Commit e9aaf969 authored by Lars Magne Ingebrigtsen's avatar Lars Magne Ingebrigtsen
Browse files

Make NSM warn on `high' for older protocols, and document

* doc/emacs/misc.texi (Network Security): Mention the new protocol-level
`high' NSM checks.

(nsm-check-protocol): Also warn if using SSL3 or older.
parent be6767d5
2014-12-08 Lars Magne Ingebrigtsen <larsi@gnus.org>
* misc.texi (Network Security): Mention the new protocol-level
`high' NSM checks.
2014-12-08 Eric S. Raymond <esr@snark.thyrsus.com> 2014-12-08 Eric S. Raymond <esr@snark.thyrsus.com>
* maintaining.texi: Suopport fo Arch has been moved to obolte, * maintaining.texi: Suopport fo Arch has been moved to obolte,
......
...@@ -329,6 +329,20 @@ to be concerned about. However, if you are worried that your network ...@@ -329,6 +329,20 @@ to be concerned about. However, if you are worried that your network
connections are being hijacked by agencies who have access to pliable connections are being hijacked by agencies who have access to pliable
Certificate Authorities which issue new certificates for third-party Certificate Authorities which issue new certificates for third-party
services, you may want to keep track of these changes. services, you may want to keep track of these changes.
@item Diffie-Hellman low prime bits
When doing the public key exchange, the number of ``prime bits''
should be high to ensure that the channel can't be eavesdropped on by
third parties. If this number is too low, you will be warned.
@item @acronym{RC4} stream cipher
The @acronym{RC4} stream cipher is believed to be of low quality and
may allow eavesdropping by third parties.
@item @acronym{SSL1}, @acronym{SSL2} and @acronym{SSL3}
The protocols older than @acronym{TLS1.0} are believed to be
vulnerable to a variety of attacks, and you may want to avoid using
these if what you're doing requires higher security.
@end table @end table
Finally, if @code{network-security-level} is @code{paranoid}, you will Finally, if @code{network-security-level} is @code{paranoid}, you will
......
...@@ -3,6 +3,7 @@ ...@@ -3,6 +3,7 @@
* net/nsm.el (nsm-check-protocol): Test for RC4 on `high'. * net/nsm.el (nsm-check-protocol): Test for RC4 on `high'.
(nsm-format-certificate): Include more data about the connection. (nsm-format-certificate): Include more data about the connection.
(nsm-query): Fill the text to that it looks nicer. (nsm-query): Fill the text to that it looks nicer.
(nsm-check-protocol): Also warn if using SSL3 or older.
   
2014-12-08 Stefan Monnier <monnier@iro.umontreal.ca> 2014-12-08 Stefan Monnier <monnier@iro.umontreal.ca>
   
......
...@@ -181,7 +181,8 @@ unencrypted." ...@@ -181,7 +181,8 @@ unencrypted."
(encryption (format "%s-%s-%s" (encryption (format "%s-%s-%s"
(plist-get status :key-exchange) (plist-get status :key-exchange)
(plist-get status :cipher) (plist-get status :cipher)
(plist-get status :mac)))) (plist-get status :mac)))
(protocol (plist-get status :protocol)))
(cond (cond
((and prime-bits ((and prime-bits
(< prime-bits 1024) (< prime-bits 1024)
...@@ -203,6 +204,16 @@ unencrypted." ...@@ -203,6 +204,16 @@ unencrypted."
host port encryption))) host port encryption)))
(delete-process process) (delete-process process)
nil) nil)
((and protocol
(string-match "SSL" protocol)
(not (memq :ssl (plist-get settings :conditions)))
(not
(nsm-query
host port status :ssl
"The connection to %s:%s uses the %s protocol, which is believed to be unsafe."
host port protocol)))
(delete-process process)
nil)
(t (t
process)))) process))))
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment