Gnus development mailing list
* gnutls hangs
@ 2010-10-01  8:23 Bruno Tavernier
  2010-10-01 11:40 ` Bjørn Mork
  2010-10-01 12:09 ` Lars Magne Ingebrigtsen
  0 siblings, 2 replies; 7+ messages in thread
From: Bruno Tavernier @ 2010-10-01  8:23 UTC (permalink / raw)
  To: ding

Using the latest gnus and emacs from the git repositories, the starttls
connection hangs when connecting via IMAP (dovecot). (Debug buffer
contents are at the end of this message.)

I am not very knowledgeable about tls, however I tried the command line
tools to gather some info.

Works fine
,----
| openssl s_client -connect 127.0.0.1:10143 -starttls imap
`----

Does not work (used by Gnus during connection, *message* buffer)
,----
| gnutls-cli -s -p 10143 127.0.0.1 -s
`----
(note: why is the -s option given twice?)

Dovecot returns
,----
| - Simple Client Mode:
| 
| * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS LOGINDISABLED] Dovecot ready.
| a login to to
| * BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed.
| a NO [CLIENTBUG] Plaintext authentication disallowed on non-secure
| (SSL/TLS) connections.
`----

I also tried without success
,----
| gnutls-cli -s -p 10143 10143 127.0.0.1
`----
,----
| gnutls-cli --starttls -p 10143 10143 127.0.0.1
`----

So is that a gnutls bug? Or is the command used with gnutls-cli incorrect?



*Message*
,----
| Opening TLS connection to `localhost'...
| Opening TLS connection with `gnutls-cli -s -p 10143 localhost -s'...
`----

*gnus trace*
,----
| 16:23:13 (nnimap "Cloud" (nnimap-address "localhost") (nnimap-server-port 10143) (nnimap-stream network) (nnimap-nov-is-evil nil) (nnir-search-engine imap))
| 16:23:18 (nnimap "Cloud" (nnimap-address "localhost") (nnimap-server-port 10143) (nnimap-stream network) (nnimap-nov-is-evil nil) (nnir-search-engine imap))
| 16:23:18 (nntp "localhost" (nntp-port-number 10119))
| 16:23:19 (nntp "localhost" (nntp-port-number 10119))
| 16:23:19 (nnimap "Cloud" (nnimap-address "localhost") (nnimap-server-port 10143) (nnimap-stream network) (nnimap-nov-is-evil nil) (nnir-search-engine imap))
| 16:23:19 (nntp "localhost" (nntp-port-number 10119))
| 16:23:19 (nnimap "Cloud" (nnimap-address "localhost") (nnimap-server-port 10143) (nnimap-stream network) (nnimap-nov-is-evil nil) (nnir-search-engine imap))
| 16:23:19 (nntp "localhost" (nntp-port-number 10119))
| 16:23:19 (nnimap "Cloud" (nnimap-address "localhost") (nnimap-server-port 10143) (nnimap-stream network) (nnimap-nov-is-evil nil) (nnir-search-engine imap))
| 16:23:19 (nntp "localhost" (nntp-port-number 10119))
`----

* nnimap localhost 10143 *nntpd**
,----
| * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS STARTTLS AUTH=PLAIN^M
| 1 OK Capability completed.^M
`----

*imap log*
,----
| 16:23:13 1 CAPABILITY^M
`----

-- 
Bruno
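The IMAP side of what the Dovecot output above shows, as an added example that is not code from Gnus, Dovecot or the original post: a client that reads the capability list, refuses to send credentials before STARTTLS, and re-reads capabilities once TLS is up, run against a small model of the server that reproduces Dovecot's BAD/NO refusal of a plaintext LOGIN. The greeting and capability lines are constructed from the ones quoted in the post, not captured traffic; the tags, the user name and the model server's reply wording are assumptions.

```python
"""IMAP capability parsing and the STARTTLS / plaintext-login decision.

Added example, not code from Gnus, Dovecot or the original post.  The server
lines below are constructed to mirror the Dovecot output quoted in the thread.
"""
import re

# Constructed greeting from a Dovecot that disallows plaintext auth (the
# capability set is the one quoted in the post, trimmed for length).
GREETING_PLAINTEXT = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
    "STARTTLS LOGINDISABLED] Dovecot ready."
)
# Constructed untagged CAPABILITY reply as seen after STARTTLS has completed:
# LOGINDISABLED is gone and a SASL mechanism is offered.
CAPABILITY_AFTER_TLS = "* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE AUTH=PLAIN"


def parse_capabilities(line: str) -> set[str]:
    """Return the capability tokens from either a '* CAPABILITY ...' response
    or a greeting carrying a '[CAPABILITY ...]' response code (RFC 3501 7.1)."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line)
    if m:
        body = m.group(1)
    elif line.startswith("* CAPABILITY "):
        body = line[len("* CAPABILITY "):]
    else:
        return set()
    return {tok.upper() for tok in body.split()}


def client_next_step(caps: set[str], tls_active: bool) -> str:
    """Decide what a careful client sends next.

    Never send credentials on a plaintext connection: upgrade with STARTTLS if
    it is offered, otherwise abort.  Once TLS is up, LOGIN is fine unless the
    server still advertises LOGINDISABLED; then use an advertised AUTH=
    mechanism via AUTHENTICATE, or give up.
    """
    if not tls_active:
        return "STARTTLS" if "STARTTLS" in caps else "ABORT"
    if "LOGINDISABLED" not in caps:
        return "LOGIN"
    mechs = sorted(c[len("AUTH="):] for c in caps if c.startswith("AUTH="))
    return f"AUTHENTICATE {mechs[0]}" if mechs else "ABORT"


def server_reply(tag: str, command: str, caps: set[str], tls_active: bool) -> list[str]:
    """Minimal model of the server for STARTTLS and LOGIN/AUTHENTICATE,
    reproducing the refusal Dovecot gives when credentials arrive before TLS
    (untagged BAD alert followed by a tagged NO [CLIENTBUG])."""
    verb = command.split(None, 1)[0].upper()
    if verb == "STARTTLS":
        if tls_active or "STARTTLS" not in caps:
            return [f"{tag} BAD STARTTLS not available"]
        return [f"{tag} OK Begin TLS negotiation now."]
    if verb in ("LOGIN", "AUTHENTICATE"):
        if not tls_active and "LOGINDISABLED" in caps:
            return [
                "* BAD [ALERT] Plaintext authentication not allowed without "
                "SSL/TLS, but your client did it anyway. If anyone was "
                "listening, the password was exposed.",
                f"{tag} NO [CLIENTBUG] Plaintext authentication disallowed on "
                "non-secure (SSL/TLS) connections.",
            ]
        return [f"{tag} OK Logged in"]
    return [f"{tag} BAD Unknown command"]


def run_session(greeting: str, caps_after_tls: str) -> list[str]:
    """Drive the client decision loop against the model server and return the
    transcript (C: client, S: server).  The TLS handshake itself is elided."""
    transcript = [f"S: {greeting}"]
    caps, tls_active, n = parse_capabilities(greeting), False, 0
    while True:
        step = client_next_step(caps, tls_active)
        if step == "ABORT":
            transcript.append("C: (abort: no safe way to authenticate)")
            return transcript
        n += 1
        tag = f"a{n:03d}"
        cmd = "LOGIN bruno <password>" if step == "LOGIN" else step
        transcript.append(f"C: {tag} {cmd}")
        for line in server_reply(tag, cmd, caps, tls_active):
            transcript.append(f"S: {line}")
        if step == "STARTTLS":
            tls_active = True
            # Pre-TLS capabilities could have been tampered with in transit,
            # so a client must re-read them after the handshake.
            transcript.append(f"S: {caps_after_tls}")
            caps = parse_capabilities(caps_after_tls)
        else:
            return transcript


if __name__ == "__main__":
    print("\n".join(run_session(GREETING_PLAINTEXT, CAPABILITY_AFTER_TLS)))
```

Running it prints the six-line exchange: greeting, `a001 STARTTLS`, its OK, the post-TLS capability line, the LOGIN and its OK. Feeding `LOGIN to to` to `server_reply` on the plaintext connection returns the same two-line refusal Dovecot printed in the post.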




* Re: gnutls hangs
  2010-10-01  8:23 gnutls hangs Bruno Tavernier
@ 2010-10-01 11:40 ` Bjørn Mork
  2010-10-01 14:59   ` Bruno Tavernier
  2010-10-01 12:09 ` Lars Magne Ingebrigtsen
  1 sibling, 1 reply; 7+ messages in thread
From: Bjørn Mork @ 2010-10-01 11:40 UTC (permalink / raw)
  To: ding

Bruno Tavernier <tavernier.bruno@gmail.com> writes:

> Does not work (used by Gnus during connection, *message* buffer)
> ,----
> | gnutls-cli -s -p 10143 127.0.0.1 -s
> `----

Might be related to certificate verification.  Do you really have a
certificate for localhost?  You can test by hand by typing "x starttls"
after connecting and then Ctrl-D after the "OK Begin SSL/TLS negotiation
now" (or whatever OK message your server gives) to start TLS.

Examples:

bjorn@canardo:~$ gnutls-cli -s -p 143 127.0.0.1 
Resolving '127.0.0.1'...
Connecting to '127.0.0.1:143'...

- Simple Client Mode:

* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2010 Double Precision, Inc.  See COPYING for distribution information.
a starttls
a OK Begin SSL/TLS negotiation now.
*** Starting TLS handshake
- Certificate type: X.509
 - Got a certificate list of 2 certificates.

 - Certificate[0] info:
 # The hostname in the certificate does NOT match '127.0.0.1'.

bjorn@canardo:~$ gnutls-cli -s -p 143 mail.mork.no 
Resolving 'mail.mork.no'...
Connecting to '2001:16d8:ffb4::1:143'...

- Simple Client Mode:

* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2010 Double Precision, Inc.  See COPYING for distribution information.
x starttls
x OK Begin SSL/TLS negotiation now.
*** Starting TLS handshake
- Certificate type: X.509
 - Got a certificate list of 2 certificates.

 - Certificate[0] info:
 # The hostname in the certificate does NOT match 'mail.mork.no'.

bjorn@canardo:~$ gnutls-cli -s -p 143 canardo.mork.no 
Resolving 'canardo.mork.no'...
Connecting to '148.122.252.1:143'...

- Simple Client Mode:

* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2010 Double Precision, Inc.  See COPYING for distribution information.
y starttls
y OK Begin SSL/TLS negotiation now.
*** Starting TLS handshake
- Certificate type: X.509
 - Got a certificate list of 2 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches 'canardo.mork.no'.
 # valid since: Wed May 19 17:34:31 CEST 2010
 # expires at: Thu May 19 17:34:31 CEST 2011
 # fingerprint: E8:A4:E0:56:AA:40:1B:D2:A0:9C:D5:14:F9:E1:98:B3
 # Subject's DN: C=NO,O=Mork,CN=canardo.mork.no,EMAIL=postmaster@mork.no
 # Issuer's DN: C=NO,L=Oslo,O=Mork,CN=Mork CA,EMAIL=ca@mork.no

 - Certificate[1] info:
 # valid since: Thu May  1 02:27:22 CEST 2003
 # expires at: Wed May  1 02:27:22 CEST 2013
 # fingerprint: 46:C5:1D:4F:BD:38:89:44:83:0C:A5:33:F1:96:1F:55
 # Subject's DN: C=NO,L=Oslo,O=Mork,CN=Mork CA,EMAIL=ca@mork.no
 # Issuer's DN: C=NO,L=Oslo,O=Mork,CN=Mork CA,EMAIL=ca@mork.no


- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL



So gnutls will only allow you to connect to the name in the certificate.
Any alias etc will not work.  openssl, on the other hand, accepts any
certificate.

I'm not going to judge right or wrong.  Depends on what you believe the
SSL is for. But if you really are worried about the (in)security of the
wireless network you're on, then you should do certificate verification.
You cannot trust either DNS or plain IP addresses on an untrusted
network.  It's easy to redirect them.

BTW, the gnutls IPv6 printout doesn't look good. There's no way to guess
that '2001:16d8:ffb4::1:143' means port 143 on 2001:16d8:ffb4:0:0:0:0:1
and not any port on 2001:16d8:ffb4:0:0:0:1:143


Bjørn
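The check behind the three gnutls-cli runs above, as an added example that is not gnutls or Gnus code: match the target host against the names a certificate was issued for, so that the CN-only certificate matches 'canardo.mork.no' and rejects both the alias and the IP literal. The certificates are constructed dictionaries in the shape Python's `ssl.getpeercert()` returns, with the names taken from the runs above; the `subjectAltName` entries in the second certificate are an assumption, included to show what the alias and the loopback address would need. The wildcard handling goes beyond anything in the thread and follows the usual RFC 6125 rules (one wildcard, whole leftmost label only).

```python
"""Certificate hostname matching of the kind gnutls-cli performs before it
trusts a peer.  Added example, not gnutls or Gnus code.  Certificates below
are constructed dictionaries in the shape ssl.getpeercert() returns."""
import ipaddress

# Constructed: a certificate carrying only a CN, like the one in the post.
CERT_CN_ONLY = {
    "subject": ((("countryName", "NO"),), (("organizationName", "Mork"),),
                (("commonName", "canardo.mork.no"),)),
}
# Constructed (assumption): the same certificate re-issued with SAN entries
# for the alias and the loopback address, which is what the other two runs
# in the post would have needed in order to match.
CERT_WITH_SAN = {
    "subject": ((("commonName", "canardo.mork.no"),),),
    "subjectAltName": (("DNS", "canardo.mork.no"), ("DNS", "mail.mork.no"),
                       ("IP Address", "127.0.0.1")),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive; at most one wildcard, only as
    the whole leftmost label, never spanning a dot and never for a bare TLD."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def names_in_cert(cert) -> tuple[list[str], list[str]]:
    """Return (dns_names, ip_names).  subjectAltName wins when present; the
    CN is consulted only for certificates with no SAN extension at all."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def hostname_matches(cert, host: str) -> bool:
    """True iff `host` (a DNS name or an IP literal) is a name the certificate
    was issued for.  An IP literal only matches an iPAddress SAN, never a CN
    or a dNSName, so 127.0.0.1 fails against a name-only certificate exactly
    as in the first gnutls-cli run."""
    dns, ips = names_in_cert(cert)
    if _is_ip(host):
        target = ipaddress.ip_address(host)
        return any(ipaddress.ip_address(ip) == target for ip in ips)
    return any(_dns_match(p, host) for p in dns)


def check_connect(cert, host: str) -> str:
    """Produce the verdict line in the form gnutls-cli prints it."""
    verdict = "matches" if hostname_matches(cert, host) else "does NOT match"
    return f"# The hostname in the certificate {verdict} '{host}'."


if __name__ == "__main__":
    for host in ("127.0.0.1", "mail.mork.no", "canardo.mork.no"):
        print("CN only :", check_connect(CERT_CN_ONLY, host))
        print("with SAN:", check_connect(CERT_WITH_SAN, host))
```

Note what the check does not do: it says nothing about whether the issuer is trusted, which is the separate "Peer's certificate issuer is unknown" line in the third run. Name matching and chain validation both have to pass before the connection proves anything about who is on the other end.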





* Re: gnutls hangs
  2010-10-01  8:23 gnutls hangs Bruno Tavernier
  2010-10-01 11:40 ` Bjørn Mork
@ 2010-10-01 12:09 ` Lars Magne Ingebrigtsen
  2010-10-01 12:16   ` Norbert Koch
  2010-10-01 13:25   ` Ted Zlatanov
  1 sibling, 2 replies; 7+ messages in thread
From: Lars Magne Ingebrigtsen @ 2010-10-01 12:09 UTC (permalink / raw)
  To: ding

Bruno Tavernier <tavernier.bruno@gmail.com> writes:

> Work fine
> ,----
> | openssl s_client -connect 127.0.0.1:10143 -starttls imap
> `----

I've now given up on using gnutls-cli for starttls with tls.el -- it's
just too complicated.  starttls for Gnus now requires that you have
openssl installed, and it seems to work for me.

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen





* Re: gnutls hangs
  2010-10-01 12:09 ` Lars Magne Ingebrigtsen
@ 2010-10-01 12:16   ` Norbert Koch
  2010-10-01 13:25   ` Ted Zlatanov
  1 sibling, 0 replies; 7+ messages in thread
From: Norbert Koch @ 2010-10-01 12:16 UTC (permalink / raw)
  To: ding

* Lars Magne Ingebrigtsen <larsi@gnus.org>:

> I've now given up on using gnutls-cli for starttls with tls.el -- it's
> just too complicated.  starttls for Gnus now requires that you have
> openssl installed, and it seems to work for me.

Whatever.  At least this works :-)
norbert.
-- 




* Re: gnutls hangs
  2010-10-01 12:09 ` Lars Magne Ingebrigtsen
  2010-10-01 12:16   ` Norbert Koch
@ 2010-10-01 13:25   ` Ted Zlatanov
  2010-10-01 17:12     ` Lars Magne Ingebrigtsen
  1 sibling, 1 reply; 7+ messages in thread
From: Ted Zlatanov @ 2010-10-01 13:25 UTC (permalink / raw)
  To: ding

On Fri, 01 Oct 2010 14:09:57 +0200 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote: 

LMI> Bruno Tavernier <tavernier.bruno@gmail.com> writes:
>> Work fine
>> ,----
>> | openssl s_client -connect 127.0.0.1:10143 -starttls imap
>> `----

LMI> I've now given up on using gnutls-cli for starttls with tls.el -- it's
LMI> just too complicated.  starttls for Gnus now requires that you have
LMI> openssl installed, and it seems to work for me.

I plan to finish the GnuTLS API this weekend.  Sorry it's taking me a while.

Ted





* Re: gnutls hangs
  2010-10-01 11:40 ` Bjørn Mork
@ 2010-10-01 14:59   ` Bruno Tavernier
  0 siblings, 0 replies; 7+ messages in thread
From: Bruno Tavernier @ 2010-10-01 14:59 UTC (permalink / raw)
  To: ding


Bjørn Mork <bjorn@mork.no> writes:

> So gnutls will only allow you to connect to the name in the certificate.
> Any alias etc will not work.  openssl, on the other hand, accepts any
> certificate.

Bingo! Just tested it now, gnutls hung because the hostname did not match.


> I'm not going to judge right or wrong.  Depends on what you believe the
> SSL is for. But if you really are worried about the (in)security of the
> wireless network you're on, then you should do certificate verification.  
> You cannont trust neither DNS nor plain ip addresses on an untrusted
> network.  It's easy do redirect them.

Interesting. However, that makes gnutls sort of "inconvenient" for ssh
purposes.

AFAIK, only 1 hostname is allowed per certificate.

Thus if one wants to log in from the internet
  -> certificate hostname = domain name

In turn it implies that login from ssh should be done in plain or with tls
regardless of the hostname.

The latter being impossible(?) with gnutls, a plain connection has to be
possible even on starttls-enabled servers.
Cf earlier post today -> Allow network login over secured network.

<- sorry, I don't know how to make a link to newsgroup articles from gnus
m(_ _)m


-- 
Bruno




* Re: gnutls hangs
  2010-10-01 13:25   ` Ted Zlatanov
@ 2010-10-01 17:12     ` Lars Magne Ingebrigtsen
  0 siblings, 0 replies; 7+ messages in thread
From: Lars Magne Ingebrigtsen @ 2010-10-01 17:12 UTC (permalink / raw)
  To: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> I plan to finish the GnuTLS API this weekend.  Sorry it's taking me a while.

No, that's fine.  The tls/starttls stuff should work for Emacsen without
built-in tls support, and I have a feeling that the non-built-in stuff
won't get much testing (by me) after the built-in stuff is finished.
:-)

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen




