Re: A couple of questions and concerns about Emacs network security

emacs-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A couple of questions and concerns about Emacs network security

From:	Lars Ingebrigtsen
Subject:	Re: A couple of questions and concerns about Emacs network security
Date:	Mon, 25 Jun 2018 02:04:11 +0200
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

Jimmy Yuen Ho Wong <address@hidden> writes:

> The sha1-intermediate test still fails on 'medium.

Hm!  I thought the problem was with SHA1 for intermediate certificates,
not root certificates?  But this is the certificate chain from

https://sha1-intermediate.badssl.com/

 ((:version 3 :serial-number 
"00:be:00:42:69:d7:58:79:57:10:3c:04:e7:aa:4e:d8:b2" :issuer "C=GB,ST=Greater 
Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO SSL CA" :valid-from 
"2017-04-13" :valid-to "2020-05-30" :subject "OU=Domain Control 
Validated,OU=COMODO SSL Wildcard,CN=*.badssl.com" :public-key-algorithm "RSA" 
:certificate-security-level "Medium" :signature-algorithm "RSA-SHA256")
  (:version 3 :serial-number "6e:ba:f0:8f:79:83:fa:9d:e1:b2:6f:96:fc:6e:98:bf" 
:issuer "C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust 
External CA Root" :valid-from "2011-08-23" :valid-to "2020-05-30" :subject 
"C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO SSL CA" 
:public-key-algorithm "RSA" :certificate-security-level "Medium" 
:signature-algorithm "RSA-SHA1"))

So the SHA1 is in the last certificate there, but it's the
intermediary...

Here's the one from eternal-september:

 ((:version 3 :serial-number 
"03:6f:ea:f0:ef:6e:57:9c:11:94:8c:1d:0e:9e:5a:a5:a7:8d" :issuer "C=US,O=Let's 
Encrypt,CN=Let's Encrypt Authority X3" :valid-from "2018-05-07" :valid-to 
"2018-08-05" :subject "CN=news.eternal-september.org" :public-key-algorithm 
"RSA" :certificate-security-level "Medium" :signature-algorithm "RSA-SHA256")
  (:version 3 :serial-number "0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08" 
:issuer "O=Digital Signature Trust Co.,CN=DST Root CA X3" :valid-from 
"2016-03-17" :valid-to "2021-03-17" :subject "C=US,O=Let's Encrypt,CN=Let's 
Encrypt Authority X3" :public-key-algorithm "RSA" :certificate-security-level 
"Medium" :signature-algorithm "RSA-SHA256")
  (:version 3 :serial-number "44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b" 
:issuer "O=Digital Signature Trust Co.,CN=DST Root CA X3" :valid-from 
"2000-09-30" :valid-to "2021-09-30" :subject "O=Digital Signature Trust 
Co.,CN=DST Root CA X3" :public-key-algorithm "RSA" :certificate-security-level 
"Medium" :signature-algorithm "RSA-SHA1"))

The third certificate here also has SHA1...  but that's the root
certificate?

*google*  Oh, I see.  Some servers include the root certificate
(redundantly), and some don't.  How do I determine whether a certificate
is a root certificate, then?  There must be a way...  I tried googling
but didn't immediately find anything.

> Also, shouldn't `network-security-protocol-checks' be a defcustom?

Possibly, but editing alists in customize isn't very pleasant.

> Lastly, are the dh-small-subgroup and dh-composite tests possible to
> check in LISP?

I wondered about that, too.  I couldn't find anything in the gnutls API,
but it's pretty big and I could well have missed something.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

[Prev in Thread]

Current Thread

[Next in Thread]

Re: A couple of questions and concerns about Emacs network security, (continued)

Prev by Date: Re: package.el strings
Next by Date: Re: A couple of questions and concerns about Emacs network security
Previous by thread: Re: A couple of questions and concerns about Emacs network security
Next by thread: Re: A couple of questions and concerns about Emacs network security
Index(es):
- Date
- Thread