On Fri, Oct 24, 2014 at 09:39:28AM -0400, Ted Zlatanov wrote:
> On Thu, 23 Oct 2014 10:57:17 -0500 Rob Browning <r...@defaultvalue.org> wrote:
>
> RB> Ted Zlatanov <t...@lifelogs.com> writes:
>
> >> could you provide a test case? The information gathered by
> >> `M-x report-emacs-bug' would be really helpful, too.
>
> RB> Hmm, I'm not the original reporter, and don't yet deeply understand the
> RB> relevant issues, but on the surface, the "bug" appears to just ask that
> RB> Emacs "stop using or mentioning s_client".
>
> I replied to the bug address as well, so I hope Kurt responds with a recipe.
>
> RB> If that turns out to be a reasonable request, then I'd imagine that the
> RB> code in imap.el, etc. would need adjustment, i.e.
>
> No, the logic that needs to change is the one that opens the network
> stream (and imap.el will be obsoleted, as Lars and Stefan mentioned).
> But I'd like to know what's using imap.el in Kurt's case because I don't
> know of any code that uses it. Was he just warning that imap.el *could*
> use s_client? I went to the original bug report and couldn't find that
> information, sorry.
>
> RB> In any case, I can certainly send you the report-emacs-bug information
> RB> from my system, but the bug didn't originate there (I don't even have
> RB> emacs23 installed at the moment). Did you mean for Kurt to send it?
>
> Yes, sorry, the web interface misled me. Kurt?
>
> RB> And what kind of test did you have in mind?
>
> Some code that lets me replicate the bug or issue on a Debian system,
> with enough information to let me bring up such a system in a virtual
> environment.

Someone suggested I should reply to this.

First, I'm not an emacs user, I'm the openssl maintainer in Debian. I think this started with me disabling SSLv3 support and then getting reports that I broke emacs / gnus and I just looked around what was going on.

From what I understand, it is (or was) possible to configure things in such a way that it uses s_client to set up SSL, even when it's configured to use gnutls.

You should never use s_client for that. s_client is a debug tool. It does create an SSL connection for you, but in an insecure way.

When looking around, I saw examples of using s_client in combination with "-ssl2" and "-ssl3". That is, only support those protocol versions. They are so broken that I removed support for them. You should clearly never document that they should use those options. That probably all comes from the time SSLv2 and SSLv3 were the only 2 supported protocol versions, and you should probably update the documentation to have more recent information in it.

I hope this clears things up.

Kurt
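
An added example, not part of the original message and not code from Emacs or OpenSSL: a small audit script that scans Emacs Lisp configuration text for quoted commands that invoke `s_client`, and notes when they carry the `-ssl2` or `-ssl3` options named above. The variable names in the sample (`example-tls-command` and so on) and the sample text itself are constructed for illustration.

```python
import re
import shlex

# Options named in the message above: they restrict s_client to SSLv2 / SSLv3.
LEGACY_FLAGS = {"-ssl2", "-ssl3"}

# Double-quoted string literal as written in Emacs Lisp, with backslash escapes.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')


def audit_line(line):
    """Return one finding per quoted s_client command found on the line."""
    findings = []
    for match in STRING_LITERAL.finditer(line):
        try:
            argv = shlex.split(match.group(1))
        except ValueError:  # unbalanced quoting inside the literal: skip it
            continue
        if "s_client" not in argv:
            continue
        legacy = sorted(LEGACY_FLAGS.intersection(argv))
        reason = "s_client used as TLS transport"
        if legacy:
            reason += "; pinned to " + ", ".join(legacy)
        findings.append(reason)
    return findings


def audit_config(text):
    """Scan config text; return (line_number, finding) pairs, skipping comments."""
    results = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(";"):
            continue
        results.extend((number, f) for f in audit_line(line))
    return results


# Constructed sample input, not taken from any real configuration.
SAMPLE = '''\
;; "openssl s_client -ssl3" in a comment is ignored
(setq example-tls-command "openssl s_client -quiet -ssl3 -connect %s:%p")
(setq example-fallbacks '("s_client -quiet -ssl2 -connect %s:%p"
                          "gnutls-cli -p %p %s"))
(setq example-plain "openssl s_client -connect %h:%p")
'''

if __name__ == "__main__":
    for number, finding in audit_config(SAMPLE):
        print(f"line {number}: {finding}")
```
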