-
Jimmy Yuen Ho Wong authored
* lisp/net/nsm.el (network-security-level, nsm-level, nsm-new-fingerprint-ok-p): Remove `paranoid' level and related code. * lisp/net/nsm.el (nsm-tls-checks, nsm-tls-check-version, nsm-tls-check-compression, nsm-tls-check-renegotiation-info-ext, nsm-tls-check-verify-cert, nsm-tls-check-same-cert, nsm-tls-check-null-suite, nsm-tls-check-export-kx, nsm-tls-check-anon-kx, nsm-tls-check-md5-sig, nsm-tls-check-rc4-cipher, nsm-tls-check-dhe-prime-kx, nsm-tls-check-sha1-sig, nsm-tls-check-ecdsa-cbc-cipher nsm-tls-check-dhe-kx, nsm-tls-check-rsa-kx, nsm-tls-check-3des-cipher, nsm-tls-check-cbc-cipher, nsm-save-fingerprint-maybe, nsm-tls-post-check-functions): New options and functions for checking TLS handshake problems. * lisp/net/nsm.el (nsm-check-certificate, network-security-protocol-checks, nsm-protocol-check--diffie-hellman-prime-bits, nsm-protocol-check--3des, nsm-protocol-check--rc4, nsm-protocol-check--signature-sha1, nsm-protocol-check--intermediate-sha1, nsm-protocol-check--ssl, nsm-check-protocol): Remove in favor of `nsm-tls-checks' and `nsm-tls-check-*' functions. * lisp/net/nsm.el (nsm-verify-connection): Ensure connection is checked even when `network-security-level' is `low'. * lisp/net/nsm.el (nsm-check-tls-connection): Batch all problems found before querying the user. * lisp/net/nsm.el (nsm--encryption): Renamed to `nsm-cipher-suite'. * lisp/net/nsm.el (nsm-fingerprint-ok-p): No longer prompt when certificate fingerprints mismatch. Returns a boolean instead when the fingerprint of the certificate received matches the saved fingerprints. * lisp/net/nsm.el (nsm-query): Change signature. Accepts a list of problems and a preformatted message instead of just a message format and the arguments for the message. * lisp/net/nsm.el (nsm-query-user): Change signature. Accepts a preformatted message and the peer status of the handshake instead of a message format, its arguments and the certificate for the host. * lisp/net/nsm.el (nsm-save-host): Change signature. Accepts a list of problems after the WHAT parameter. Saves multiple fingerprints for the same host in case the host load balances a TLS server with more than one certificates signed with different keys. Makes sure conditions are not removed when updating a fingerprint. * lisp/net/nsm.el (nsm-format-certificate): Display the TLS handshake's renegotiation info extension, compression level, encrypt-then-MAC extension, and key exchange prime bit length. * src/gnutls.c (gnutls-peer-status-warning-describe, gnutls-peer-status): Check for certificate verification problems introduced since GnuTLS 3.1. * src/gnutls.c (gnutls-peer-status): `:compression', `:encrypt-then-mac' and `:safe-renegotiation' are now contained in the peer status result return value.
534a3d5d