Commit 95becaaf authored by Robert Pluim

Don't check for :safe-renegotiation with TLS1.3

* lisp/net/nsm.el (nsm-protocol-check--renegotiation-info-ext): Don't
check when using TLS1.3, renegotiation has been removed from TLS.
Reported in
<https://lists.gnu.org/archive/html/help-gnu-emacs/2019-09/msg00005.html>
parent a8432661
Pipeline #3055 failed with stage
in 58 minutes and 12 seconds
......@@ -665,17 +665,19 @@ the MD5 Message-Digest and the HMAC-MD5 Algorithms\",
If this TLS extension is not used, the connection established is
vulnerable to an attack in which an impersonator can extract
sensitive information such as HTTP session ID cookies or login
passwords.
passwords. Renegotiation was removed in TLS1.3, so this is only
checked for earlier protocol versions.
Reference:
E. Rescorla, M. Ray, S. Dispensa, N. Oskov (Feb 2010). \"Transport
Layer Security (TLS) Renegotiation Indication Extension\",
`https://tools.ietf.org/html/rfc5746'"
(let ((unsafe-renegotiation (not (plist-get status :safe-renegotiation))))
(and unsafe-renegotiation
(format-message
"safe renegotiation is not supported, connection not protected from impersonators"))))
(when (plist-member status :safe-renegotiation)
(let ((unsafe-renegotiation (not (plist-get status :safe-renegotiation))))
(and unsafe-renegotiation
(format-message
"safe renegotiation is not supported, connection not protected from impersonators")))))
;; Compression checks
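Review bot: In the new `when` form, the guard `(plist-member status :safe-renegotiation)` tests whether the key is present in `status`, not which protocol was negotiated, while the updated docstring says the check is skipped for TLS1.3. As written, a pre-1.3 connection whose status plist lacks the key for any other reason silently passes this check, and a TLS1.3 status that carried the key with a nil value would still produce the warning. Either test the negotiated protocol version explicitly, or add a comment above the `when` stating that the key is absent from `status` under TLS1.3 and that this absence is what the guard relies on.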
......