From: Robert Pluim <rpluim@gmail.com>
To: emacs-devel@gnu.org
Subject: Deprecate TLS1.0 support in emacs
Date: Wed, 12 Jul 2017 15:03:39 +0200
Message-ID: <87o9sp7qok.fsf@gmail.com>
Hi,
whilst investigating another bug, I noticed that
https://lists.gnu.org/ is still using TLS1.0, which is seriously
deprecated. I propose the following patch to make emacs not use TLS1.0
anymore unless explicitly requested (and someone should update the
settings on lists.gnu.org).
Perhaps this warrants a NEWS entry as well; let me know.
Regards
Robert
[-- Attachment #2: 0001-Remove-TLS1.0-from-default-gnutls-connection-paramet.patch --]
[-- Type: text/x-diff, Size: 2294 bytes --]
From e0526d6ac7a2622a1b8781be4825fbef985a5ed3 Mon Sep 17 00:00:00 2001
From: Robert Pluim <rpluim@gmail.com>
Date: Wed, 12 Jul 2017 14:59:35 +0200
Subject: [PATCH] Remove TLS1.0 from default gnutls connection parameters
* lisp/net/gnutls.el (gnutls-boot-parameters): Remove TLS1.0
from default parameters.
* src/gnutls.c (Fgnutls_boot): Likewise.
---
lisp/net/gnutls.el | 4 ++--
src/gnutls.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 5db87329c3..3386dc5efc 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -264,11 +264,11 @@ gnutls-log-level
(priority-string (or priority-string
(cond
((eq type 'gnutls-anon)
- "NORMAL:+ANON-DH:!ARCFOUR-128")
+ "NORMAL:+ANON-DH:!ARCFOUR-128:-VERS-TLS1.0")
((eq type 'gnutls-x509pki)
(if gnutls-algorithm-priority
(upcase gnutls-algorithm-priority)
- "NORMAL")))))
+ "NORMAL:-VERS-TLS1.0")))))
(verify-error (or verify-error
;; this uses the value of `gnutls-verify-error'
(cond
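Review bot: the "-VERS-TLS1.0" suffix is hard-coded twice in this hunk (the `gnutls-anon` branch and the `gnutls-x509pki` fallback) and a third time in `src/gnutls.c`; a single `defconst` in gnutls.el used by both branches would keep the anonymous and X.509 defaults from drifting apart. The `gnutls-algorithm-priority` path is untouched, so a user who has set it to a plain "NORMAL" still gets TLS1.0 negotiated; that matches the "unless explicitly requested" intent of the cover note, but the docstring of `gnutls-algorithm-priority` should state that setting it replaces the whole default, TLS1.0 exclusion included.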
diff --git a/src/gnutls.c b/src/gnutls.c
index 2078ad88f2..c3d7f54b73 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -1333,7 +1333,7 @@ PROPLIST is a property list with the following keys:
:hostname is a string naming the remote host.
-:priority is a GnuTLS priority string, defaults to "NORMAL".
+:priority is a GnuTLS priority string, defaults to "NORMAL:-VERS-TLS1.0".
:trustfiles is a list of PEM-encoded trust files for `gnutls-x509pki'.
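Review bot: the docstring now agrees with the new C default, but gives a reader who needs TLS1.0 back no hint of how to get it; add a sentence saying that an explicit :priority (for example a plain "NORMAL") overrides the default entirely, so a caller who supplies a custom string and still wants TLS1.0 excluded must repeat "-VERS-TLS1.0" in it.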
@@ -1389,7 +1389,7 @@ one trustfile (usually a CA bundle). */)
gnutls_certificate_credentials_t x509_cred = NULL;
gnutls_anon_client_credentials_t anon_cred = NULL;
Lisp_Object global_init;
- char const *priority_string_ptr = "NORMAL"; /* default priority string. */
+ char const *priority_string_ptr = "NORMAL:-VERS-TLS1.0"; /* default priority string. */
char *c_hostname;
/* Placeholders for the property list elements. */
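Review bot: the literal assigned to `priority_string_ptr` is a second copy of the string that `gnutls-boot-parameters` builds in gnutls.el, and the trailing comment still only says "default priority string"; extend the comment to record why TLS1.0 is excluded (deprecated, per the cover note) and to name `gnutls-boot-parameters` as the place that must change in step, or derive both defaults from one shared definition so they cannot diverge.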
--
2.13.0.rc0