From: Robert Pluim <rpluim@gmail.com>
To: emacs-devel@gnu.org
Subject: Re: Deprecate TLS1.0 support in emacs
Date: Wed, 12 Jul 2017 16:30:18 +0200 [thread overview]
Message-ID: <87fue17mo5.fsf@gmail.com> (raw)
In-Reply-To: 87zic9vk98.fsf@mouse
Lars Ingebrigtsen <larsi@gnus.org> writes:
> Robert Pluim <rpluim@gmail.com> writes:
>
>> whilst investigating another bug, I noticed that
>> https://lists.gnu.org/ is still using TLS1.0, which is seriously
>> deprecated. I propose the following patch to make emacs not use TLS1.0
>> anymore unless explicitly requested (and someone should update the
>> settings on lists.gnu.org).
>
> As you point out, removing TLS1.0 support from Emacs will make it
> impossible for people to access common resources like
> https://lists.gnu.org/ (and many other sites), so I don't think that's a
> good idea.
TLS1.0 is a seriously insecure protocol. I refrained from doing what I
actually wanted to do, which is deprecate TLS1.1 as well. I think it's
a disservice to allow TLS1.0 to continue to be used.
> It might make sense to warn people about these resources not being
> "secure", though.
That could be done with nsm, but only if you'll accept setting the
default network-security-level to 'high, or adding a specific check
for protocol version at 'medium. Option 1 looks something like this:
Warn about TLS1.0 and TLS1.1
* lisp/net/nsm.el (network-security-level): Change default to
'high so that we check protocol parameters
(nsm-check-protocol): Warn if we detect TLS1.0 at level 'high,
and TLS1.1 at level 'paranoid
diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index 8d3463ef0a..f4d1fbb301 100644
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -35,7 +35,7 @@ nsm
:version "25.1"
:group 'comm)
-(defcustom network-security-level 'medium
+(defcustom network-security-level 'high
"How secure the network should be.
If a potential problem with the security of the network
connection is found, the user is asked to give input into how the
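Review bot: changing the default of `network-security-level` from 'medium to 'high alters behaviour for every existing user, and for whatever else nsm gates on 'high, not only the protocol checks this patch adds; the hunk shows no matching `:version` bump on the defcustom (the defgroup just above still carries `:version "25.1"`). Bump the defcustom's `:version` to the release that changes the default so Customize reports it, extend the docstring to say that 'high now asks about old protocol versions, and add a NEWS entry.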
@@ -231,6 +231,27 @@ nsm-check-protocol
host port protocol)))
(delete-process process)
nil)
+ ((and protocol
+ (string-match "TLS1.0" protocol)
+ (not (memq :tls1.0 (plist-get settings :conditions)))
+ (not
+ (nsm-query
+ host port status :tls1.0
+ "The connection to %s:%s uses the %s protocol, which is unsafe."
+ host port protocol)))
+ (delete-process process)
+ nil)
+ ((and protocol
+ (eq network-security-level 'paranoid)
+ (string-match "TLS1.1" protocol)
+ (not (memq :tls1.0 (plist-get settings :conditions)))
+ (not
+ (nsm-query
+ host port status :tls1.1
+ "The connection to %s:%s uses the %s protocol, which is unsafe."
+ host port protocol)))
+ (delete-process process)
+ nil)
(t
process))))
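Review bot: the TLS1.1 clause tests `(not (memq :tls1.0 (plist-get settings :conditions)))` but queries with `:tls1.1`, so a user who accepts the TLS1.1 warning has `:tls1.1` recorded and is prompted again on every connection, while an earlier acceptance of `:tls1.0` silently suppresses the TLS1.1 warning instead; change that `memq` to `:tls1.1`. Both `"TLS1.0"` and `"TLS1.1"` are regexps whose `.` matches any character, so use `"TLS1\\.0"` and `"TLS1\\.1"` (or `string=`). The two clauses also share one message; the `:tls1.1` one should say it is raised only at 'paranoid, since a protocol that was silent at 'high will otherwise look like a regression to the user.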
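The decision the patch encodes inline in `nsm-check-protocol` (inspect the negotiated protocol only at 'high and above, warn about TLS1.0 there and about TLS1.1 only at 'paranoid, and stay quiet once the user has accepted that exact condition for the host) is easier to reason about as a pure function. The following is an added example, not code from the patch or from nsm.el. The `tls-demo-` names are hypothetical, the peer-status plists are constructed rather than captured from real hosts, and the only real Emacs APIs it relies on are `plist-get`, `open-network-stream` with `:type 'tls`, and `gnutls-peer-status`, which returns a plist with a `:protocol` string such as "TLS1.2". Each warning is keyed on its own condition symbol, so an accepted `:tls1.0` does not silence `:tls1.1` and vice versa.

```elisp
;; Added example, not part of the patch or of nsm.el.  Names prefixed
;; `tls-demo-' are hypothetical.  The status plists below are
;; constructed to mirror the shape of what `gnutls-peer-status' returns.

(defun tls-demo-protocol-condition (protocol level)
  "Return the condition keyword to raise for PROTOCOL at LEVEL, or nil.
PROTOCOL is a string such as \"TLS1.0\" (nil for non-TLS connections).
LEVEL is one of the symbols `low', `medium', `high' or `paranoid', as
for `network-security-level'.  Only `high' and `paranoid' look at the
protocol version at all; TLS1.1 is flagged only at `paranoid'."
  (when (and protocol (memq level '(high paranoid)))
    (cond ((string-match "\\`SSL" protocol) :ssl)
          ((string= protocol "TLS1.0") :tls1.0)
          ((and (eq level 'paranoid) (string= protocol "TLS1.1")) :tls1.1))))

(defun tls-demo-check-protocol (status settings level)
  "Decide what to do with a connection whose peer status is STATUS.
STATUS is a plist in the shape `gnutls-peer-status' returns.  SETTINGS
is the per-host plist nsm keeps, whose :conditions list holds the
condition keywords the user already accepted for this host (nil when
nothing was accepted).  Return the symbol `ok' when there is nothing
to say, `accepted' when this exact condition was accepted before, or
the list (query CONDITION MESSAGE) when the user should be asked."
  (let* ((protocol (plist-get status :protocol))
         (condition (tls-demo-protocol-condition protocol level)))
    (cond ((null condition) 'ok)
          ;; Check the same keyword we would query under, so that an
          ;; acceptance of one protocol never masks a different one.
          ((memq condition (plist-get settings :conditions)) 'accepted)
          (t (list 'query condition
                   (format "This connection uses the %s protocol, which is unsafe."
                           protocol))))))

;; Constructed sample peer statuses, one per protocol family of interest.
(defconst tls-demo-samples
  '((:protocol "TLS1.2" :cipher "AES-128-GCM")
    (:protocol "TLS1.1" :cipher "AES-128-CBC")
    (:protocol "TLS1.0" :cipher "AES-128-CBC")
    (:protocol "SSL3.0" :cipher "RC4-128")))

(defun tls-demo-report (level &optional settings)
  "Run every sample status through the check at LEVEL.
Return an alist of (PROTOCOL . DECISION)."
  (mapcar (lambda (status)
            (cons (plist-get status :protocol)
                  (tls-demo-check-protocol status settings level)))
          tls-demo-samples))

(defun tls-demo-probe (host port level &optional settings)
  "Connect to HOST:PORT over TLS and run the check on the real peer status.
This is the only function here that touches the network; it assumes an
Emacs built with GnuTLS.  The process is closed before returning."
  (let ((proc (open-network-stream "tls-demo" nil host port :type 'tls)))
    (unwind-protect
        (tls-demo-check-protocol (gnutls-peer-status proc) settings level)
      (delete-process proc))))
```

Evaluating `(tls-demo-report 'medium)` yields `ok` for every sample, because the protocol is not inspected below 'high; `(tls-demo-report 'high)` leaves TLS1.2 and TLS1.1 alone and asks about TLS1.0 and SSL3.0; `(tls-demo-report 'paranoid '(:conditions (:tls1.0)))` additionally asks about TLS1.1 under `:tls1.1` while reporting TLS1.0 as `accepted`. `(tls-demo-probe "lists.gnu.org" 443 'high)` is the live equivalent for the host that started this thread.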
Thread overview: 48+ messages
2017-07-12 13:03 Deprecate TLS1.0 support in emacs Robert Pluim
2017-07-12 13:48 ` Lars Ingebrigtsen
2017-07-12 14:30 ` Robert Pluim [this message]
2017-07-12 14:36 ` Andreas Schwab
2017-07-12 14:39 ` Robert Pluim
2017-07-12 14:55 ` Andreas Schwab
2017-07-12 15:59 ` Robert Pluim
2017-07-12 14:44 ` Lars Ingebrigtsen
2017-07-12 16:10 ` Robert Pluim
2017-07-12 19:05 ` Lars Ingebrigtsen
2017-07-13 8:45 ` Robert Pluim
2017-07-13 12:25 ` Richard Stallman
2017-07-13 13:29 ` Robert Pluim
2017-08-01 12:02 ` Robert Pluim
2017-08-01 12:38 ` Lars Ingebrigtsen
2017-08-01 13:01 ` Robert Pluim
2017-08-01 14:45 ` Paul Eggert
2017-08-01 14:53 ` Lars Ingebrigtsen
2017-08-01 15:12 ` Robert Pluim
2017-08-01 17:56 ` Stefan Monnier
2017-08-03 11:48 ` Lars Ingebrigtsen
2017-08-03 15:52 ` Stefan Monnier
2017-08-03 19:30 ` Ted Zlatanov
2017-08-04 5:40 ` Eli Zaretskii
2017-08-04 13:13 ` Ted Zlatanov
2017-08-04 14:51 ` Eli Zaretskii
2017-08-04 17:26 ` Stefan Monnier
2017-08-04 19:50 ` Ted Zlatanov
2017-08-04 21:21 ` Stefan Monnier
2017-08-04 23:09 ` Ted Zlatanov
2017-08-05 7:21 ` Michael Albinus
2017-08-06 19:17 ` common Emacs notifications and alert.el (John W.) package (was: Deprecate TLS1.0 support in emacs) Ted Zlatanov
2017-08-07 1:42 ` common Emacs notifications and alert.el (John W.) package John Wiegley
2017-08-11 13:55 ` Ted Zlatanov
2017-08-15 17:06 ` common Emacs notifications and alert.el (John W.) package (was: Deprecate TLS1.0 support in emacs) Eli Zaretskii
2017-08-15 17:13 ` common Emacs notifications and alert.el (John W.) package John Wiegley
2017-08-04 14:59 ` Deprecate TLS1.0 support in emacs Michael Albinus
2017-08-03 19:39 ` Lars Ingebrigtsen
2017-08-04 21:35 ` Richard Stallman
2017-08-03 19:32 ` Ted Zlatanov
2017-08-04 3:17 ` Stefan Monnier
2017-08-04 13:09 ` Ted Zlatanov
2017-08-04 15:02 ` Lars Ingebrigtsen
2017-08-04 17:29 ` Stefan Monnier
2017-08-07 9:54 ` Robert Pluim
2017-08-10 15:33 ` Ted Zlatanov
2017-08-11 3:15 ` Paul Eggert
2017-08-11 13:53 ` Ted Zlatanov