morris <rgm <at> gnu.org>, 20078 <at> debbugs.gnu.org,
 Stefan Monnier <monnier <at> iro.umontreal.ca>
Subject: Re: bug#20078: imap with openssl
Date: Sat, 26 Dec 2015 13:46:48 -0800
On Sat, Dec 26, 2015 at 12:48 PM, Lars Ingebrigtsen <larsi <at> gnus.org> wrote:

> I've now changed imap.el to use open-network-stream and removed all the
> variables specifying gnutls-cli etc.
>

Thanks.

Do you have any guess as to when, e.g., year or emacs version, this will
find its way into the version of gnus included with GNU Emacs?

            -- Bill

-- 
William F Hammond
Email: gellmu <at> gmail.com
https://www.facebook.com/william.f.hammond
http://www.albany.edu/~hammond/

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#20078; Package emacs. (Sat, 26 Dec 2015 21:54:02 GMT) Full text and rfc822 format available.

Message #36 received at 20078 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: William F Hammond <gellmu <at> gmail.com>
Cc: Glenn Morris <rgm <at> gnu.org>, 20078 <at> debbugs.gnu.org,
 Stefan Monnier <monnier <at> iro.umontreal.ca>
Subject: Re: bug#20078: imap with openssl
Date: Sat, 26 Dec 2015 22:53:16 +0100
William F Hammond <gellmu <at> gmail.com> writes:

> Do you have any guess as to when, e.g., year or emacs version, this will find
> its way into the version of gnus included with GNU Emacs?

It's already in GNU Emacs.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 24 Jan 2016 12:24:06 GMT) Full text and rfc822 format available.

This bug report was last modified 9 years and 152 days ago.
