From: arno@natisbad.org (Arnaud Ebalard)
Newsgroups: gmane.linux.debian.devel.bugs.rc, gmane.emacs.gnus.general
Subject: Bug#499774: starttls is a joke
Date: Mon, 22 Sep 2008 10:52:06 +0200
Message-ID: <871vzca7gp.fsf@natisbad.org>
Reply-To: arno@natisbad.org (Arnaud Ebalard), 499774@bugs.debian.org
To: submit@bugs.debian.org
Cc: security@debian.org, ding@gnus.org, emacs-mime-en@m17n.org
Resent-CC: RISKO Gergely
X-Debian-PR-Message: report 499774
X-Debian-PR-Package: starttls
X-Debian-PR-Source: starttls
X-PGP-Key-URL: http://natisbad.org/arno@natisbad.org.asc
X-Fingerprint: 47EB 85FE B99A AB85 FD09 46F3 0255 957C 047A 5026
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.2 (gnu/linux)
Archived-At: news.gmane.org gmane.linux.debian.devel.bugs.rc:203228 gmane.emacs.gnus.general:67408

Package: starttls
Version: 0.10-3
Severity: critical

starttls package should IMHO be removed from Debian repositories, as it
looks like a security joke:

- it does not allow passing trust anchors to be used to verify the remote
  peer: are users expected to see the issue by themselves and not use it?

- usage advertises a --verify option to set the verification level (no
  details on accepted values): in all cases, it is not considered in the
  code and SSL_VERIFY_NONE is used instead.

- The man page does not describe the options the program accepts and does
  not warn the user about the lack of checks.

AFAICT, starttls provides a good example of how OpenSSL API should *not*
be used! Its use should only be limited to testing purposes and a *huge*
disclaimer on its limitations should be put somewhere.

Comments welcome.

Cheers,

a+

ps: emacs-mime-en@m17n.org is in CC, because previous list of issues is
still valid against CVS version of starttls.

pps: Gnus ML is in CC as some people might be using it (for years?).
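The two defects the report describes (a --verify flag that is never consulted, so SSL_VERIFY_NONE is always used, and no way to supply trust anchors) are easy to state as a configuration check. The following is an added illustration, not starttls code and not anything from its maintainers: it uses Python's ssl module, which wraps OpenSSL, so ssl.CERT_NONE corresponds to SSL_VERIFY_NONE and ssl.CERT_REQUIRED to SSL_VERIFY_PEER. build_client_context() is a hypothetical helper that actually honours a verify setting and an optional CA file path (any path passed is the caller's assumption), and audit_context() reports the settings that leave the remote peer unauthenticated.

```python
"""Added example: a client TLS context that honours a --verify style setting,
plus an audit helper that flags the weak settings described in Bug#499774
(peer never verified, no trust anchors). Not code from the starttls package."""
import ssl
from typing import List, Optional


def build_client_context(verify: bool, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Return a client context whose verification level matches `verify`.

    verify=True  -> CERT_REQUIRED (SSL_VERIFY_PEER) plus hostname checking,
                    with trust anchors taken from `cafile` (a caller-supplied,
                    hypothetical path) or from the platform trust store.
    verify=False -> CERT_NONE (SSL_VERIFY_NONE): the peer is never
                    authenticated. Only defensible for local testing, which is
                    exactly the limitation the report wants documented.
    """
    if verify:
        # create_default_context() sets verify_mode=CERT_REQUIRED and
        # check_hostname=True, and loads either `cafile` or the system store.
        return ssl.create_default_context(cafile=cafile)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # the setting starttls applies unconditionally
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return human-readable findings for settings that skip peer authentication."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE (SSL_VERIFY_NONE): "
                        "the peer certificate is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled: a certificate for any "
                        "name would be accepted for this host")
    # cert_store_stats() only counts anchors already loaded; entries from a
    # capath directory load lazily, so treat this finding as advisory.
    if ctx.verify_mode != ssl.CERT_NONE and ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no CA certificates appear to be loaded: supply "
                        "trust anchors or every chain will be rejected")
    return findings


def demo() -> dict:
    """Audit both a weak and a hardened context; returns {label: findings}."""
    weak = build_client_context(verify=False)
    strict = build_client_context(verify=True)
    return {"verify=False": audit_context(weak),
            "verify=True": audit_context(strict)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or ["no findings"])
```

The check_hostname finding is the one most often missed in practice: CERT_REQUIRED alone only proves the certificate chains to a trusted anchor, not that it was issued for the host you intended to reach.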