Feature #7791

Investigate the need for python-gnutls

Added by alant 2014-08-16 21:02:26. Updated 2014-09-13 15:30:27.

Status: Resolved
Priority: High
Assignee:
Category:
Target version:
Start date: 2014-08-16
Due date:
% Done: 100%
Feature Branch:
Type of work: Research
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

WhisperBack uses python-gnutls which has no python3 version. It seems replaced by https://gitorious.org/pygnutls but we might not need it anymore. That should be confirmed to know whether we should package it or not.


Related issues

Blocks Tails - Feature #7892: Migrate WhisperBack to SSL Resolved 2014-09-13

History

#1 Updated by intrigeri 2014-08-16 23:08:26

  • Status changed from New to Confirmed

Indeed, I suspect that Python 3’s much improved ssl module is enough for our needs.

#2 Updated by BitingBird 2014-08-29 17:07:04

maker answered concerning this on the parent ticket Feature #5875

#3 Updated by intrigeri 2014-08-29 17:44:14

  • Assignee changed from alant to maker

maker wrote (on Feature #5875):
> Would it be appreciated a patch removing pygnutls as dependency?

Yes, please :) I think we used pygnutls since back then, it was the only way to have certificate verification against a single, known CA (or similar, I don’t remember the details) working. I think this has changed with the backported ssl module. This patch should not make the security of the TLS connection worse.

#4 Updated by maker 2014-09-02 05:40:41

redmine@labs.riseup.net writes:

> Yes, please :) I think we used pygnutls since back then, it was the
> only way to have certificate verification against a single, known CA
> (or similar, I don’t remember the details) working. I think this has
> changed with the backported ssl module. This patch should not make the
> security of the TLS connection worse.

I am attaching now a patch removing pygnutls as dependency.
Unfortunately, whisperBack provides no unittests, only a shitty
`test.py` module. I am not going to start a test/ package, as I
believe that would be worth a separate issue.

Right now, I’ve tested my changes with a
```
python -m smtpd -c DebuggingServer -n -d
```
and firing
```
>>> mail.send_message_tls('me@my.server', 'you@your.server', 'hello', host='localhost', port=8025)
```
and that's it.


m.

#5 Updated by maker 2014-09-02 05:47:01

Michele Orru` <maker@tumbolandia.net> writes:

> Unfortunately, whisperBack provides no unittests, only a shitty
s/shitty/confused/

sry,

m.

#6 Updated by intrigeri 2014-09-08 20:10:06

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

Thanks for the patch! Here are a few comments:

  • I read “This class might be removed once SSLContexts will be available in smtplib (which right now happens only for python >= 2.7.8).” Debian Jessie has 2.7.8-6, and this ticket is about migrating Tails to Jessie, so maybe these bits can be dropped right away? (Sorry our current Jessie-based nightly builds are not exactly usable, so it may be hard to test.)
  • These changes would be easier to review if they were in a Git branch, with atomic changes (e.g. whitespace changes should go in separate commits). Do you want a Tails Greeter Git repo? If so, please send a public SSH key to tails-sysadmins@boum.org, in an OpenPGP-signed email.
  • We’ll need to test against another HS SMTP relay, that uses an unexpected certificate.

#7 Updated by maker 2014-09-09 06:23:58

redmine@labs.riseup.net writes:

> Thanks for the patch! Here are a few comments:
>
> * I read “This class might be removed once SSLContexts will be
> available in smtplib (which right now happens only for python >=
> 2.7.8).” Debian Jessie has 2.7.8-6, and this ticket is about migrating
> Tails to Jessie, so maybe these bits can be dropped right away? (Sorry
> our current Jessie-based nightly builds are not exactly usable, so it
> may be hard to test.)
whoops, that was my fault. That should have been “python > 2.7.8”.
In python 2.7.8 there are no SSLContexts yet [0], while in the latest
revision of the 2.7 branch there are. [1]
Thanks for spotting this error.

> * These changes would be easier to review if they were in a Git
> branch, with atomic changes (e.g. whitespace changes should go in
> separate commits). Do you want a Tails Greeter Git repo? If so, please
> send a public SSH key to tails-sysadmins@boum.org, in an
> OpenPGP-signed email.
Thanks, I will split the patch into atomic commits in the new repo as
soon as I get it.

> * We’ll need to test against another HS SMTP relay, that uses an unexpected certificate.
I would love to see this process automated with unittests though.

[0] <http://hg.python.org/cpython/file/v2.7.8/Lib/ssl.py>
[1] <http://hg.python.org/cpython/file/2.7/Lib/ssl.py>

[My apologies for not putting links in https. I tried SO many times in
vain to ask for hg.python.org to be available in https..]

m.

#8 Updated by intrigeri 2014-09-09 13:01:46

> Thanks, I will split the patch into atomic commits in the new repo as soon as I get it.

Awesome!

>> * We’ll need to test against another HS SMTP relay, that uses an unexpected certificate.
> I would love to see this process automated with unittests though.

Sure, that would be extremely useful. Worth a dedicated ticket, IMO.

#9 Updated by alant 2014-09-13 12:30:46

> > * I read “This class might be removed once SSLContexts will be
> > available in smtplib (which right now happens only for python >=
> > 2.7.8).” Debian Jessie has 2.7.8-6, and this ticket is about migrating
> > Tails to Jessie, so maybe these bits can be dropped right away? (Sorry
> > our current Jessie-based nightly builds are not exactly usable, so it
> > may be hard to test.)
> whoops, that was my fault. That should have been “python > 2.7.8”.
> In python 2.7.8 there are no SSLContexts yet [0], while in the latest
> revision of the 2.7 branch there are. [1]

This is not actually a problem as SSLContexts are present (as far as I understand) in python 3.4.1 which will be the one running whisperback in jessie-based Tails.

#10 Updated by alant 2014-09-13 15:28:30

#11 Updated by alant 2014-09-13 15:30:27

  • Status changed from In Progress to Resolved
  • Assignee deleted (maker)
  • % Done changed from 10 to 100

As maker found, python-gnutls is not needed anymore and can be replaced with SSLContexts which is present in python 3.4 included in jessie. I’m thus closing this bug. Please follow development on Feature #7892. Thanks a lot maker.
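
The approach discussed in this ticket (verifying an SMTP relay's certificate against a single, known CA with an `SSLContext` passed to `smtplib`) can be sketched as follows. This is an added example, not WhisperBack's code or maker's patch; the function names, relay address and CA path are hypothetical, and it assumes a current Python 3 (`ssl.PROTOCOL_TLS_CLIENT` needs 3.6 or later).

```python
import smtplib
import ssl


def strict_context():
    """Client context that verifies the peer and trusts no CA yet."""
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking and,
    # unlike ssl.create_default_context() called without arguments, it does
    # not load the system trust store.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def pinned_context(ca_file):
    """Context whose only trust anchors are the certificates in ca_file."""
    ctx = strict_context()
    # Raises (FileNotFoundError / ssl.SSLError) instead of silently
    # continuing with an empty or default trust store.
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


def send_over_starttls(ctx, host, port, sender, recipient, message):
    """Send one message, refusing to fall back to plaintext."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        # Raises smtplib.SMTPNotSupportedError if the relay does not offer
        # STARTTLS, and ssl.SSLCertVerificationError if its certificate does
        # not chain to the pinned CA or does not match `host`.
        smtp.starttls(context=ctx)
        smtp.sendmail(sender, recipient, message)


if __name__ == "__main__":
    # Constructed values: relay address and CA path are placeholders.
    ctx = pinned_context("/path/to/relay-ca.pem")
    send_over_starttls(ctx, "relay.example", 25,
                       "me@my.server", "you@your.server", "hello")
```

Pointing `send_over_starttls` at a relay that presents a certificate from any other CA should end in a verification error before any message data is sent, which is the "unexpected certificate" case raised in comment #6.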