Hi,
Simon Josefsson <[EMAIL PROTECTED]> writes:
> Reiner Steib <[EMAIL PROTECTED]> writes:
>
>> Would it make sense to prefer gnutls-cli and warn when using starttls
>> (if gnutls-cli is not installed)?
>
> Possibly, yes.
I use stunnel w/ Gnus. Some friends of mine use socat.
> Note that emacs22 (the version in debian testing) supports both starttls
> and gnutls-cli, so the comment made earlier that removing the starttls
> package will break imaps/pop3s connections from emacs based muas is
> false.
+1
>>> "This software does not have any authentication capabilities: it does
>>> not allow you to authenticate your peer, which is a basic requirement
>>> for TLS/SSL to be used securely. You should only use it for testing
>>> purposes and not relaying important information. Be aware that you are
>>> vulnerable to MITM when using it"
>
> That seems correct to me.
>
> Note that even if you use gnutls-cli, you need to configure it to use
> appropriate trust anchors to get full security.
^^^^^^^^^^^^^
I hope you mean "a working setup". If you do not provide it any (set of)
trust anchor, it should not be able to verify server's certificate and
should fail, shouldn't it?
> If you don't, I believe gnutls-cli is still superior to starttls
> though, since gnutls-cli verify that the server hostname match the
> hostname in the certificate.
IMHO, this is not superior. It is just as broken.
Cheers,
a+
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]