emacs-devel

Deprecate TLS1.0 support in emacs


From: Robert Pluim
Subject: Deprecate TLS1.0 support in emacs
Date: Wed, 12 Jul 2017 15:03:39 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)

Hi,

whilst investigating another bug, I noticed that
https://lists.gnu.org/ is still using TLS1.0, which is seriously
deprecated. I propose the following patch to make emacs not use TLS1.0
anymore unless explicitly requested (and someone should update the
settings on lists.gnu.org).

Perhaps this warrants a NEWS entry as well; let me know.

Regards

Robert

From e0526d6ac7a2622a1b8781be4825fbef985a5ed3 Mon Sep 17 00:00:00 2001
From: Robert Pluim <address@hidden>
Date: Wed, 12 Jul 2017 14:59:35 +0200
Subject: [PATCH] Remove TLS1.0 from default gnutls connection parameters

        * lisp/net/gnutls.el (gnutls-boot-parameters): Remove TLS1.0
        from default parameters.
        * src/gnutls.c (Fgnutls_boot): Likewise.
---
 lisp/net/gnutls.el | 4 ++--
 src/gnutls.c       | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 5db87329c3..3386dc5efc 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -264,11 +264,11 @@ gnutls-log-level
         (priority-string (or priority-string
                              (cond
                               ((eq type 'gnutls-anon)
-                               "NORMAL:+ANON-DH:!ARCFOUR-128")
+                               "NORMAL:+ANON-DH:!ARCFOUR-128:-VERS-TLS1.0")
                               ((eq type 'gnutls-x509pki)
                                (if gnutls-algorithm-priority
                                    (upcase gnutls-algorithm-priority)
-                                 "NORMAL")))))
+                                 "NORMAL:-VERS-TLS1.0")))))
         (verify-error (or verify-error
                           ;; this uses the value of `gnutls-verify-error'
                           (cond
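Review bot: both replaced literals in this hunk ("NORMAL:+ANON-DH:!ARCFOUR-128:-VERS-TLS1.0" and "NORMAL:-VERS-TLS1.0") hard-code the new default, and the same string is repeated again in src/gnutls.c, so the three copies can drift apart; consider a single defconst for the `-VERS-TLS1.0` exclusion that both branches append. Note also that the `gnutls-x509pki` branch still uses `(upcase gnutls-algorithm-priority)` unchanged when the user has set it, so an existing custom priority string keeps TLS 1.0 enabled unless the user adds `-VERS-TLS1.0` themselves; that matches the "unless explicitly requested" intent of the cover letter, but it should be spelled out in the NEWS entry the cover letter proposes.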
diff --git a/src/gnutls.c b/src/gnutls.c
index 2078ad88f2..c3d7f54b73 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -1333,7 +1333,7 @@ PROPLIST is a property list with the following keys:
 
 :hostname is a string naming the remote host.
 
-:priority is a GnuTLS priority string, defaults to "NORMAL".
+:priority is a GnuTLS priority string, defaults to "NORMAL:-VERS-TLS1.0".
 
 :trustfiles is a list of PEM-encoded trust files for `gnutls-x509pki'.
 
@@ -1389,7 +1389,7 @@ one trustfile (usually a CA bundle).  */)
   gnutls_certificate_credentials_t x509_cred = NULL;
   gnutls_anon_client_credentials_t anon_cred = NULL;
   Lisp_Object global_init;
-  char const *priority_string_ptr = "NORMAL"; /* default priority string.  */
+  char const *priority_string_ptr = "NORMAL:-VERS-TLS1.0"; /* default priority 
string.  */
   char *c_hostname;
 
   /* Placeholders for the property list elements.  */
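Review bot: the new declaration line exceeds 80 columns once the longer literal is in place, which is why the mail client wrapped it across two lines here ("/* default priority " followed by "string.  */"); as reproduced, the hunk would not apply with git am, so please regenerate it with the comment moved onto its own line above the declaration (`/* Default priority string.  */` then `char const *priority_string_ptr = "NORMAL:-VERS-TLS1.0";`), which also keeps the GNU line-length convention the rest of the file follows.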
-- 
2.13.0.rc0

