Gnus development mailing list
* Replace starttls.el with GNUTLS based version?
@ 2003-12-01  2:31 Simon Josefsson
  2003-12-01 17:57 ` Steven E. Harris
                   ` (2 more replies)
  0 siblings, 3 replies; 11+ messages in thread
From: Simon Josefsson @ 2003-12-01  2:31 UTC (permalink / raw)
  Cc: emacs-devel, Daiki Ueno

How many use STARTTLS?  For SMTP or IMAP?  The external program
'starttls' isn't widely available (e.g., not packaged by Debian) and
it uses OpenSSL, so I would like to replace the current starttls.el
with a (partially) backwards compatible version that uses GNUTLS.  It
is currently installed in Gnus CVS contrib/starttls.el, and I have
been using it for a while.

The only problem I perceive is that if anyone is using client X.509
certificates, they will have to move from `starttls-extra-args' to
`starttls-extra-argument'.  (That is the backwards incompatible part.)
Because there appears to be a bug in the "starttls" application that
makes client authentication useless because the verification result is
ignored, I suspect not many use X.509 client certificates with
STARTTLS, or at least not anyone who cares enough about security to
audit the tools they use.  So nobody, even users that have configured
client certificates, would lose security by changing to anonymous TLS
with gnutls-cli.  However, they can increase security by setting the
new s-e-a variable.

So, does anyone have an opinion for or against moving
gnus/contrib/starttls.el into gnus/lisp/starttls.el and
emacs/lisp/gnus/starttls.el?  In Emacs, lisp/gnus/imap.el has to be
modified as well (it currently uses hard-coded filenames, and assumes
things about how the old starttls.el was implemented), but
lisp/mail/smtpmail.el works with STARTTLS unmodified.

To test this in Gnus, simply copy contrib/starttls.el over
lisp/starttls.el and rebuild.





* Re: Replace starttls.el with GNUTLS based version?
  2003-12-01  2:31 Replace starttls.el with GNUTLS based version? Simon Josefsson
@ 2003-12-01 17:57 ` Steven E. Harris
  2003-12-01 19:49   ` Simon Josefsson
  2003-12-01 21:17 ` Nevin Kapur
  2003-12-01 22:19 ` Richard Stallman
  2 siblings, 1 reply; 11+ messages in thread
From: Steven E. Harris @ 2003-12-01 17:57 UTC (permalink / raw)


Simon Josefsson <jas@extundo.com> writes:

> How many use STARTTLS?  For SMTP or IMAP?

I use it for IMAP.

> The external program 'starttls' isn't widely available (e.g., not
> packaged by Debian) and it uses OpenSSL, so I would like to replace
> the current starttls.el with a (partially) backwards compatible
> version that uses GNUTLS.

I built 'starttls' from source on Cygwin/Windows XP and it works
fine. However, if GNUTLS is more widely used, I'd rather rely on
something less home-grown than 'starttls.'

For the record, I don't use X.509 certificates.

-- 
Steven E. Harris




* Re: Replace starttls.el with GNUTLS based version?
  2003-12-01 17:57 ` Steven E. Harris
@ 2003-12-01 19:49   ` Simon Josefsson
  2003-12-01 20:16     ` Josh Huber
  0 siblings, 1 reply; 11+ messages in thread
From: Simon Josefsson @ 2003-12-01 19:49 UTC (permalink / raw)


>> The external program 'starttls' isn't widely available (e.g., not
>> packaged by Debian) and it uses OpenSSL, so I would like to replace
>> the current starttls.el with a (partially) backwards compatible
>> version that uses GNUTLS.
>
> I built 'starttls' from source on Cygwin/Windows XP and it works
> fine.

Ah, I don't recall hearing about success reports on Windows.

> However, if GNUTLS is more widely used, I'd rather rely on
> something less home-grown than 'starttls.'

Have you been able to try the new starttls.el?  You need a fairly recent
gnutls-cli though (0.9.90 or later, better get the latest development
version).  For IMAP, I believe it is safe, for SMTP I have been
experiencing some negotiation problems, but it works under the debugger.





* Re: Replace starttls.el with GNUTLS based version?
  2003-12-01 19:49   ` Simon Josefsson
@ 2003-12-01 20:16     ` Josh Huber
  0 siblings, 0 replies; 11+ messages in thread
From: Josh Huber @ 2003-12-01 20:16 UTC (permalink / raw)


"Simon Josefsson" <jas@extundo.com> writes:

> Have you been able to try the new starttls.el?  You need a fairly
> recent gnutls-cli though (0.9.90 or later, better get the latest
> development version).  For IMAP, I believe it is safe, for SMTP I
> have been experiencing some negotiation problems, but it works under
> the debugger.

I just tried it (I use it for IMAP, and probably will be using it for
SMTP soon), and it didn't work for me.  That's probably because I've
got an old version of gnutls installed, though. (version 0.8.12, but
there is nothing newer packaged in Debian currently, anyway!)

Are there packaged versions of gnutls available which are new enough
to try this out?

-- 
Josh Huber




* Re: Replace starttls.el with GNUTLS based version?
  2003-12-01  2:31 Replace starttls.el with GNUTLS based version? Simon Josefsson
  2003-12-01 17:57 ` Steven E. Harris
@ 2003-12-01 21:17 ` Nevin Kapur
  2003-12-01 21:24   ` Simon Josefsson
  2003-12-01 22:10   ` Steven E. Harris
  2003-12-01 22:19 ` Richard Stallman
  2 siblings, 2 replies; 11+ messages in thread
From: Nevin Kapur @ 2003-12-01 21:17 UTC (permalink / raw)


Simon Josefsson <jas@extundo.com> writes:

> How many use STARTTLS?  For SMTP or IMAP?

I use it for both.

> The external program 'starttls' isn't widely available (e.g., not
> packaged by Debian) and it uses OpenSSL, so I would like to replace
> the current starttls.el with a (partially) backwards compatible
> version that uses GNUTLS.  It is currently installed in Gnus CVS
> contrib/starttls.el, and I have been using it for a while.

Just to make sure I understand correctly, the replacement would allow
me to continue using the starttls program (as long as I am not using
client certificates), right?  The last time I looked GNUTLS required
compiling a bunch of other libraries, whereas starttls was a
stand-alone application.

-Nevin





* Re: Replace starttls.el with GNUTLS based version?
  2003-12-01 21:17 ` Nevin Kapur
@ 2003-12-01 21:24   ` Simon Josefsson
  2003-12-01 22:36     ` Nevin Kapur
  2003-12-01 22:10   ` Steven E. Harris
  1 sibling, 1 reply; 11+ messages in thread
From: Simon Josefsson @ 2003-12-01 21:24 UTC (permalink / raw)


>> The external program 'starttls' isn't widely available (e.g., not
>> packaged by Debian) and it uses OpenSSL, so I would like to replace
>> the current starttls.el with a (partially) backwards compatible
>> version that uses GNUTLS.  It is currently installed in Gnus CVS
>> contrib/starttls.el, and I have been using it for a while.
>
> Just to make sure I understand correctly, the replacement would allow
> me to continue using the starttls program (as long as I am not using
> client certificates), right?

No.  The new starttls.el only works with gnutls-cli.  It does work with
elisp code written for the old starttls.el, as long as client certificates
aren't used.  Sorry I was unclear.

> The last time I looked GNUTLS required compiling a bunch of other
> libraries, whereas starttls was a stand-alone application.

Right.  Hm.  Perhaps it would be worthwhile to merge the new and old
starttls.el?  So it can fall back to the old code if gnutls-cli isn't
installed?
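One way such a merged starttls.el could pick its backend, as an added illustration that is not code from the thread, from Gnus or from Emacs: prefer gnutls-cli when it is on `exec-path', otherwise fall back to the older 'starttls' program, and pass client-certificate options only through the new extra-arguments variable.  All names prefixed `example-' are assumptions, as is the exact argument syntax of the old 'starttls' program (`host port' here) and of gnutls-cli (`--starttls', `--port', `--x509certfile', `--x509keyfile', `--x509cafile' are the flags of later gnutls-cli releases; whether a 0.9.x gnutls-cli accepted all of them is not stated on this page).

```elisp
;;; Added example (not the thread's code): choose a STARTTLS helper program.

(defcustom example-starttls-gnutls-program "gnutls-cli"
  "Name of the GNUTLS command-line client (assumed)."
  :type 'string)

(defcustom example-starttls-program "starttls"
  "Name of the older OpenSSL-based helper (assumed)."
  :type 'string)

(defcustom example-starttls-extra-arguments nil
  "Extra arguments passed to gnutls-cli only, e.g. client certificates:
  (\"--x509certfile\" \"~/cert.pem\" \"--x509keyfile\" \"~/key.pem\")
or server verification:
  (\"--x509cafile\" \"/etc/ssl/certs/ca-certificates.crt\")
Flag names are assumed from later gnutls-cli releases."
  :type '(repeat string))

(defcustom example-starttls-extra-args nil
  "Extra arguments passed to the old `starttls' program only (legacy name)."
  :type '(repeat string))

(defun example-starttls-use-gnutls-p ()
  "Return non-nil when gnutls-cli can be found on `exec-path'.
This is the fallback test the thread proposes: gnutls-cli if
installed, otherwise the old helper."
  (and (executable-find example-starttls-gnutls-program) t))

(defun example-starttls-command (host port)
  "Return (PROGRAM . ARGS) for an opportunistic STARTTLS session to HOST:PORT.
With gnutls-cli, `--starttls' makes the client open a plain
connection and wait for a signal before the TLS handshake, so the
Lisp side can issue the protocol-level STARTTLS command first."
  (let ((port (format "%s" port)))
    (if (example-starttls-use-gnutls-p)
        (cons example-starttls-gnutls-program
              (append (list "--starttls" "--port" port host)
                      example-starttls-extra-arguments))
      ;; Old helper: argument order `host port' is an assumption.
      (cons example-starttls-program
            (append (list host port) example-starttls-extra-args)))))

(defun example-starttls-warn-if-unverified ()
  "Warn when gnutls-cli would run without any server CA configured.
Without `--x509cafile' (or a client certificate) the session is
encrypted but not authenticated, i.e. the anonymous-TLS case the
thread describes."
  (when (and (example-starttls-use-gnutls-p)
             (not (member "--x509cafile" example-starttls-extra-arguments)))
    (message "starttls: no CA file given to gnutls-cli; server not verified")))

;; Example use (assumed host name):
;; (example-starttls-command "imap.example.org" 143)
;; => ("gnutls-cli" "--starttls" "--port" "143" "imap.example.org")
```

The split between `example-starttls-extra-arguments' (gnutls-cli) and `example-starttls-extra-args' (old helper) mirrors the incompatible rename discussed above: arguments written for one program are never passed to the other, so a stale client-certificate setting cannot silently be fed to the wrong binary.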





* Re: Replace starttls.el with GNUTLS based version?
  2003-12-01 21:17 ` Nevin Kapur
  2003-12-01 21:24   ` Simon Josefsson
@ 2003-12-01 22:10   ` Steven E. Harris
  1 sibling, 0 replies; 11+ messages in thread
From: Steven E. Harris @ 2003-12-01 22:10 UTC (permalink / raw)


Nevin Kapur <nkapur@cs.caltech.edu> writes:

> The last time I looked GNUTLS required compiling a bunch of other
> libraries, whereas starttls was a stand-alone application.

ISTR that's why I went with starttls rather than GNUTLS. Even though I
built it from source, it was still basically a one-step setup.

-- 
Steven E. Harris




* Re: Replace starttls.el with GNUTLS based version?
  2003-12-01  2:31 Replace starttls.el with GNUTLS based version? Simon Josefsson
  2003-12-01 17:57 ` Steven E. Harris
  2003-12-01 21:17 ` Nevin Kapur
@ 2003-12-01 22:19 ` Richard Stallman
  2003-12-02 13:28   ` Simon Josefsson
  2 siblings, 1 reply; 11+ messages in thread
From: Richard Stallman @ 2003-12-01 22:19 UTC (permalink / raw)
  Cc: ding, ueno, emacs-devel

    So, does anyone have an opinion for or against moving
    gnus/contrib/starttls.el into gnus/lisp/starttls.el and
    emacs/lisp/gnus/starttls.el?

Do we have legal papers for it?




* Re: Replace starttls.el with GNUTLS based version?
  2003-12-01 21:24   ` Simon Josefsson
@ 2003-12-01 22:36     ` Nevin Kapur
  0 siblings, 0 replies; 11+ messages in thread
From: Nevin Kapur @ 2003-12-01 22:36 UTC (permalink / raw)


"Simon Josefsson" <jas@extundo.com> writes:

>> The last time I looked GNUTLS required compiling a bunch of other
>> libraries, whereas starttls was a stand-alone application.
>
> Right.  Hm.  Perhaps it would be wortwhile to merge the new and old
> starttls.el?  So it can fall back to the old code if gnutls-cli isn't
> installed?

That would be optimal; existing setups will then continue to work.

-Nevin





* Re: Replace starttls.el with GNUTLS based version?
  2003-12-01 22:19 ` Richard Stallman
@ 2003-12-02 13:28   ` Simon Josefsson
  2003-12-02 16:35     ` Stefan Monnier
  0 siblings, 1 reply; 11+ messages in thread
From: Simon Josefsson @ 2003-12-02 13:28 UTC (permalink / raw)
  Cc: ding, ueno, emacs-devel

Richard Stallman <rms@gnu.org> writes:

>     So, does anyone have an opinion for or against moving
>     gnus/contrib/starttls.el into gnus/lisp/starttls.el and
>     emacs/lisp/gnus/starttls.el?
>
> Do we have legal papers for it?

Yes, I wrote it, and believe it is covered by my Gnus and Emacs
assignments.  It seems like some people find GNUTLS harder to compile
than starttls, so the solution might be to merge the old and the new
version, so it can use either starttls or gnutls-cli.





* Re: Replace starttls.el with GNUTLS based version?
  2003-12-02 13:28   ` Simon Josefsson
@ 2003-12-02 16:35     ` Stefan Monnier
  0 siblings, 0 replies; 11+ messages in thread
From: Stefan Monnier @ 2003-12-02 16:35 UTC (permalink / raw)
  Cc: ueno, ding, emacs-devel

> assignments.  It seems like some people find GNUTLS harder to compile
> than starttls,

And others already have starttls and might get annoyed if they suddenly
have to compile/install gnutls just because we switched code.
That'd be OK if starttls is non-free, but I believe this is not the case.

> so the solution might be to merge the old and the new
> version, so it can use either starttls or gnutls-cli.

I think that's the best solution.


        Stefan

