    Revamp Network Security manager checks for TLS · 534a3d5d
    Jimmy Yuen Ho Wong authored
    * lisp/net/nsm.el (network-security-level, nsm-level,
      nsm-new-fingerprint-ok-p): Remove `paranoid' level and related code.
    
    * lisp/net/nsm.el (nsm-tls-checks, nsm-tls-check-version,
        nsm-tls-check-compression, nsm-tls-check-renegotiation-info-ext,
        nsm-tls-check-verify-cert, nsm-tls-check-same-cert,
        nsm-tls-check-null-suite, nsm-tls-check-export-kx,
        nsm-tls-check-anon-kx, nsm-tls-check-md5-sig,
        nsm-tls-check-rc4-cipher, nsm-tls-check-dhe-prime-kx,
        nsm-tls-check-sha1-sig, nsm-tls-check-ecdsa-cbc-cipher,
        nsm-tls-check-dhe-kx, nsm-tls-check-rsa-kx,
        nsm-tls-check-3des-cipher, nsm-tls-check-cbc-cipher,
        nsm-save-fingerprint-maybe, nsm-tls-post-check-functions): New
        options and functions for checking TLS handshake problems.
    
    * lisp/net/nsm.el (nsm-check-certificate,
      network-security-protocol-checks,
      nsm-protocol-check--diffie-hellman-prime-bits,
      nsm-protocol-check--3des, nsm-protocol-check--rc4,
      nsm-protocol-check--signature-sha1,
      nsm-protocol-check--intermediate-sha1, nsm-protocol-check--ssl,
      nsm-check-protocol): Remove in favor of `nsm-tls-checks' and
      `nsm-tls-check-*' functions.
    
    * lisp/net/nsm.el (nsm-verify-connection): Ensure connection is
      checked even when `network-security-level' is `low'.
    
    * lisp/net/nsm.el (nsm-check-tls-connection): Batch all problems found
      before querying the user.
    
    * lisp/net/nsm.el (nsm--encryption): Renamed to `nsm-cipher-suite'.
    
    * lisp/net/nsm.el (nsm-fingerprint-ok-p): No longer prompt when
      certificate fingerprints mismatch.  Returns a boolean instead when
      the fingerprint of the certificate received matches the saved
      fingerprints.
    
    * lisp/net/nsm.el (nsm-query): Change signature.  Accepts a list of
      problems and a preformatted message instead of just a message format
      and the arguments for the message.
    
    * lisp/net/nsm.el (nsm-query-user): Change signature.  Accepts a
      preformatted message and the peer status of the handshake instead of
      a message format, its arguments and the certificate for the host.
    
    * lisp/net/nsm.el (nsm-save-host): Change signature.  Accepts a list of
      problems after the WHAT parameter.  Saves multiple fingerprints for
      the same host in case the host load balances a TLS server with more
      than one certificate signed with different keys.  Makes sure
      conditions are not removed when updating a fingerprint.
    
    * lisp/net/nsm.el (nsm-format-certificate): Display the TLS handshake's
      renegotiation info extension, compression level, encrypt-then-MAC
      extension, and key exchange prime bit length.
    
    * src/gnutls.c (gnutls-peer-status-warning-describe,
      gnutls-peer-status): Check for certificate verification problems
      introduced since GnuTLS 3.1.
    
    * src/gnutls.c (gnutls-peer-status): `:compression', `:encrypt-then-mac'
      and `:safe-renegotiation' are now contained in the peer status
      result return value.
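The commit above turns the TLS checks into a customizable `nsm-tls-checks' alist and adds `nsm-tls-post-check-functions'. The following init-file fragment is an added example of how a user would tune those (it is not code from the commit or from nsm.el). It assumes the alist shape (CHECK-FUNCTION . LEVEL) for `nsm-tls-checks' and assumes the post-check hook receives HOST PORT STATUS SETTINGS PROBLEMS; `my-nsm-set-check-level' and `my-nsm-log-problems' are names chosen here.

```elisp
;; Added example, not part of the commit.  Assumes `nsm-tls-checks' is
;; an alist of (CHECK-FUNCTION . LEVEL), where a check runs whenever
;; `network-security-level' is at least LEVEL.
(require 'nsm)

(defun my-nsm-set-check-level (check level)
  "Make CHECK run once `network-security-level' reaches LEVEL.
CHECK is one of the `nsm-tls-check-*' functions; LEVEL is a symbol
such as `low', `medium' or `high'."
  (setf (alist-get check nsm-tls-checks) level))

;; Keep the default overall level, but make sure the legacy-cipher and
;; key-exchange checks from this commit fire at that level regardless of
;; the level they ship with.
(setq network-security-level 'medium)
(dolist (check '(nsm-tls-check-rc4-cipher
                 nsm-tls-check-3des-cipher
                 nsm-tls-check-cbc-cipher
                 nsm-tls-check-dhe-kx
                 nsm-tls-check-rsa-kx))
  (my-nsm-set-check-level check 'medium))

;; Since problems are now batched before the user is queried, a single
;; post-check hook can record the whole batch for later review.
;; Assumed hook arguments: HOST PORT STATUS SETTINGS PROBLEMS.
(defun my-nsm-log-problems (host port _status _settings problems)
  "Record every TLS problem NSM found for HOST:PORT in *Messages*."
  (when problems
    (message "NSM: %s:%s flagged %d problem(s): %S"
             host port (length problems) problems)))

(add-hook 'nsm-tls-post-check-functions #'my-nsm-log-problems)
```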