Re: Deprecate TLS1.0 support in emacs
From: Robert Pluim
Subject: Re: Deprecate TLS1.0 support in emacs
Date: Wed, 12 Jul 2017 16:30:18 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
Lars Ingebrigtsen <address@hidden> writes:
> Robert Pluim <address@hidden> writes:
>
>> whilst investigating another bug, I noticed that
>> https://lists.gnu.org/ is still using TLS1.0, which is seriously
>> deprecated. I propose the following patch to make emacs not use TLS1.0
>> anymore unless explicitly requested (and someone should update the
>> settings on lists.gnu.org).
>
> As you point out, removing TLS1.0 support from Emacs will make it
> impossible for people to access common resources like
> https://lists.gnu.org/ (and many other sites), so I don't think that's a
> good idea.
TLS1.0 is a seriously insecure protocol. I refrained from doing what I
actually wanted to do, which is deprecate TLS1.1 as well. I think it's
a disservice to allow TLS1.0 to continue to be used.
> It might make sense to warn people about these resources not being
> "secure", though.
That could be done with nsm, but only if you'll accept setting the
default network-security-level to 'high, or adding a specific check
for protocol version at 'medium. Option 1 looks something like this:
Warn about TLS1.0 and TLS1.1
* lisp/net/nsm.el (network-security-level): Change default to
'high so that we check protocol parameters
(nsm-check-protocol): Warn if we detect TLS1.0 at level 'high,
and TLS1.1 at level 'paranoid
diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index 8d3463ef0a..f4d1fbb301 100644
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -35,7 +35,7 @@ nsm
:version "25.1"
:group 'comm)
-(defcustom network-security-level 'medium
+(defcustom network-security-level 'high
"How secure the network should be.
If a potential problem with the security of the network
connection is found, the user is asked to give input into how the
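Review bot: changing the default of `network-security-level` from 'medium to 'high is a user-visible behaviour change, but the docstring lines in view ("How secure the network should be. ...") are left untouched and the defcustom gains no `:version` tag for the release in which the default changes (the only `:version` visible, "25.1", belongs to the enclosing group). Add a `:version` on the defcustom and note the new default in its docstring so Customize and NEWS can flag it.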
@@ -231,6 +231,27 @@ nsm-check-protocol
host port protocol)))
(delete-process process)
nil)
+ ((and protocol
+ (string-match "TLS1.0" protocol)
+ (not (memq :tls1.0 (plist-get settings :conditions)))
+ (not
+ (nsm-query
+ host port status :tls1.0
+ "The connection to %s:%s uses the %s protocol, which is unsafe."
+ host port protocol)))
+ (delete-process process)
+ nil)
+ ((and protocol
+ (eq network-security-level 'paranoid)
+ (string-match "TLS1.1" protocol)
+ (not (memq :tls1.0 (plist-get settings :conditions)))
+ (not
+ (nsm-query
+ host port status :tls1.1
+ "The connection to %s:%s uses the %s protocol, which is unsafe."
+ host port protocol)))
+ (delete-process process)
+ nil)
(t
process))))
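Review bot: the TLS1.1 branch queries under the key `:tls1.1` but its guard is `(not (memq :tls1.0 (plist-get settings :conditions)))`, so a user who has accepted a TLS1.1 host is asked again on every connection because the saved condition is never the one being tested; the memq should check `:tls1.1`. Also, `"TLS1.0"` and `"TLS1.1"` are passed to `string-match` as regexps, where the unescaped dot matches any character; use `"TLS1\\.0"` / `"TLS1\\.1"` (or `regexp-quote`) so the match is exact. Finally, the TLS1.0 branch carries no level test while the TLS1.1 branch requires `'paranoid`; if the TLS1.0 check is meant to apply at `'high` as the commit message says, a comment stating where that gating happens would make the asymmetry easier to review.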