From: Lars Ingebrigtsen
Newsgroups: gmane.emacs.devel
Subject: Re: GnuTLS/TLS proposals for after the release
Date: Wed, 20 Jul 2016 14:04:27 +0200
To: emacs-devel@gnu.org
In-Reply-To: <87furnhj3g.fsf@lifelogs.com> (Ted Zlatanov's message of "Tue, 05 Jul 2016 17:26:43 -0400")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1.50 (gnu/linux)
Xref: news.gmane.org gmane.emacs.devel:205860

Ted Zlatanov writes:

> 1) Proposal: after the 25.1 release, opening a secure network connection
> without `gnutls-available-p' should be an annoying warning. The
> alternative (tls.el) is less secure and IMHO should be discouraged.

I agree. And I think the FSF distribution page for the prebuilt binaries
on all platforms should link to binaries that come with a complete set of
libraries needed to run Emacs in a secure manner. (Mostly relevant for
the Windows distribution.)

> 2) I am concerned that SSLv3 is explicitly in the tls.el defaults. See
> http://disablessl3.com/ for why, no need to write up all the reasons
> here. I propose to cut those lines out.

That's fine with me, but if it's deprecated, then it probably doesn't
matter much. :-)

> I propose a single variable, `gnutls-settings' which can be set per host
> regex or globally, and which can contain an alist or plist specifying
> each of the settings above as a string/string list or as a function.
> Basically a unified view of all GnuTLS-related connectivity settings
> instead of scattering them over several variables. I think in Customize
> that will look nicer and more friendly, plus the code will be simplified.

Yes, this sounds nice.

The only slightly worrying thing from a user perspective is that we'd
then have two layers of settings/exceptions per host -- one from
`gnutls-settings', and one from the Network Security Manager. This may
confuse some users, but the extra power `gnutls-settings' would give us
might outweigh that slight problem.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
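As an added illustration of the two proposals discussed in the message above (not code from the thread and not Emacs's own implementation of either): a sketch of how a per-host `gnutls-settings' alist could be resolved, with a global entry under the key `t' and host regexps overriding it, plus the loud warning proposed for the case where Emacs lacks built-in GnuTLS. The variable name `my-gnutls-settings', the helper functions, the sample hosts and the choice of plist keys are all assumptions for the sake of the example; the `NORMAL:-VERS-SSL3.0' priority string is a GnuTLS priority specification that excludes SSLv3, tying in with proposal 2.

```elisp
;; Added example, not code from the thread or from Emacs itself.
;; Variable name, keys and sample hosts are illustrative assumptions.

(require 'cl-lib)

(defvar my-gnutls-settings
  '((t . (:priority "NORMAL:-VERS-SSL3.0"   ; global default: no SSLv3
          :verify-error t                   ; fail on certificate problems
          :min-prime-bits 1024))
    ("\\.example\\.com\\'" . (:min-prime-bits 2048))     ; stricter DH for one domain
    ("\\`legacy\\.internal\\'" . (:verify-error nil)))   ; explicit per-host exception
  "Constructed sample of a unified per-host TLS settings alist.
The key t holds global defaults; string keys are regexps matched against
the host name.  Entries later in the list override earlier ones.")

(defun my-gnutls-settings-for-host (host &optional settings)
  "Return a plist of TLS settings for HOST.
Every entry of SETTINGS (default `my-gnutls-settings') whose key is t or a
regexp matching HOST contributes its plist; later entries override earlier
ones key by key, so a per-host regexp entry wins over the global default."
  (let ((result nil))
    (dolist (entry (or settings my-gnutls-settings))
      (let ((key (car entry))
            (plist (cdr entry)))
        (when (or (eq key t)
                  (and (stringp key) (string-match-p key host)))
          (cl-loop for (k v) on plist by #'cddr
                   do (setq result (plist-put result k v))))))
    result))

(defun my-check-gnutls-or-warn ()
  "Warn loudly when Emacs has no built-in GnuTLS support.
Models proposal 1 from the thread: instead of silently falling back to
tls.el, surface a warning.  Returns non-nil when GnuTLS is available."
  (let ((available (and (fboundp 'gnutls-available-p)
                        (gnutls-available-p))))
    (unless available
      (display-warning
       'gnutls
       "Emacs was built without GnuTLS; secure connections via tls.el are not recommended"
       :warning))
    available))

(defun my-open-tls-stream (name buffer host service)
  "Open a TLS connection to HOST on SERVICE using the resolved settings.
Only attempts the connection when built-in GnuTLS is available."
  (when (my-check-gnutls-or-warn)
    (let ((settings (my-gnutls-settings-for-host host)))
      (apply #'open-gnutls-stream name buffer host service
             (list :nowait nil :nowait nil)) ; placeholder args; see note below
      settings)))
```

Evaluating `(my-gnutls-settings-for-host "imap.example.com")` yields the global plist with `:min-prime-bits' raised to 2048 by the `\\.example\\.com\\'' entry, while `"legacy.internal"' gets the global defaults with `:verify-error' switched off. The last function is a placeholder showing where the resolved plist would be handed to the connection code; in a real implementation the `:priority', `:verify-error' and `:min-prime-bits' values would be passed through to `gnutls-boot', which is exactly the wiring the proposal would centralise. Note that this lookup is the first of the two layers Lars mentions: the Network Security Manager would still apply its own per-host checks on top of whatever this returns.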