emacs-devel

Re: Deprecate TLS1.0 support in emacs


From: Robert Pluim
Subject: Re: Deprecate TLS1.0 support in emacs
Date: Wed, 12 Jul 2017 16:30:18 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)

Lars Ingebrigtsen <address@hidden> writes:

> Robert Pluim <address@hidden> writes:
>
>> whilst investigating another bug, I noticed that
>> https://lists.gnu.org/ is still using TLS1.0, which is seriously
>> deprecated. I propose the following patch to make emacs not use TLS1.0
>> anymore unless explicitly requested (and someone should update the
>> settings on lists.gnu.org).
>
> As you point out, removing TLS1.0 support from Emacs will make it
> impossible for people to access common resources like
> https://lists.gnu.org/ (and many other sites), so I don't think that's a
> good idea.

TLS1.0 is a seriously insecure protocol. I refrained from doing what I
actually wanted to do, which is deprecate TLS1.1 as well. I think it's
a disservice to allow TLS1.0 to continue to be used.

> It might make sense to warn people about these resources not being
> "secure", though.

That could be done with nsm, but only if you'll accept setting the
default network-security-level to 'high, or adding a specific check
for protocol version at 'medium. Option 1 looks something like this:

Warn about TLS1.0 and TLS1.1

        * lisp/net/nsm.el (network-security-level): Change default to
        'high so that we check protocol parameters
        (nsm-check-protocol): Warn if we detect TLS1.0 at level 'high,
        and TLS1.1 at level 'paranoid

diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index 8d3463ef0a..f4d1fbb301 100644
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -35,7 +35,7 @@ nsm
   :version "25.1"
   :group 'comm)
 
-(defcustom network-security-level 'medium
+(defcustom network-security-level 'high
   "How secure the network should be.
 If a potential problem with the security of the network
 connection is found, the user is asked to give input into how the
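Review bot: changing the default of `network-security-level` from 'medium to 'high is a user-visible behaviour change that needs a `:version` bump on the defcustom (not in the shown context) so Customize reports the changed default, and an etc/NEWS entry; the docstring that follows should also say what 'high adds over 'medium, since the commit message justifies the change with "so that we check protocol parameters" but the text the user sees is left untouched. Note too that raising the default to 'high switches on every existing check gated at that level, not only the two new TLS clauses, so the commit message should state that wider effect.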
@@ -231,6 +231,27 @@ nsm-check-protocol
             host port protocol)))
       (delete-process process)
       nil)
+     ((and protocol
+          (string-match "TLS1.0" protocol)
+          (not (memq :tls1.0 (plist-get settings :conditions)))
+          (not
+           (nsm-query
+            host port status :tls1.0
+            "The connection to %s:%s uses the %s protocol, which is unsafe."
+            host port protocol)))
+      (delete-process process)
+      nil)
+     ((and protocol
+           (eq network-security-level 'paranoid)
+          (string-match "TLS1.1" protocol)
+          (not (memq :tls1.0 (plist-get settings :conditions)))
+          (not
+           (nsm-query
+            host port status :tls1.1
+            "The connection to %s:%s uses the %s protocol, which is unsafe."
+            host port protocol)))
+      (delete-process process)
+      nil)
      (t
       process))))
 
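Review bot: the TLS1.1 clause has a copy-and-paste error: it calls `nsm-query` with the id `:tls1.1` but tests `(not (memq :tls1.0 (plist-get settings :conditions)))`, so an exception the user saves for TLS1.1 is stored under `:tls1.1` and never matched, and they are prompted again on every connection; change the `memq` to `:tls1.1`. Two smaller points in the same hunk: `(eq network-security-level 'paranoid)` is indented one column further than its sibling conditions, and `"TLS1.0"` / `"TLS1.1"` are regexps in which the unescaped `.` matches any character, so `"TLS1\\.0"` and `"TLS1\\.1"` are the stricter spellings. The commit message says TLS1.0 is flagged "at level 'high", but unlike the TLS1.1 clause the TLS1.0 clause does not test `network-security-level` itself, so it relies entirely on how `nsm-check-protocol` is gated by its caller; that assumption is worth a comment.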



