From b401d1f08481324f9c971bfadb5836d02f0941f6 Mon Sep 17 00:00:00 2001 From: yamaoka Date: Sun, 23 Mar 2003 15:24:26 +0000 Subject: [PATCH] Synch to Oort Gnus 200303231443. --- GNUS-NEWS | 6 +++ lisp/ChangeLog | 23 ++++++++++ lisp/imap.el | 30 ++++++++++++- lisp/nnimap.el | 13 +++--- lisp/nntp.el | 15 ++++++- lisp/rfc2047.el | 1 + lisp/tls.el | 127 +++++++++++++++++++++++++++++++++++++++++++++++++++++ texi/ChangeLog | 6 +++ texi/gnus-ja.texi | 63 +++++++++++++++++--------- texi/gnus.texi | 61 +++++++++++++++++-------- 10 files changed, 299 insertions(+), 46 deletions(-) create mode 100644 lisp/tls.el diff --git a/GNUS-NEWS b/GNUS-NEWS index 7716767..c7cd2e8 100644 --- a/GNUS-NEWS +++ b/GNUS-NEWS @@ -8,6 +8,12 @@ For older news, see Gnus info node "New Features". * Changes in Oort Gnus +** TLS wrapper shipped with Gnus + +TLS/SSL is now supported in IMAP and NNTP via tls.el and GNUTLS. The +old TLS/SSL support via (external third party) ssl.el and OpenSSL +still works. + ** New make.bat for compiling and installing Gnus under MS Windows Use make.bat if you want to install Gnus under MS Windows, the first diff --git a/lisp/ChangeLog b/lisp/ChangeLog index 06aae03..f5358bb 100644 --- a/lisp/ChangeLog +++ b/lisp/ChangeLog 
@@ -1,3 +1,26 @@ +2003-03-23 Simon Josefsson + + * rfc2047.el (rfc2047-header-encoding-alist): Make Followup-To + same as Newsgroups. + + * nntp.el (nntp-open-connection-function): Mention + nntp-open-tls-stream. + (nntp-open-tls-stream): New function. + + * tls.el: New file. + + * nnimap.el (nnimap-server-port, nnimap-stream): Say TLS/SSL + instead of SSL. + (nnimap-stream): Add other streams, link to imap variables. + (nnimap-authenticator): Add other authenticator, link to imap + variables. + + * imap.el: Autoload open-tls-stream. + (imap-streams): Add tls in front of ssl. + (imap-stream-alist): Add tls. + (imap-default-tls-port): New variable. + (imap-tls-p, imap-tls-open): New functions. + 2003-03-22 ShengHuo ZHU * mm-url.el (mm-url-insert-file-contents): parse url only if diff --git a/lisp/imap.el b/lisp/imap.el index 6e00ff9..23cd746 100644 --- a/lisp/imap.el +++ b/lisp/imap.el @@ -150,6 +150,7 @@ (autoload 'utf7-decode "utf7") (autoload 'format-spec "format-spec") (autoload 'format-spec-make "format-spec") + (autoload 'open-tls-stream "tls") ;; Avoid use gnus-point-at-eol so we're independent of Gnus. These ;; days we have point-at-eol anyhow. (if (fboundp 'point-at-eol) @@ -250,12 +251,13 @@ encoded mailboxes which doesn't translate into ISO-8859-1." (defvar imap-fetch-data-hook nil "Hooks called after receiving each FETCH response.") -(defvar imap-streams '(gssapi kerberos4 starttls ssl network shell) +(defvar imap-streams '(gssapi kerberos4 starttls tls ssl network shell) "Priority of streams to consider when opening connection to server.") (defvar imap-stream-alist '((gssapi imap-gssapi-stream-p imap-gssapi-open) (kerberos4 imap-kerberos4-stream-p imap-kerberos4-open) + (tls imap-tls-p imap-tls-open) (ssl imap-ssl-p imap-ssl-open) (network imap-network-p imap-network-open) (shell imap-shell-p imap-shell-open) 
@@ -298,6 +300,7 @@ for doing the actual authentication.") (defconst imap-default-port 143) (defconst imap-default-ssl-port 993) +(defconst imap-default-tls-port 993) (defconst imap-default-stream 'network) (defconst imap-local-variables '(imap-server imap-port @@ -611,6 +614,31 @@ sure of changing the value of `foo'." (message "imap: Opening SSL connection with `%s'...failed" cmd) nil))) +(defun imap-tls-p (buffer) + nil) + +(defun imap-tls-open (name buffer server port) + (let* ((port (or port imap-default-tls-port)) + (coding-system-for-read imap-coding-system-for-read) + (coding-system-for-write imap-coding-system-for-write) + (process (open-tls-stream name buffer server port))) + (when process + (while (and (memq (process-status process) '(open run)) + (set-buffer buffer) ;; XXX "blue moon" nntp.el bug + (goto-char (point-max)) + (forward-line -1) + (not (imap-parse-greeting))) + (accept-process-output process 1) + (sit-for 1)) + (and imap-log + (with-current-buffer (get-buffer-create imap-log-buffer) + (imap-disable-multibyte) + (buffer-disable-undo) + (goto-char (point-max)) + (insert-buffer-substring buffer))) + (when (memq (process-status process) '(open run)) + process)))) + (defun imap-network-p (buffer) t) diff --git a/lisp/nnimap.el b/lisp/nnimap.el index 0ae687c..3f6390b 100644 --- a/lisp/nnimap.el +++ b/lisp/nnimap.el @@ -85,7 +85,7 @@ (defvoo nnimap-server-port nil "Port number on physical IMAP server. -If nil, defaults to 993 for SSL connections and 143 otherwise.") +If nil, defaults to 993 for TLS/SSL connections and 143 otherwise.") ;; Splitting variables 
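Review bot: `imap-tls-p` and `imap-tls-open` are added without docstrings, and nothing in the hunk says why `imap-tls-p` returns nil. `tls` is listed ahead of `ssl` in `imap-streams`, yet its predicate always fails, so a reader cannot tell whether the stream is meant to be chosen only by explicit configuration. If that is the intent, a docstring such as `"Return nil; the tls stream is never auto-detected and must be selected explicitly."` would settle it. The greeting loop in `imap-tls-open` also has no upper bound: while the gnutls-cli process stays alive and no greeting parses, it keeps calling `accept-process-output` and `sit-for`, so a silent peer stalls the session until the user interrupts it.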
@@ -262,14 +262,16 @@ handle. Change this if -1) you want to connect with SSL. The SSL integration with IMAP is - brain-dead so you'll have to tell it specifically. +1) you want to connect with TLS/SSL. The TLS/SSL integration + with IMAP is suboptimal so you'll have to tell it + specifically. 2) your server is more capable than your environment -- i.e. your server accept Kerberos login's but you haven't installed the `imtest' program or your machine isn't configured for Kerberos. -Possible choices: kerberos4, ssl, network") +Possible choices: gssapi, kerberos4, starttls, tls, ssl, network, shell. +See also `imap-streams' and `imap-stream-alist'.") (defvoo nnimap-authenticator nil "How nnimap authenticate itself to the server. @@ -283,7 +285,8 @@ connect to a server that accept Kerberos login's but you haven't installed the `imtest' program or your machine isn't configured for Kerberos. -Possible choices: kerberos4, cram-md5, login, anonymous.") +Possible choices: gssapi, kerberos4, digest-md5, cram-md5, login, anonymous. +See also `imap-authenticators' and `imap-authenticator-alist'") (defvoo nnimap-directory (nnheader-concat gnus-directory "overview/") "Directory to keep NOV cache files for nnimap groups. diff --git a/lisp/nntp.el b/lisp/nntp.el index 9d55a15..6b36580 100644 --- a/lisp/nntp.el +++ b/lisp/nntp.el @@ -111,6 +111,7 @@ host. Direct connections: - `nntp-open-network-stream' (the default), - `nntp-open-ssl-stream', +- `nntp-open-tls-stream', - `nntp-open-telnet-stream'. Indirect connections: 
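Review bot: The "See also" sentence added at the end of the `nnimap-authenticator` docstring has no closing full stop, unlike the matching sentence added to `nnimap-stream` in the preceding hunk. Both "Possible choices" lists now repeat the contents of the imap.el variables by hand. Saying in the docstring that `imap-streams` and `imap-authenticators` are authoritative would keep the two from drifting apart.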
@@ -1227,7 +1228,19 @@ password contained in '~/.nntp-authinfo'." (process-kill-without-query proc) (save-excursion (set-buffer buffer) - (nntp-wait-for-string "^\r*20[01]") + (let ((nntp-connection-alist (list proc buffer nil))) + (nntp-wait-for-string "^\r*20[01]")) + (beginning-of-line) + (delete-region (point-min) (point)) + proc))) + +(defun nntp-open-tls-stream (buffer) + (let ((proc (open-tls-stream "nntpd" buffer nntp-address nntp-port-number))) + (process-kill-without-query proc) + (save-excursion + (set-buffer buffer) + (let ((nntp-connection-alist (list proc buffer nil))) + (nntp-wait-for-string "^\r*20[01]")) (beginning-of-line) (delete-region (point-min) (point)) proc))) diff --git a/lisp/rfc2047.el b/lisp/rfc2047.el index 9bb8c0f..aade0dd 100644 --- a/lisp/rfc2047.el +++ b/lisp/rfc2047.el @@ -42,6 +42,7 @@ (defvar rfc2047-header-encoding-alist '(("Newsgroups" . nil) + ("Followup-To" . nil) ("Message-ID" . nil) ("\\(Resent-\\)?\\(From\\|Cc\\|To\\|Bcc\\|Reply-To\\|Sender\\)" . "-A-Za-z0-9!*+/=_") diff --git a/lisp/tls.el b/lisp/tls.el new file mode 100644 index 0000000..7027077 --- /dev/null +++ b/lisp/tls.el 
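Review bot: `nntp-open-tls-stream` passes the result of `open-tls-stream` straight to `process-kill-without-query`, but `open-tls-stream` as added in lisp/tls.el returns nil when every entry in `tls-program` fails. A failed handshake would therefore signal an error on the nil argument instead of reporting a failed connection. Wrapping the body in `(when proc ...)` lets the caller see nil. The first part of this hunk edits a function whose start lies outside the hunk, and its context lines suggest the same pattern there. The new function also has no docstring; one sentence stating that it opens a TLS connection to `nntp-address` through `open-tls-stream` and waits for the 200/201 greeting in BUFFER would do.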
@@ -0,0 +1,127 @@ +;;; tls.el --- TLS/SSL support via wrapper around GnuTLS + +;; Copyright (C) 2003 Free Software Foundation, Inc. + +;; Author: Simon Josefsson +;; Keywords: comm, tls, gnutls, ssl + +;; This file is part of GNU Emacs. + +;; GNU Emacs is free software; you can redistribute it and/or modify +;; it under the terms of the GNU General Public License as published by +;; the Free Software Foundation; either version 2, or (at your option) +;; any later version. + +;; GNU Emacs is distributed in the hope that it will be useful, +;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;; GNU General Public License for more details. + +;; You should have received a copy of the GNU General Public License +;; along with GNU Emacs; see the file COPYING. If not, write to the +;; Free Software Foundation, Inc., 59 Temple Place - Suite 330, +;; Boston, MA 02111-1307, USA. + +;;; Commentary: + +;; This package implements a simple wrapper around "gnutls-cli" to +;; make Emacs support TLS/SSL. +;; +;; Usage is the same as `open-network-stream', i.e.: +;; +;; (setq tmp (open-tls-stream "test" (current-buffer) "news.mozilla.org" 563)) +;; ... +;; # +;; (process-send-string tmp "mode reader\n") +;; 200 secnews.netscape.com Netscape-Collabra/3.52 03615 NNRP ready ... +;; nil +;; (process-send-string tmp "quit\n") +;; 205 +;; nil + +;; To use this package as a replacement for ssl.el by William M. Perry +;; , you need to evaluate the following: +;; +;; (defalias 'open-ssl-stream 'open-tls-stream) + +;;; Code: + +(eval-and-compile + (autoload 'format-spec "format-spec") + (autoload 'format-spec-make "format-spec")) + +(defgroup tls nil + "Transport Layer Security (TLS) parameters." + :group 'comm) + +(defcustom tls-program '("gnutls-cli -p %p %h" + "gnutls-cli -p %p %h --protocols ssl3") + "List of strings containing commands to start TLS stream to a host. 
+Each entry in the list is tried until a connection is successful. +%s is replaced with server hostname, %p with port to connect to. +The program should read input on stdin and write output to +stdout. Also see `tls-success' for what the program should output +after successful negotiation." + :type '(repeat string) + :group 'tls) + +(defcustom tls-process-connection-type nil + "*Value for `process-connection-type' to use when starting process." + :type 'boolean + :group 'tls) + +(defcustom tls-success "- Handshake was completed" + "*Regular expression indicating completed TLS handshakes. +The default is what GNUTLS's \"gnutls-cli\" outputs." + :type 'regexp + :group 'tls) + +(defun open-tls-stream (name buffer host service) + "Open a TLS connection for a service to a host. +Returns a subprocess-object to represent the connection. +Input and output work as for subprocesses; `delete-process' closes it. +Args are NAME BUFFER HOST SERVICE. +NAME is name for process. It is modified if necessary to make it unique. +BUFFER is the buffer (or buffer-name) to associate with the process. + Process output goes at end of that buffer, unless you specify + an output stream or filter function to handle the output. + BUFFER may be also nil, meaning that this process is not associated + with any buffer +Third arg is name of the host to connect to, or its IP address. +Fourth arg SERVICE is name of the service desired, or an integer +specifying a port number to connect to." + (let ((cmds tls-program) cmd done) + (message "Opening TLS connection to `%s'..." host) + (while (and (not done) (setq cmd (pop cmds))) + (message "Opening TLS connection with `%s'..." 
cmd) + (let* ((process-connection-type tls-process-connection-type) + (process (start-process + name buffer shell-file-name shell-command-switch + (format-spec + cmd + (format-spec-make + ?h host + ?p (if (integerp service) + (int-to-string service) + service))))) + response) + (while (and process + (memq (process-status process) '(open run)) + (save-excursion + (set-buffer buffer) ;; XXX "blue moon" nntp.el bug + (goto-char (point-min)) + (not (setq done (re-search-forward tls-success nil t))))) + (accept-process-output process 1) + (sit-for 1)) + (message "Opening TLS connection with `%s'...%s" cmd + (if done "done" "failed")) + (if done + (setq done process) + (delete-process process)))) + (message "Opening TLS connection to `%s'...%s" + host (if done "done" "failed")) + done)) + +(provide 'tls) + +;;; tls.el ends here diff --git a/texi/ChangeLog b/texi/ChangeLog index 6567f89..8cd29f6 100644 --- a/texi/ChangeLog +++ b/texi/ChangeLog @@ -1,3 +1,9 @@ +2003-03-23 Simon Josefsson + + * gnus.texi (Direct Functions, Common Variables) + (Mail Source Specifiers, IMAP): Add TLS wherever SSL is mentioned + now. + 2003-03-23 Jesper Harder * gnus.texi (Group Information, Article Washing) diff --git a/texi/gnus-ja.texi b/texi/gnus-ja.texi index f5136d3..28d1c19 100644 --- a/texi/gnus-ja.texi +++ b/texi/gnus-ja.texi 
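Review bot: In `open-tls-stream`, HOST and SERVICE are substituted into the `tls-program` template and the result is run through `shell-file-name` with `shell-command-switch`, so any shell metacharacter in either value is interpreted by the shell. Quoting both at the substitution, `?h (shell-quote-argument host)` and `?p (shell-quote-argument (if (integerp service) (int-to-string service) service))`, keeps a host name that comes from a less trusted place from altering the command. Separately, success is decided only by matching `tls-success` ("- Handshake was completed"), and neither default command line names a trust store (for gnutls-cli, `--x509cafile`). As far as this hunk shows, a handshake with any certificate is accepted and the peer is not authenticated, and the second default entry silently retries with `--protocols ssl3` after any failure; the docstrings should state both, or the check should be added and the fallback made opt-in. The `tls-program` docstring says `%s` is replaced with the host name although the code binds `?h`, and the `open-tls-stream` docstring allows BUFFER to be nil although the wait loop calls `(set-buffer buffer)` unconditionally.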
@@ -11801,15 +11801,29 @@ LIST $B%3%^%s%I$N%*%W%7%g%s$K;H$C$F!"(B($B%5!<%P!<$N(B) $B%j%9%H=PNO$r@_Dj$ @item nntp-open-network-stream $B$3$l$O%G%#%U%)%k%H$G!"C1=c$K1s3V%7%9%F%`$N%]!<%H$J$I$K@\B3$7$^$9!#(B +@findex nntp-open-tls-stream +@item nntp-open-tls-stream +@dfn{$B0BA4$J(B} $B%A%c%s%M%k$r;H$C$F%5!<%P!<$K@\B3$7$^$9!#$3$l$r;H$&$?$a$K$O!"(B +GNUTLS (@uref{http://www.gnu.org/software/gnutls/} $B;2>H(B) $B$r%$%s%9%H!<%k(B +$B$7$F$*$+$J$1$l$P$J$j$^$;$s!#$=$l$+$i%5!<%P!<$rA0$O;H$($^$;$s!#(B +;; +(nntp "snews.bar.com" + (nntp-open-connection-function nntp-open-tls-stream) + (nntp-port-number ) + (nntp-address "snews.bar.com")) +@end lisp + @findex nntp-open-ssl-stream @item nntp-open-ssl-stream @dfn{$B0BA4$J(B} $B%A%c%s%M%k$r;H$C$F%5!<%P!<$K@\B3$7$^$9!#$3$l$r;H$&$?$a$K$O!"(B -OpenSSL (@uref{http://www.openssl.org}) $B$+(B SSLeay $B$,%$%s%9%H!<%k$5$l$F$$(B +OpenSSL (@uref{http://www.openssl.org}) $B$+(B SSLeay $B$r%$%s%9%H!<%k$7$F$*$+(B $B$J$1$l$P$J$j$^$;$s!#$=$l$+$i%5!<%P!<$rA0$O;H$($^$;$s!#(B ;; @@ -11931,9 +11945,10 @@ Emacs $B$N%;%C%7%g%sA4BN$r%i%C%W$7$F!"%G%#%U%)%k%H$N%a%=%C%I$r;H$&$H$$$&$N(B @item nntp-pre-command @vindex nntp-pre-command $BAG$N@\B3MQ$N4X(B -$B?t(B (@code{nntp-open-network-stream} $B$H(B @code{nntp-open-ssl-stream} $B$@$1(B -$B$@$H;W$&(B) $B$G$O$J$$$b$N$rDL$7$F@\B3$9$k$H$-$K;H$&%3%^%s%I%i%C%Q!<$G$9!#Nc(B -$B$($P$"$J$?$O(B @samp{SOCKS} $B%i%C%Q!<$r3d$jEv$F$k$G$7$g$&!#(B +$B?t(B (@code{nntp-open-network-stream}$B!"(B@code{nntp-open-tls-stream} $B$*$h(B +$B$S(B @code{nntp-open-ssl-stream} $B$@$1$@$H;W$&(B) $B$G$O$J$$$b$N$rDL$7$F@\B3$9(B +$B$k$H$-$K;H$&%3%^%s%I%i%C%Q!<$G$9!#Nc$($P$"$J$?$O(B @samp{SOCKS} $B%i%C%Q!<$r(B +$B3d$jEv$F$k$G$7$g$&!#(B @item nntp-address @vindex nntp-address 
@@ -11942,9 +11957,10 @@ Emacs $B$N%;%C%7%g%sA4BN$r%i%C%W$7$F!"%G%#%U%)%k%H$N%a%=%C%I$r;H$&$H$$$&$N(B @item nntp-port-number @vindex nntp-port-number $B@\B3$9$k(B @sc{nntp} $B%5!<%P!<$N%]!<%HHV9f$G$9!#%G%#%U%)%k%H(B -$B$O(B @samp{nntp} $B$G$9!#(B@sc{ssl} $B$r2p$7$?(B @sc{nntp} $B$r;H$&$K$O!"%]!<%H$NL>(B -$BA0$G$O$J$/$F@0?t(B ($B$D$^$j(B @samp{snews} $B$G$O$J$/$F(B @samp{563}) $B$r;XDj$7$F(B -$B2<$5$$!#30It$N(B SSL $B%D!<%k$O%]!<%H$NL>A0$G$OF0:n$7$J$$$+$i$G$9!#(B +$B$O(B @samp{nntp} $B$G$9!#(B@sc{tls}/@sc{ssl} $B$r2p$7$?(B @sc{nntp} $B$r;H$&$K$O!"%]!<(B +$B%H$NL>A0$G$O$J$/$F@0?t(B ($B$D$^$j(B @samp{snews} $B$d(B @samp{nntps} $B$G$O$J$/(B +$B$F(B @samp{563}) $B$r;XDj$7$F2<$5$$!#30It$N(B TLS/SSL $B%D!<%k$O%]!<%H$NL>A0$G$O(B +$BF0:n$7$J$$$+$i$G$9!#(B @item nntp-end-of-line @vindex nntp-end-of-line @@ -12561,8 +12577,8 @@ Maildir $B%a!<%k%=!<%9$NNc$r$U$?$D(B: $B$?(B @sc{imap} $B%a!<%k%\%C%/%9$+$i5-;v$r\$7$/$O(B @xref{IMAP} $B$r(B $B;2>H$7$F2<$5$$!#(B -Kerberos, GSSAPI, SSL/TLS $B$*$h$S(B STARTTLS $B$N$?$a$N30It%W%m%0%i%`$H%i%$%V(B -$B%i%j$,I,MW$G$"$k$3$H$KN10U$7$F2<$5$$!#(B@xref{IMAP} +Kerberos, GSSAPI, TLS/SSL $B$*$h$S(B STARTTLS $B$N$?$a$N30It%W%m%0%i%`$H%i%$%V(B +$B%i%j$,I,MW$G$"$k$3$H$KN10U$7$F2<$5$$!#(B@xref{IMAP}$B!#(B $B%-!<%o!<%I(B: @@ -12571,7 +12587,7 @@ Kerberos, GSSAPI, SSL/TLS $B$*$h$S(B STARTTLS $B$N$?$a$N30It%W%m%0%i%`$H%i%$% @sc{imap} $B%5!<%P!<$NL>A0!#=i4|CM$O4D6-JQ?t(B @code{MAILHOST} $B$+$iF@$^$9!#(B @item :port -@sc{imap} $B%5!<%P!<$N%]!<%HHV9f!#IaDL$O=i4|CM$O(B @samp{143} $B$G!"(BSSL/TLS $B@\(B +@sc{imap} $B%5!<%P!<$N%]!<%HHV9f!#IaDL$O=i4|CM$O(B @samp{143} $B$G!"(BTLS/SSL $B@\(B $BB3$K$O(B @samp{993} $B$G$9!#(B @item :user 
@@ -12584,8 +12600,8 @@ Kerberos, GSSAPI, SSL/TLS $B$*$h$S(B STARTTLS $B$N$?$a$N30It%W%m%0%i%`$H%i%$% @item :stream $B%5!<%P!<$K@\B3$9$k$H$-$K;H$&%9%H%j!<%`!#(B@code{imap-stream-alist} $B$K$"$k(B $B%7%s%\%k$NCf$N$R$H$D$r@_Dj$7$^$9!#8=>u$G$O(B @samp{gssapi}, -@samp{kerberos4}, @samp{starttls}, @samp{ssl}, @samp{shell} $B$^$?$O=i4|CM(B -$B$N(B @samp{network} $B$K$J$j$^$9!#(B +@samp{kerberos4}, @samp{starttls}, @samp{tls}, @samp{ssl}, +@samp{shell} $B$^$?$O=i4|CM$N(B @samp{network} $B$K$J$j$^$9!#(B @item :authentication $B%5!<%P!<$G$NG'>Z$K$I$NG'>ZK!$r;H$&$+!#$3$l(B @@ -15028,7 +15044,7 @@ Gnus $B$O%&%'%V%Z!<%8$rH$7$F2<$5$$!#(B) @lisp @@ -15072,8 +15088,8 @@ Gnus $B$O%&%'%V%Z!<%8$r