Make NSM warn on `high' for older protocols, and document

* doc/emacs/misc.texi (Network Security): Mention the new protocol-level
`high' NSM checks.

(nsm-check-protocol): Also warn if using SSL3 or older.
parent be6767d5
2014-12-08 Lars Magne Ingebrigtsen <larsi@gnus.org>
* misc.texi (Network Security): Mention the new protocol-level
`high' NSM checks.
2014-12-08 Eric S. Raymond <esr@snark.thyrsus.com>
* maintaining.texi: Suopport fo Arch has been moved to obolte,
......
......@@ -329,6 +329,20 @@ to be concerned about. However, if you are worried that your network
connections are being hijacked by agencies who have access to pliable
Certificate Authorities which issue new certificates for third-party
services, you may want to keep track of these changes.
@item Diffie-Hellman low prime bits
When doing the public key exchange, the number of ``prime bits''
should be high to ensure that the channel can't be eavesdropped on by
third parties. If this number is too low, you will be warned.
@item @acronym{RC4} stream cipher
The @acronym{RC4} stream cipher is believed to be of low quality and
may allow eavesdropping by third parties.
@item @acronym{SSL1}, @acronym{SSL2} and @acronym{SSL3}
The protocols older than @acronym{TLS1.0} are believed to be
vulnerable to a variety of attacks, and you may want to avoid using
these if what you're doing requires higher security.
@end table
Finally, if @code{network-security-level} is @code{paranoid}, you will
......
......@@ -3,6 +3,7 @@
* net/nsm.el (nsm-check-protocol): Test for RC4 on `high'.
(nsm-format-certificate): Include more data about the connection.
(nsm-query): Fill the text to that it looks nicer.
(nsm-check-protocol): Also warn if using SSL3 or older.
2014-12-08 Stefan Monnier <monnier@iro.umontreal.ca>
......
......@@ -181,7 +181,8 @@ unencrypted."
(encryption (format "%s-%s-%s"
(plist-get status :key-exchange)
(plist-get status :cipher)
(plist-get status :mac))))
(plist-get status :mac)))
(protocol (plist-get status :protocol)))
(cond
((and prime-bits
(< prime-bits 1024)
......@@ -203,6 +204,16 @@ unencrypted."
host port encryption)))
(delete-process process)
nil)
((and protocol
(string-match "SSL" protocol)
(not (memq :ssl (plist-get settings :conditions)))
(not
(nsm-query
host port status :ssl
"The connection to %s:%s uses the %s protocol, which is believed to be unsafe."
host port protocol)))
(delete-process process)
nil)
(t
process))))
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment