(defun nsm-check-protocol (process host port status settings)
(let ((prime-bits (plist-get status :diffie-hellman-prime-bits))
- (encryption (format "%s-%s-%s"
+ (signature-algorithm
+ (plist-get (plist-get status :certificate) :signature-algorithm))
+ (encryption (format "%s-%s-%s"
(plist-get status :key-exchange)
(plist-get status :cipher)
(plist-get status :mac)))
host port encryption)))
(delete-process process)
nil)
+ ((and (string-match "\\bSHA1\\b" signature-algorithm)
+ (not (memq :signature-sha1 (plist-get settings :conditions)))
+ (not
+ (nsm-query
+ host port status :signature-sha1
+ "The certificate used to verify the connectio to %s:%s uses the SHA1 algorithm (%s), which is believed to be unsafe."
+ host port signature-algorithm)))
+ (delete-process process)
+ nil)
((and protocol
(string-match "SSL" protocol)
(not (memq :ssl (plist-get settings :conditions)))
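Review bot: The new SHA1 clause passes `signature-algorithm` straight to `string-match`, but the binding added in the `let` is nil whenever `status` carries no `:certificate` or the certificate plist has no `:signature-algorithm`; `string-match` signals a wrong-type error on nil, so the remaining protocol checks would never be evaluated. The neighbouring clause tests its value first (`(and protocol (string-match "SSL" protocol) …`), and the same shape fits here: `((and signature-algorithm (string-match "\\bSHA1\\b" signature-algorithm)`. The user-facing prompt also has a typo: `connectio` should read `connection`. As far as these lines show, only the `:signature-algorithm` of the certificate in `status` is inspected, so a SHA1-signed intermediate would presumably not trigger the warning; a short comment stating that scope would help. The `cond` and the body of `nsm-check-protocol` continue outside the hunk.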