[devscripts] 01/01: Add STARTTLS support without certificate validity verification.

Osamu Aoki osamu at debian.org
Fri Nov 13 14:35:57 UTC 2015 

Hi,

On Thu, Nov 05, 2015 at 09:42:59AM +0100, Andrew Shadura wrote:
> On 05/11/15 02:49, James McCoy wrote:
> > Thanks for taking a look at this.
> > 
> > On Mon, Nov 02, 2015 at 09:05:23PM +0000, Andrew Shadura wrote:
> >> commit 6469c52e8b694622607478475e7cfc67f1ec6a95
> >> Author: Andrew Shadura <andrewsh at debian.org>
> >> Date:   Mon Nov 2 21:21:02 2015 +0100
> >>
> >>     Add STARTTLS support without certificate validity verification.
> 
> > Why isn't certificate validation being done?
> 
> Because very often SMTP doesn't have a perfectly valid certificate, so
> it makes no sense to validate them.

But do you have supporting rationale that this is an accepted way for
security concious people?  Please present references beyond what you
believe.  (As long as this is optional behavior enabled via user's
special command line option, I do not mind.  But making such loose
behavior as the default one raises red flag.)

> >>     Use Net::SMTPS for both SMTP+SSL and SMTP+STARTTLS.
> >>     When not connecting over SSL, always use Net::SMTPS in hope
> >>     it does STARTTLS when it's detected. If Net::SMTPS isn't
> >>     available, fall back to plain old Net::SMTP.
> >>     
> >>     Replace libnet-smtp-ssl-perl dependency with libnet-smtps-perl
> >>     dependency promoted to Recommends from Suggests.
> 
> > Why the change to Recommends?
> 
> So that it's more likely it's installed and used.

Then so many other programs needs to be moved to Recommends.
 ssh-client bsd-mailx | mailx, mutt, w3m, ...

Seriously, can you make libnet-smtp-ssl-perl optional by not always requirig
it.  Look at how LWP is used in uscan.  It outputs nice error message if
it is used by one of the executable in the devscripts package.
... 
> >> -	require Net::SMTP::SSL;
> >> +	require Net::SMTPS;
> >> +	use IO::Socket::SSL;
> 
> > This should be a require, otherwise it will happen at compile time, not
> > runtime.
> 
> It doesn't work then, I can't use IO::Socket::SSL::* options if I use
> require. Any ideas how to make it work?

Does uscan LWP example help you?  (I am not perl expert to know the
answer.)

Osamu

More information about the devscripts-devel mailing list