]> git.eshelyaron.com Git - emacs.git/commit
projects / emacs.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 023f4c6) | patch
Revamp Network Security manager checks for TLS
authorJimmy Yuen Ho Wong <wyuenho@gmail.com>
Tue, 10 Jul 2018 13:20:09 +0000 (14:20 +0100)
committerJimmy Yuen Ho Wong <wyuenho@gmail.com>
Sat, 14 Jul 2018 16:50:44 +0000 (17:50 +0100)
commit534a3d5d3a99a6b86a47b3d91840ce8771ee0ae6
tree6d5b0271e6f248fea43fd434d05d630cda2ebaa1tree | snapshot
parent023f4c60e9279b69be1dc7db83f69674ce1e1917commit | diff
Revamp Network Security manager checks for TLS

* lisp/net/nsm.el (network-security-level, nsm-level,
  nsm-new-fingerprint-ok-p): Remove `paranoid' level and related code.

* lisp/net/nsm.el (nsm-tls-checks, nsm-tls-check-version,
    nsm-tls-check-compression, nsm-tls-check-renegotiation-info-ext,
    nsm-tls-check-verify-cert, nsm-tls-check-same-cert,
    nsm-tls-check-null-suite, nsm-tls-check-export-kx,
    nsm-tls-check-anon-kx, nsm-tls-check-md5-sig,
    nsm-tls-check-rc4-cipher, nsm-tls-check-dhe-prime-kx,
    nsm-tls-check-sha1-sig, nsm-tls-check-ecdsa-cbc-cipher
    nsm-tls-check-dhe-kx, nsm-tls-check-rsa-kx,
    nsm-tls-check-3des-cipher, nsm-tls-check-cbc-cipher,
    nsm-save-fingerprint-maybe, nsm-tls-post-check-functions): New
    options and functions for checking TLS handshake problems.

* lisp/net/nsm.el (nsm-check-certificate,
  network-security-protocol-checks,
  nsm-protocol-check--diffie-hellman-prime-bits,
  nsm-protocol-check--3des, nsm-protocol-check--rc4,
  nsm-protocol-check--signature-sha1,
  nsm-protocol-check--intermediate-sha1, nsm-protocol-check--ssl,
  nsm-check-protocol): Remove in favor of `nsm-tls-checks' and
  `nsm-tls-check-*' functions.

* lisp/net/nsm.el (nsm-verify-connection): Ensure connection is
  checked even when `network-security-level' is `low'.

* lisp/net/nsm.el (nsm-check-tls-connection): Batch all problems found
  before querying the user.

* lisp/net/nsm.el (nsm--encryption): Renamed to `nsm-cipher-suite'.

* lisp/net/nsm.el (nsm-fingerprint-ok-p): No longer prompt when
  certificate fingerprints mismatch.  Returns a boolean instead when
  the fingerprint of the certificate received matches the saved
  fingerprints.

* lisp/net/nsm.el (nsm-query): Change signature.  Accepts a list of
  problems and a preformatted message instead of just a message format
  and the arguments for the message.

* lisp/net/nsm.el (nsm-query-user): Change signature.  Accepts a
  preformatted message and the peer status of the handshake instead of
  a message format, its arguments and the certificate for the host.

* lisp/net/nsm.el (nsm-save-host): Change signature.  Accepts a list of
  problems after the WHAT parameter.  Saves multiple fingerprints for
  the same host in case the host load balances a TLS server with more
  than one certificates signed with different keys.  Makes sure
  conditions are not removed when updating a fingerprint.

* lisp/net/nsm.el (nsm-format-certificate): Display the TLS handshake's
  renegotiation info extension, compression level, encrypt-then-MAC
  extension, and key exchange prime bit length.

* src/gnutls.c (gnutls-peer-status-warning-describe,
  gnutls-peer-status): Check for certificate verification problems
  introduced since GnuTLS 3.1.

* src/gnutls.c (gnutls-peer-status): `:compression', `:encrypt-then-mac'
  and `:safe-renegotiation' are now contained in the peer status
  result return value.
lisp/net/nsm.el diff | blob | history
src/gnutls.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.