Replace starttls.el with GNUTLS based version?
Simon Josefsson <jas <at> extundo.com>
2003-12-01 02:31:49 GMT
How many uses STARTTLS? For SMTP or IMAP? The external program
'starttls' isn't widely available (e.g., not packaged by Debian) and
it uses OpenSSL, so I would like to replace the current starttls.el
with a (partially) backwards compatible version that uses GNUTLS. It
is currently installed in Gnus CVS contrib/starttls.el, and I have
been using it for a while.
The only problem I perceive is that if anyone is using client X.509
certificates, they will have to move from `starttls-extra-args' to
`starttls-extra-argument'. (That is the backwards incompatible part.)
Because there appear to be a bug in the "starttls" application that
make client authentication useless because the verification result is
ignored, I suspect not many uses X.509 client certificates with
STARTTLS, or at least not anyone who cares enough about security to
audit the tools they use. So nobody, even users that have configured
client certificates, would lose security by changing to anonymous TLS
with gnutls-cli. However, they can increase security by setting the
new s-e-a variable.
So, does anyone have an opinion for or against moving
gnus/contrib/starttls.el into gnus/lisp/starttls.el and
emacs/lisp/gnus/starttls.el? In Emacs, lisp/gnus/imap.el have to be
modified as well (it currently use hard coded filenames, and assumes
things about how the old starttls.el was implemented), but
lisp/mail/smtpmail.el work with STARTTLS unmodified.
To test this in Gnus, simply copy contrib/starttls.el over
lisp/starttls.el and rebuild.