From: Robert Pluim
Newsgroups: gmane.emacs.devel
Subject: Re: Deprecate TLS1.0 support in emacs
Date: Wed, 12 Jul 2017 16:30:18 +0200
Organization: not if I can help it
Message-ID: <87fue17mo5.fsf@gmail.com>
References: <87o9sp7qok.fsf@gmail.com> <87zic9vk98.fsf@mouse>
Reply-To: emacs-devel@gnu.org
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
To: emacs-devel@gnu.org
Xref: news.gmane.org gmane.emacs.devel:216536

Lars Ingebrigtsen writes:

> Robert Pluim writes:
>
>> whilst investigating another bug, I noticed that
>> https://lists.gnu.org/ is still using TLS1.0, which is seriously
>> deprecated. I propose the following patch to make emacs not use TLS1.0
>> anymore unless explicitly requested (and someone should update the
>> settings on lists.gnu.org).
>
> As you point out, removing TLS1.0 support from Emacs will make it
> impossible for people to access common resources like
> https://lists.gnu.org/ (and many other sites), so I don't think that's a
> good idea.

TLS1.0 is a seriously insecure protocol. I refrained from doing what I
actually wanted to do, which is deprecate TLS1.1 as well. I think it's a
disservice to allow TLS1.0 to continue to be used.

> It might make sense to warn people about these resources not being
> "secure", though.

That could be done with nsm, but only if you'll accept setting the
default network-security-level to 'high, or adding a specific check for
protocol version at 'medium. Option 1 looks something like this:

Warn about TLS1.0 and TLS1.1

* lisp/net/nsm.el (network-security-level): Change default to 'high so
that we check protocol parameters
(nsm-check-protocol): Warn if we detect TLS1.0 at level 'high, and
TLS1.1 at level 'paranoid
diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el index 8d3463ef0a..f4d1fbb301 100644 --- a/lisp/net/nsm.el +++ b/lisp/net/nsm.el @@ -35,7 +35,7 @@ nsm :version "25.1" :group 'comm) -(defcustom network-security-level 'medium +(defcustom network-security-level 'high "How secure the network should be. If a potential problem with the security of the network connection is found, the user is asked to give input into how the @@ -231,6 +231,27 @@ nsm-check-protocol host port protocol))) (delete-process process) nil) + ((and protocol + (string-match "TLS1.0" protocol) + (not (memq :tls1.0 (plist-get settings :conditions))) + (not + (nsm-query + host port status :tls1.0 + "The connection to %s:%s uses the %s protocol, which is unsafe." + host port protocol))) + (delete-process process) + nil) + ((and protocol + (eq network-security-level 'paranoid) + (string-match "TLS1.1" protocol) + (not (memq :tls1.0 (plist-get settings :conditions))) + (not + (nsm-query + host port status :tls1.1 + "The connection to %s:%s uses the %s protocol, which is unsafe." + host port protocol))) + (delete-process process) + nil) (t process))))
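Review bot: Changing the default of network-security-level from 'medium to 'high in the first hunk is a user-visible behaviour change (every user starts getting prompts that were previously only opt-in), so the defcustom needs a :version bump alongside the existing `:version "25.1"` group tag and the change deserves a NEWS entry; the docstring shown ("How secure the network should be...") should also say that 'high now covers protocol-version checks.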
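Review bot: The TLS1.1 clause in the second hunk tests `(not (memq :tls1.0 (plist-get settings :conditions)))` but queries with `:tls1.1`, so an acceptance the user saves for TLS1.1 is stored under a keyword the clause never looks for and the prompt repeats on every connection; it should read `(not (memq :tls1.1 (plist-get settings :conditions)))`. Also, in `(string-match "TLS1.0" protocol)` and `(string-match "TLS1.1" protocol)` the unescaped dot matches any character, so use `"TLS1\\.0"` / `"TLS1\\.1"` or an exact string comparison. Finally, the TLS1.1 clause checks `(eq network-security-level 'paranoid)` explicitly while the TLS1.0 clause has no level test at all; if the intent from the commit message ("at level 'high") relies on nsm-check-protocol only being reached at 'high or above, a comment saying so would help the next reader.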
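As an added example (not code from Robert's patch or from lisp/net/nsm.el), here is the version-policy part of the check written as a small table-driven function: which protocol names are flagged at which network-security-level, keyed by the same condition keyword that would be stored under :conditions so that a remembered acceptance silences exactly the prompt it was given for. The `my-nsm-` names are hypothetical, and the protocol strings are assumed to look like the ones the patch matches ("TLS1.0", "TLS1.1"); the comparison is an exact string match, so no regexp escaping is needed.

```elisp
;; Added example, not code from the patch or from lisp/net/nsm.el.
;; Names prefixed `my-nsm-' are hypothetical.  PROTOCOL strings are
;; assumed to use the same names the patch matches ("TLS1.0", "TLS1.1").

(require 'ert)

(defconst my-nsm-protocol-policy
  '(("TLS1.0" . (:tls1.0 . (high paranoid)))
    ("TLS1.1" . (:tls1.1 . (paranoid))))
  "Alist mapping a protocol name to (CONDITION . LEVELS).
A protocol is flagged with CONDITION when the security level is one
of LEVELS; protocols not listed here are never flagged.")

(defun my-nsm-protocol-condition (protocol level)
  "Return the condition keyword for PROTOCOL at LEVEL, or nil if acceptable.
LEVEL is a symbol such as `medium', `high' or `paranoid'.  The lookup
is an exact string comparison via `assoc', so the dot in \"TLS1.0\"
cannot match arbitrary characters the way an unescaped regexp would."
  (let ((entry (and protocol
                    (assoc protocol my-nsm-protocol-policy))))
    (when (and entry (memq level (cddr entry)))
      (cadr entry))))

(defun my-nsm-protocol-problem (protocol level accepted)
  "Like `my-nsm-protocol-condition', but honour ACCEPTED conditions.
ACCEPTED is the list a caller would store under :conditions for this
host.  The lookup uses the same keyword that would be saved, so a
remembered answer for TLS1.1 silences the TLS1.1 prompt and only that."
  (let ((key (my-nsm-protocol-condition protocol level)))
    (and key (not (memq key accepted)) key)))

(ert-deftest my-nsm-protocol-policy-test ()
  ;; TLS1.0 is flagged at high and paranoid, not at medium.
  (should (eq (my-nsm-protocol-condition "TLS1.0" 'high) :tls1.0))
  (should (eq (my-nsm-protocol-condition "TLS1.0" 'paranoid) :tls1.0))
  (should-not (my-nsm-protocol-condition "TLS1.0" 'medium))
  ;; TLS1.1 is flagged only at paranoid.
  (should-not (my-nsm-protocol-condition "TLS1.1" 'high))
  (should (eq (my-nsm-protocol-condition "TLS1.1" 'paranoid) :tls1.1))
  ;; Unlisted or unknown protocols are never flagged.
  (should-not (my-nsm-protocol-condition "TLS1.2" 'paranoid))
  (should-not (my-nsm-protocol-condition nil 'paranoid))
  ;; A saved acceptance must carry the keyword being queried.
  (should-not (my-nsm-protocol-problem "TLS1.1" 'paranoid '(:tls1.1)))
  (should (eq (my-nsm-protocol-problem "TLS1.1" 'paranoid '(:tls1.0))
              :tls1.1)))
```

Evaluate the buffer and run `M-x ert RET my-nsm-protocol-policy-test RET`. Keeping the level in the policy table rather than in each cond clause makes it obvious at a glance which versions prompt at which level, and the last two assertions capture the property a per-host acceptance has to satisfy: the keyword checked against :conditions is the keyword that was queried.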