[Emacs-diffs] master e9aaf96: Make NSM warn on `high' for older protocols, and document
From: Lars Ingebrigtsen
Subject: [Emacs-diffs] master e9aaf96: Make NSM warn on `high' for older protocols, and document
Date: Mon, 08 Dec 2014 21:52:00 +0000
branch: master
commit e9aaf969661d134fa7e1548817fc9a05fa6b1bfb
Author: Lars Magne Ingebrigtsen <address@hidden>
Commit: Lars Magne Ingebrigtsen <address@hidden>
Make NSM warn on `high' for older protocols, and document
* doc/emacs/misc.texi (Network Security): Mention the new protocol-level
`high' NSM checks.
(nsm-check-protocol): Also warn if using SSL3 or older.
---
doc/emacs/ChangeLog | 5 +++++
doc/emacs/misc.texi | 14 ++++++++++++++
lisp/ChangeLog | 1 +
lisp/net/nsm.el | 13 ++++++++++++-
4 files changed, 32 insertions(+), 1 deletions(-)
diff --git a/doc/emacs/ChangeLog b/doc/emacs/ChangeLog
index 458a478..d969b8e 100644
--- a/doc/emacs/ChangeLog
+++ b/doc/emacs/ChangeLog
@@ -1,3 +1,8 @@
+2014-12-08 Lars Magne Ingebrigtsen <address@hidden>
+
+ * misc.texi (Network Security): Mention the new protocol-level
+ `high' NSM checks.
+
2014-12-08 Eric S. Raymond <address@hidden>
* maintaining.texi: Suopport fo Arch has been moved to obolte,
diff --git a/doc/emacs/misc.texi b/doc/emacs/misc.texi
index 39632cb..3943305 100644
--- a/doc/emacs/misc.texi
+++ b/doc/emacs/misc.texi
@@ -329,6 +329,20 @@ to be concerned about. However, if you are worried that
your network
connections are being hijacked by agencies who have access to pliable
Certificate Authorities which issue new certificates for third-party
services, you may want to keep track of these changes.
+
address@hidden Diffie-Hellman low prime bits
+When doing the public key exchange, the number of ``prime bits''
+should be high to ensure that the channel can't be eavesdropped on by
+third parties. If this number is too low, you will be warned.
+
address@hidden @acronym{RC4} stream cipher
+The @acronym{RC4} stream cipher is believed to be of low quality and
+may allow eavesdropping by third parties.
+
address@hidden @acronym{SSL1}, @acronym{SSL2} and @acronym{SSL3}
+The protocols older than @acronym{TLS1.0} are believed to be
+vulnerable to a variety of attacks, and you may want to avoid using
+these if what you're doing requires higher security.
@end table
Finally, if @code{network-security-level} is @code{paranoid}, you will
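Review bot: the Diffie-Hellman item tells the reader the prime-bit count "should be high" but never says what counts as too low, while the nsm.el hunk below warns on `(< prime-bits 1024)`; state the 1024-bit threshold in the manual so a user who gets the warning knows what it means. The third item's heading names SSL1, SSL2 and SSL3, but the new branch in nsm-check-protocol fires on any protocol string that matches "SSL", so "any version of SSL" (or "anything older than TLS 1.0", which the body already says) describes the actual behaviour more accurately than an enumerated list. "Believed to be of low quality" for RC4 is also vaguer than the check warrants; say that the cipher is considered broken for this purpose.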
diff --git a/lisp/ChangeLog b/lisp/ChangeLog
index c109bc7..2669e07 100644
--- a/lisp/ChangeLog
+++ b/lisp/ChangeLog
@@ -3,6 +3,7 @@
* net/nsm.el (nsm-check-protocol): Test for RC4 on `high'.
(nsm-format-certificate): Include more data about the connection.
(nsm-query): Fill the text to that it looks nicer.
+ (nsm-check-protocol): Also warn if using SSL3 or older.
2014-12-08 Stefan Monnier <address@hidden>
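Review bot: the added line lists (nsm-check-protocol) a second time within the same entry, two lines below its first mention; ChangeLog style keeps one line per function, so fold it into the existing one, e.g. `* net/nsm.el (nsm-check-protocol): Test for RC4 on `high'; also warn if using SSL3 or older.`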
diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index d1de128..2306894 100644
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -181,7 +181,8 @@ unencrypted."
(encryption (format "%s-%s-%s"
(plist-get status :key-exchange)
(plist-get status :cipher)
- (plist-get status :mac))))
+ (plist-get status :mac)))
+ (protocol (plist-get status :protocol)))
(cond
((and prime-bits
(< prime-bits 1024)
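Review bot: `protocol` is read with `(plist-get status :protocol)` and, in the next hunk, the whole SSL branch is skipped when it is nil, so a status plist that lacks :protocol silently passes the check (the fail-open direction). Confirm that the peer-status plist on this branch always carries :protocol; if it can legitimately be absent, consider saying so in a comment here, since a reader of this `let*` cannot tell whether nil means "unknown" or "not applicable".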
@@ -203,6 +204,16 @@ unencrypted."
host port encryption)))
(delete-process process)
nil)
+ ((and protocol
+ (string-match "SSL" protocol)
+ (not (memq :ssl (plist-get settings :conditions)))
+ (not
+ (nsm-query
+ host port status :ssl
+ "The connection to %s:%s uses the %s protocol, which is believed
to be unsafe."
+ host port protocol)))
+ (delete-process process)
+ nil)
(t
process))))
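Review bot: the new branch is guarded only by `protocol` being non-nil and matching "SSL"; nothing in this hunk limits it to the `high' level that the commit message promises, so if nsm-check-protocol is also entered at lower levels the query will fire there too. Either confirm the call site already gates on `high' or add the same level test the prime-bits and RC4 branches rely on. Two smaller points: `(string-match "SSL" protocol)` honours `case-fold-search` and clobbers the match data, and matches "SSL" anywhere in the string, so `(string-match-p "\\`SSL" protocol)` is both side-effect free and anchored to the protocol name; and the prompt "which is believed to be unsafe" should give the reason (a pre-TLS protocol version), so the user has something to base the accept/reject decision on.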