Feature #7791
Investigate the need for python-gnutls
100%
Description
WhisperBack uses python-gnutls which has no python3 version. It seems replaced by https://gitorious.org/pygnutls but we might not need it anymore. That should be confirmed to know whether we should package it or not.
History
#1 Updated by intrigeri 2014-08-16 23:08:26
- Status changed from New to Confirmed
Indeed, I suspect that Python 3’s much improved ssl module is enough for our needs.
#2 Updated by BitingBird 2014-08-29 17:07:04
maker answered concerning this on the parent ticket Feature #5875
#3 Updated by intrigeri 2014-08-29 17:44:14
- Assignee changed from alant to maker
maker wrote (on Feature #5875):
> Would it be appreciated a patch removing pygnutls as dependency?
Yes, please :) I think we used pygnutls since back then, it was the only way to have certificate verification against a single, known CA (or similar, I don’t remember the details) working. I think this has changed with the backported ssl module. This patch should not make the security of the TLS connection worse.
#4 Updated by maker 2014-09-02 05:40:41
redmine@labs.riseup.net writes:
> Yes, please :) I think we used pygnutls since back then, it was the
> only way to have certificate verification against a single, known CA
> (or similar, I don’t remember the details) working. I think this has
> changed with the backported ssl module. This patch should not make the
> security of the TLS connection worse.
I am attaching now a patch removing pygnutls as dependency.
Unfortunately, whisperBack provides no unittests, only a shitty
`test.py` module. I am not going to start a test/ package, as I
believe that would be worth a separate issue.
Right now, I’ve tested my changes with a
```
python -m smtpd -c DebuggingServer -n -d
```
and firing
```
>>> mail.send_message_tls('me@my.server', 'you@your.server', 'hello', host='localhost', port=8025)
```
and just it.
—
m.
#5 Updated by maker 2014-09-02 05:47:01
Michele Orru` <maker@tumbolandia.net> writes:
> Unfortunately, whisperBack provides no unittests, only a shitty
s/shitty/confused/
sry,
—
m.
#6 Updated by intrigeri 2014-09-08 20:10:06
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
Thanks for the patch! Here are a few comments:
- I read “This class might be removed once SSLContexts will be available in smtplib (which right now happens only for python >= 2.7.8).” Debian Jessie has 2.7.8-6, and this ticket is about migrating Tails to Jessie, so maybe these bits can be dropped right away? (Sorry our current Jessie-based nightly builds are not exactly usable, so it may be hard to test.)
- These changes would be easier to review if they were in a Git branch, with atomic changes (e.g. whitespace changes should go in separate commits). Do you want a Tails Greeter Git repo? If so, please send a public SSH key to tails-sysadmins@boum.org, in an OpenPGP-signed email.
- We’ll need to test against another HS SMTP relay, that uses an unexpected certificate.
#7 Updated by maker 2014-09-09 06:23:58
redmine@labs.riseup.net writes:
> Thanks for the patch! Here are a few comments:
>
> * I read “This class might be removed once SSLContexts will be
> available in smtplib (which right now happens only for python >=
> 2.7.8).” Debian Jessie has 2.7.8-6, and this ticket is about migrating
> Tails to Jessie, so maybe these bits can be dropped right away? (Sorry
> our current Jessie-based nightly builds are not exactly usable, so it
> may be hard to test.)
whoops, that was my fault. That should have been “python > 2.7.8”.
In python 2.7.8 there are no SSLContexts yet [0], while in the latest
revision of the 2.7 branch there are. [1]
Thanks for spotting this error.
> * These changes would be easier to review if they were in a Git
> branch, with atomic changes (e.g. whitespace changes should go in
> separate commits). Do you want a Tails Greeter Git repo? If so, please
> send a public SSH key to tails-sysadmins@boum.org, in an
> OpenPGP-signed email.
Thanks, I will split the patch into atomic commits in the new repo as
soon as I get it.
> * We’ll need to test against another HS SMTP relay, that uses an unexpected certificate.
I would love to see this process automated with unittests though.
[0] <http://hg.python.org/cpython/file/v2.7.8/Lib/ssl.py>
[1] <http://hg.python.org/cpython/file/2.7/Lib/ssl.py>
[My apologies for not putting links in https. I tried SO many times in
vain to ask for hg.python.org to be available in https..]
—
m.
#8 Updated by intrigeri 2014-09-09 13:01:46
> Thanks, I will split the patch into atomic commits in the new repo as soon as I get it.
Awesome!
>> * We’ll need to test against another HS SMTP relay, that uses an unexpected certificate.
> I would love to see this process automated with unittests though.
Sure, that would be extremely useful. Worth a dedicated ticket, IMO.
#9 Updated by alant 2014-09-13 12:30:46
> > * I read “This class might be removed once SSLContexts will be
> > available in smtplib (which right now happens only for python >=
> > 2.7.8).” Debian Jessie has 2.7.8-6, and this ticket is about migrating
> > Tails to Jessie, so maybe these bits can be dropped right away? (Sorry
> > our current Jessie-based nightly builds are not exactly usable, so it
> > may be hard to test.)
> whoops, that was my fault. That should have been “python > 2.7.8”.
> In python 2.7.8 there are no SSLContexts yet [0], while in the latest
> revision of the 2.7 branch there are. [1]
This is not actually a problem as SSLContexts are present (as far as I understand) in python 3.4.1 which will be the one running whisperback in jessie-based Tails.
#10 Updated by alant 2014-09-13 15:28:30
- blocks Feature #7892: Migrate WhisperBack to SSL added
#11 Updated by alant 2014-09-13 15:30:27
- Status changed from In Progress to Resolved
- Assignee deleted (maker)
- % Done changed from 10 to 100
As maker found, python-gnutls is not needed anymore and can be replaced with SSLContexts which is present in python 3.4 included in jessie. I’m thus closing this bug. Please follow development on Feature #7892. Thanks a lot maker.
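The requirement discussed in this ticket (verification against a single, known CA, with no loss of TLS security when python-gnutls is dropped) can be expressed with Python 3's `ssl.SSLContext` as in the following added example, which is not WhisperBack's code or maker's patch. The function names, the `cafile` parameter and the audit rule are assumptions made for illustration.

```python
import smtplib
import ssl


def pinned_ca_context(cafile):
    """Client context that trusts only the certificate(s) in `cafile`."""
    # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED and check_hostname=True
    # and, unlike ssl.create_default_context(), loads no system CA bundle.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)  # raises if missing or unparseable
    return ctx


def audit_context(ctx, expected_cas=1):
    """Return the reasons why `ctx` is weaker than a single-CA setup."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("peer certificate is not required")
    if not ctx.check_hostname:
        problems.append("hostname is not checked")
    loaded = ctx.cert_store_stats()["x509"]
    if loaded != expected_cas:
        problems.append("%d certificates trusted, expected %d"
                        % (loaded, expected_cas))
    return problems


def send_via_pinned_relay(from_addr, to_addr, message, host, port, cafile):
    """Hypothetical sender: STARTTLS to the relay, abort unless it verifies."""
    ctx = pinned_ca_context(cafile)
    problems = audit_context(ctx)
    if problems:
        raise ssl.SSLError("refusing to connect: " + "; ".join(problems))
    with smtplib.SMTP(host, port) as smtp:
        # A relay presenting a certificate not issued by the pinned CA makes
        # the handshake raise ssl.SSLError before any mail data is sent.
        smtp.starttls(context=ctx)
        smtp.sendmail(from_addr, [to_addr], message)
```

`audit_context` is also usable as a regression check in the unit tests the thread asks for: it fails if a later change swaps in a context that loads the system CA bundle or disables verification.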