From 3e7692f07d9e90f495ff4104cf1320954398c9fa Mon Sep 17 00:00:00 2001 From: Lars Ingebrigtsen Date: Mon, 25 Jun 2018 02:40:25 +0200 Subject: [PATCH] Make the intermediary-sha1 check work * lisp/net/nsm.el (nsm-protocol-check--intermediary-sha1): Make the "skip the root cert" logic work (suggested by Noam Postavsky). --- lisp/net/nsm.el | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el index 2c4f8bf5ed5..146d0d55254 100644 --- a/lisp/net/nsm.el +++ b/lisp/net/nsm.el @@ -256,13 +256,14 @@ HOST PORT STATUS OPTIONAL-PARAMETER.") host port signature-algorithm)))) (defun nsm-protocol-check--intermediary-sha1 (host port status _) - ;; We want to check all intermediary certificates, so we skip the - ;; first, reverse the list and then skip the first again, so we miss - ;; the first and final certificates in the chain. - (cl-loop for certificate in (cdr (reverse - (cdr (plist-get status :certificates)))) + ;; Skip the first certificate, because that's the host certificate. + (cl-loop for certificate in (cdr (plist-get status :certificates)) for algo = (plist-get certificate :signature-algorithm) - when (and (string-match "\\bSHA1\\b" algo) + ;; Don't check root certificates -- SHA1 isn't dangerous + ;; there. + when (and (not (equal (plist-get certificate :issuer) + (plist-get certificate :subject))) + (string-match "\\bSHA1\\b" algo) (not (nsm-query host port status :signature-sha1 "An intermediary certificate used to verify the connection to %s:%s uses the SHA1 algorithm (%s), which is believed to be unsafe." -- 2.39.5