these if what you're doing requires higher security. (This is the
@code{ssl} check in @code{network-security-protocol-checks}).
+@item Triple DES (or @acronym{3DES}) cipher
+The @acronym{3DES} stream cipher provides at most 112 bits of
+effective security, and a major security vulnerability in it was
+disclosed in 2016 (CVE-2016-2183). It has been deprecated by NIST in
+all applications from late 2023 onwards. (This is the
+@code{3des-cipher} check in @code{network-security-protocol-checks}).
@end table
If @code{network-security-level} is @code{high}, the following checks
will be made, in addition to the above:
@table @asis
-@item @acronym{3DES} cipher
-The @acronym{3DES} stream cipher provides at most 112 bits of
-effective security, which is considered to be towards the low end.
-(This is the @code{3des} check in
-@code{network-security-protocol-checks}).
-
@item a validated certificate changes the public key
Servers change their keys occasionally, and that is normally nothing
to be concerned about. However, if you are worried that your network
** Emacs now supports Unicode Standard version 15.1.
+** The Network Security Manager now warns about 3DES by default.
+This cypher is no longer recommended owing to a major vulnerability
+disclosed in 2016, and its small 112 bit key size. Emacs now warns
+about its use also when 'network-security-level' is set to 'medium'
+(the default). See 'network-security-protocol-checks'.
+
** Help
*** 'describe-function' shows function inferred type when available.
(dhe-prime-kx medium)
(sha1-sig medium)
(ecdsa-cbc-cipher medium)
+ ;; Deprecated by NIST from 2016/2023 (see also CVE-2016-2183).
+ (3des-cipher medium)
;; Towards TLS 1.3
(dhe-kx high)
(rsa-kx high)
- (3des-cipher high)
(cbc-cipher high))
"This variable specifies what TLS connection checks to perform.
It's an alist where the key is the name of the check, and the
See also: `nsm-check-tls-connection', `nsm-save-host-names',
`nsm-settings-file'"
- :version "27.1"
:type '(repeat (list (symbol :tag "Check function")
(choice :tag "Level"
:value medium
(const :tag "Low" low)
(const :tag "Medium" medium)
- (const :tag "High" high)))))
+ (const :tag "High" high))))
+ :version "30.1")
(defun nsm-save-fingerprint-maybe (host port status &rest _)
"Save the certificate's fingerprint.