From: Stefan Kangas
Date: Fri, 17 Jan 2025 11:19:21 +0000 (+0100)
Subject: Make NSM warn for TLS 1.1
X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=66dece172d88c7e6fdce314669ddd3a0c074aa94;p=emacs.git

Make NSM warn for TLS 1.1

* lisp/net/nsm.el (nsm-protocol-check--version): Warn also for TLS 1.1. Update docstring.

(cherry picked from commit 965e50e3aeda4bdca4d225194770796fc56d2b96)
---

diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index 9205c1df4b6..6d648701e15 100644
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -700,9 +700,10 @@ Security (DTLS)\", `https://tools.ietf.org/html/rfc7525'"
 (defun nsm-protocol-check--version (_host _port status &optional _settings)
 "Check for SSL/TLS protocol version.
 
-This function guards against the usage of SSL3.0, which has been
-deprecated by RFC7568[1], and TLS 1.0, which has been deprecated
-by PCI DSS[2].
+This function guards against the usage of SSL3.0, TLS 1.0, and TLS 1.1.
+- SSL 3.0 has been deprecated by RFC7568[1].
+- TLS 1.0 has been deprecated by PCI DSS[2], and later by RFC8996[3].
+- TLS 1.1 has been deprecated by RFC8996[3].
 
 References:
 
@@ -710,12 +711,15 @@ References:
 Sockets Layer Version 3.0\", `https://tools.ietf.org/html/rfc7568'
 [2]: PCI Security Standards Council (2016). \"Migrating from SSL
 and Early TLS\"
-`https://www.pcisecuritystandards.org/documents/Migrating-from-SSL-Early-TLS-Info-Supp-v1_1.pdf'"
+`https://docs-prv.pcisecuritystandards.org/Guidance%20Document/SSL%20TLS/Migrating_from_SSL_and_Early_TLS_-v12.pdf'
+[3]: Moriarty, Farrell (2021). \"Deprecating TLS 1.0 and TLS 1.1\"
+`https://tools.ietf.org/html/rfc7568'
+"
 (let ((protocol (plist-get status :protocol)))
 (and protocol
 (or (string-match "SSL" protocol)
 (and (string-match "TLS1.\\([0-9]+\\)" protocol)
- (< (string-to-number (match-string 1 protocol)) 1)))
+ (< (string-to-number (match-string 1 protocol)) 2)))
 (format-message
 "%s protocol is deprecated by standard bodies" protocol))))
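Review bot: Reference [3] in the second hunk is labelled "Deprecating TLS 1.0 and TLS 1.1" (RFC 8996) but its URL still points at rfc7568, the SSL 3.0 document already cited as [1]; the added URL should be `https://tools.ietf.org/html/rfc8996`. The closing quote of the docstring now sits on a line of its own, so the docstring ends with a newline; putting it back at the end of the last URL line keeps the form it had before. In the unchanged regexp `"TLS1.\\([0-9]+\\)"` the dot is unescaped and the match is unanchored, so the new `2` bound also applies to any protocol string that merely contains that shape (a DTLS name would be one case, if the TLS library reports it that way). That may well be intended, but a short comment next to the comparison saying which protocol strings are expected would make the check easier to audit. The docstring spans both hunks and its `[1]:` line lies between them, outside what is shown here.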