+2014-12-08 Lars Magne Ingebrigtsen <larsi@gnus.org>
+
+ * misc.texi (Network Security): Mention the new protocol-level
+ `high' NSM checks.
+
2014-12-08 Eric S. Raymond <esr@snark.thyrsus.com>
* maintaining.texi: Suopport fo Arch has been moved to obolte,
connections are being hijacked by agencies who have access to pliable
Certificate Authorities which issue new certificates for third-party
services, you may want to keep track of these changes.
+
+@item Diffie-Hellman low prime bits
+When doing the public key exchange, the number of ``prime bits''
+should be high to ensure that the channel can't be eavesdropped on by
+third parties. If this number is too low, you will be warned.
+
+@item @acronym{RC4} stream cipher
+The @acronym{RC4} stream cipher is believed to be of low quality and
+may allow eavesdropping by third parties.
+
+@item @acronym{SSL1}, @acronym{SSL2} and @acronym{SSL3}
+The protocols older than @acronym{TLS1.0} are believed to be
+vulnerable to a variety of attacks, and you may want to avoid using
+these if what you're doing requires higher security.
@end table
Finally, if @code{network-security-level} is @code{paranoid}, you will
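Review bot: The Diffie-Hellman item says only that the number of prime bits "should be high" and that you are warned when it is "too low", without giving the limit. The check in nsm.el compares with `(< prime-bits 1024)`, so state that threshold here so readers know what triggers the warning. The RC4 and SSL items also never say that the user is queried; a closing sentence like the prime-bits item's "you will be warned" would make the three items consistent.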
* net/nsm.el (nsm-check-protocol): Test for RC4 on `high'.
(nsm-format-certificate): Include more data about the connection.
(nsm-query): Fill the text to that it looks nicer.
+ (nsm-check-protocol): Also warn if using SSL3 or older.
2014-12-08 Stefan Monnier <monnier@iro.umontreal.ca>
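Review bot: The added line lists `nsm-check-protocol` a second time at the end of the nsm.el entry, although the entry already opens with "(nsm-check-protocol): Test for RC4 on `high'." Fold "Also warn if using SSL3 or older." into that first item so each function appears once in the entry.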
(encryption (format "%s-%s-%s"
(plist-get status :key-exchange)
(plist-get status :cipher)
- (plist-get status :mac))))
+ (plist-get status :mac)))
+ (protocol (plist-get status :protocol)))
(cond
((and prime-bits
(< prime-bits 1024)
host port encryption)))
(delete-process process)
nil)
+ ((and protocol
+ (string-match "SSL" protocol)
+ (not (memq :ssl (plist-get settings :conditions)))
+ (not
+ (nsm-query
+ host port status :ssl
+ "The connection to %s:%s uses the %s protocol, which is believed to be unsafe."
+ host port protocol)))
+ (delete-process process)
+ nil)
(t
process))))
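Review bot: In the new `cond` clause, `(string-match "SSL" protocol)` is an unanchored match that also overwrites the global match data. `(string-prefix-p "SSL" protocol)` would test only for a protocol name that begins with SSL and leave the match data alone. Separately, the single `:ssl` condition is shared by every SSL version: once `:ssl` is present in `(plist-get settings :conditions)` for a host, this clause is skipped whatever `protocol` reports, so a connection using an older SSL version than the one previously seen is not queried. Consider keying the condition on the protocol string, or note the behaviour in the function's documentation.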