GnuTLS/TLS proposals for after the release
From: Ted Zlatanov
Subject: GnuTLS/TLS proposals for after the release
Date: Tue, 05 Jul 2016 17:26:43 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1.50 (gnu/linux)
Here are some thoughts about the near future of gnutls.el and friends
(none urgently needed for the release):

1) Proposal: after the 25.1 release, opening a secure network connection
without `gnutls-available-p' should be an annoying warning. The
alternative (tls.el) is less secure and IMHO should be discouraged.

2) I am concerned that SSLv3 is explicitly in the tls.el defaults. See
http://disablessl3.com/ for why, no need to write up all the reasons
here. I propose to cut those lines out.

3) Refactor gnutls.el a bit to support per-host settings more easily:
`gnutls-algorithm-priority', `gnutls-verify-error', `gnutls-trustfiles',
and `gnutls-min-prime-bits' all have different kinds of customizations.
For instance `gnutls-verify-error' can be global or per host regex,
while `gnutls-trustfiles' can be a function. This mish-mash reflects the
staggered work on that library over the years.

I propose a single variable, `gnutls-settings', which can be set per host
regex or globally, and which can contain an alist or plist specifying
each of the settings above as a string/string list or as a function.
Basically a unified view of all GnuTLS-related connectivity settings
instead of scattering them over several variables. I think in Customize
that will look nicer and more friendly, plus the code will be simplified.

If proposal 3 is accepted, the old variables will be accepted for some
time, deprecated later, and finally killed off. It won't be a sudden
transition.
Thanks
Ted
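A sketch, added here and not part of the message above or of gnutls.el, of how the unified `gnutls-settings' variable from proposal 3 could look in Emacs Lisp: one alist keyed by host regexp, each value a plist mirroring the four existing variables, with a resolver that merges the global entry and a more specific per-host entry and accepts function-valued settings. It also carries the `gnutls-available-p' check from proposal 1 (error out instead of falling back to tls.el) and a priority string that excludes SSLv3 in the spirit of proposal 2. The `my-' names, the alist shape, and the example hosts, file paths and priority strings are assumptions; only `gnutls-available-p', `gnutls-negotiate', `open-network-stream' and the existing variable names come from Emacs.

```elisp
;;; Added sketch of the proposed `gnutls-settings' alist.  Not code from
;;; gnutls.el: the variable shape, the my-* names, and the example hosts,
;;; paths and priority strings are assumptions made for illustration.
(require 'cl-lib)
(require 'gnutls)

(defvar my-gnutls-settings
  '(;; "" matches every host, so this entry acts as the global default.
    ;; The priority string drops SSLv3 outright (the concern in proposal 2).
    ("" . (:algorithm-priority "NORMAL:-VERS-SSL3.0"
           :verify-error t
           :min-prime-bits 2048
           :trustfiles ("/etc/ssl/certs/ca-certificates.crt")))
    ;; A per-host regexp entry: stricter ciphers and a private CA, the
    ;; trust file chosen by a function, as the proposal allows.
    ("\\.example\\.internal\\'"
     . (:algorithm-priority "SECURE256:-VERS-TLS-ALL:+VERS-TLS1.2"
        :trustfiles (lambda (host)
                      (list (format "/etc/ssl/private-ca/%s.pem" host))))))
  "Alist of (HOST-REGEXP . PLIST) holding all GnuTLS settings in one place.")

(defun my-gnutls-resolve (value host)
  "Return VALUE, calling it with HOST first if it is a function."
  (if (functionp value) (funcall value host) value))

(defun my-gnutls-settings-for-host (host &optional settings)
  "Return the merged settings plist for HOST.
Matching entries of SETTINGS (default `my-gnutls-settings') are applied
in order, so a later, more specific regexp overrides keys from the
global \"\" entry while inheriting the rest."
  (let ((result nil))
    (dolist (entry (or settings my-gnutls-settings))
      (when (string-match-p (car entry) host)
        (cl-loop for (key value) on (cdr entry) by #'cddr
                 do (setq result
                          (plist-put result key
                                     (my-gnutls-resolve value host))))))
    result))

(defun my-open-tls-stream (name buffer host service)
  "Open a verified TLS stream to HOST:SERVICE using the merged settings.
Per proposal 1, a build without GnuTLS is an error rather than a silent
fallback to the less secure tls.el path."
  (unless (gnutls-available-p)
    (user-error "Emacs was built without GnuTLS; not opening %s" host))
  (let ((s (my-gnutls-settings-for-host host)))
    ;; Same handshake call that `open-gnutls-stream' makes internally,
    ;; but with every parameter taken from the single settings alist.
    (gnutls-negotiate :process (open-network-stream name buffer host service)
                      :type 'gnutls-x509pki
                      :hostname host
                      :priority-string (plist-get s :algorithm-priority)
                      :trustfiles (plist-get s :trustfiles)
                      :verify-error (plist-get s :verify-error)
                      :min-prime-bits (plist-get s :min-prime-bits))))

;; Usage: (my-gnutls-settings-for-host "mail.example.internal") inherits
;; :verify-error and :min-prime-bits from the "" entry and takes the
;; priority string and the function-derived trust file from the host entry.
```

Because entries are merged in list order, the global entry has to come first; a Customize-facing version would want explicit precedence rather than relying on ordering, but the shape shows how the four variables collapse into one place without losing the per-host regexp or function-valued forms they support today.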