Add SHA1 warnings for high network security settings

* nsm.el (nsm-check-protocol): When using high security, warn
about SHA1 certificates, which are now believed to be open to
spoofing.
parent e48bacd9
......@@ -183,7 +183,9 @@ unencrypted."
(defun nsm-check-protocol (process host port status settings)
(let ((prime-bits (plist-get status :diffie-hellman-prime-bits))
(encryption (format "%s-%s-%s"
(signature-algorithm
(plist-get (plist-get status :certificate) :signature-algorithm))
(encryption (format "%s-%s-%s"
(plist-get status :key-exchange)
(plist-get status :cipher)
(plist-get status :mac)))
......@@ -209,6 +211,15 @@ unencrypted."
host port encryption)))
(delete-process process)
nil)
((and (string-match "\\bSHA1\\b" signature-algorithm)
(not (memq :signature-sha1 (plist-get settings :conditions)))
(not
(nsm-query
host port status :signature-sha1
"The certificate used to verify the connectio to %s:%s uses the SHA1 algorithm (%s), which is believed to be unsafe."
host port signature-algorithm)))
(delete-process process)
nil)
((and protocol
(string-match "SSL" protocol)
(not (memq :ssl (plist-get settings :conditions)))
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment