[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Auto plugged off?

To: Ian D. Leroux <idleroux@fastmail.fm>
Subject: Re: Auto plugged off?
From: Randy Bush <randy@psg.com>
Date: Mon, 28 Jun 2010 07:54:46 +0900
Cc: wl-en@lists.airs.net
Delivered-to: wl-en@lists.airs.net
In-reply-to: <m24ogogpml.wl%randy@psg.com>
List-help: <mailto:wl-en-ctl@lists.airs.net?body=help>
List-id: wl-en.lists.airs.net
List-owner: <mailto:wl-en-admin@lists.airs.net>
List-post: <mailto:wl-en@lists.airs.net>
List-software: fml [fml stable 20011102.2100]
List-unsubscribe: <mailto:wl-en-ctl@lists.airs.net?body=unsubscribe>
References: <1277567950.23826.1382019081@webmail.messagingengine.com> <4c263bed.201b8f0a.231a.51e5@mx.google.com> <1277587953.29151.1382045185@webmail.messagingengine.com> <4c26ea2f.0b698d0a.4185.ffff8698@mx.google.com> <87fx083an4.wl%idleroux@fastmail.fm> <m24ogogpml.wl%randy@psg.com>
Reply-to: wl-en@lists.airs.net
User-agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)

> but what is the security semantics behind limiting validation chain
> length at all?

as a friend reminded me, don't perform unbounded work at the whim of a
stranger.  and don't type strong assertions during first cup of coffee.

> so we care how long the chain is but we don't care if it validates?

the friend, also a wanderlust user, further pointed out

the relevant part of the s_client man page is:

       -verify depth
           The verify depth to use. This specifies the maximum length of the
           server certificate chain and turns on server certificate verifica-
           tion.  Currently the verify operation continues after errors so all
           the problems with a certificate chain can be seen. As a side effect
           the connection will never fail due to a server certificate verify
           failure.

note last sentence.

what this boils down to is that s_client is not the right tool for
this job.  stunnel would work, see the attached, hack to taste, add
parameters so you can control settings from emacs variables, etc.

you'll need to set ssl-program-arguments in your .wl to call whatever
you use as a replacement for the broken s_client command.

#!/bin/sh -

/usr/local/bin/stunnel 3<<-'EOF' -fd 3
	CAfile		= /usr/local/etc/certs/hactrn-cacert.pem
	connect		= cyteen.hactrn.net:imaps
	sslVersion	= TLSv1
	client		= yes
	verify		= 2
EOF

randy

Follow-Ups:
- Re: Auto plugged off?
  - From: Ian D. Leroux <idleroux@fastmail.fm>

References:
- Auto plugged off?
  - From: "Ian D. Leroux" <idleroux@fastmail.fm>
- Re: Auto plugged off?
  - From: Erik Hetzner <ehetzner@gmail.com>
- Re: Auto plugged off?
  - From: "Ian D. Leroux" <idleroux@fastmail.fm>
- Re: Auto plugged off?
  - From: Erik Hetzner <ehetzner@gmail.com>
- Re: Auto plugged off?
  - From: Ian D. Leroux <idleroux@fastmail.fm>
- Re: Auto plugged off?
  - From: Randy Bush <randy@psg.com>

Prev by Date: Re: Auto plugged off?
Next by Date: Re: Auto plugged off?
Previous by thread: Re: Auto plugged off?
Next by thread: Re: Auto plugged off?
Index(es):
- Date
- Thread