From: Andreas Schwab
Newsgroups: gmane.emacs.devel
Subject: Re: Deprecate TLS1.0 support in emacs
Date: Wed, 12 Jul 2017 16:55:55 +0200
To: emacs-devel@gnu.org
In-Reply-To: <87bmop7m8p.fsf@gmail.com> (Robert Pluim's message of "Wed, 12 Jul 2017 16:39:34 +0200")

On Jul 12 2017, Robert Pluim wrote:

> Andreas Schwab writes:
>
>> On Jul 12 2017, Robert Pluim wrote:
>>
>>> @@ -231,6 +231,27 @@ nsm-check-protocol >>> host port protocol))) >>> (delete-process process) >>> nil) >>> + ((and protocol >>> + (string-match "TLS1.0" protocol) >>> + (not (memq :tls1.0 (plist-get settings :conditions))) >>> + (not >>> + (nsm-query >>> + host port status :tls1.0 >>> + "The connection to %s:%s uses the %s protocol, which is unsafe." >>> + host port protocol))) >>> + (delete-process process) >>> + nil) >>> + ((and protocol >>> + (eq network-security-level 'paranoid) >>> + (string-match "TLS1.1" protocol)
>>
>> Why string-match?
>
> It's what the surrounding code uses to check for ssl. You'd prefer
> string-equal ?

Is TLS1.10 or TLS101 unsafe?

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
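
Review bot: the two added tests, (string-match "TLS1.0" protocol) and (string-match "TLS1.1" protocol), pass their argument as a regexp in which "." matches any character and nothing anchors the match, so the "TLS1.1" test in the second new clause would also accept a protocol string such as "TLS1.10" or "TLS101". If the exact protocol name is what should trigger the query, compare with (string-equal protocol "TLS1.1"), or quote and anchor the pattern as "\\`TLS1\\.1\\'". If the loose match is kept for consistency with the surrounding ssl check, a short comment saying that a substring match is intended would make that clear to the next reader.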