From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED!not-for-mail From: Robert Pluim Newsgroups: gmane.emacs.devel Subject: Re: Deprecate TLS1.0 support in emacs Date: Thu, 13 Jul 2017 15:29:28 +0200 Organization: not if I can help it Message-ID: <87shi0tqh3.fsf@gmail.com> References: <87o9sp7qok.fsf@gmail.com> <87zic9vk98.fsf@mouse> <87fue17mo5.fsf@gmail.com> <87tw2hvhob.fsf@mouse> <8760ex63hi.fsf@gmail.com> <87fue1v5lr.fsf@mouse> Reply-To: emacs-devel@gnu.org NNTP-Posting-Host: blaine.gmane.org Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-Trace: blaine.gmane.org 1499953010 2286 195.159.176.226 (13 Jul 2017 13:36:50 GMT) X-Complaints-To: usenet@blaine.gmane.org NNTP-Posting-Date: Thu, 13 Jul 2017 13:36:50 +0000 (UTC) User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux) To: emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Thu Jul 13 15:36:45 2017 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dVeIN-0008Nb-D9 for ged-emacs-devel@m.gmane.org; Thu, 13 Jul 2017 15:36:43 +0200 Original-Received: from localhost ([::1]:60109 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dVeIM-0007kX-KP for ged-emacs-devel@m.gmane.org; Thu, 13 Jul 2017 09:36:42 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:59709) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dVeBr-0001jG-Ct for emacs-devel@gnu.org; Thu, 13 Jul 2017 09:30:00 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dVeBm-00029A-KG for emacs-devel@gnu.org; Thu, 13 Jul 2017 09:29:59 -0400 Original-Received: from [195.159.176.226] (port=57578 helo=blaine.gmane.org) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dVeBm-00027W-88 for emacs-devel@gnu.org; Thu, 13 Jul 2017 09:29:54 -0400 Original-Received: from list by blaine.gmane.org with local (Exim 4.84_2) (envelope-from ) id 1dVeBQ-0005Bz-Vm for emacs-devel@gnu.org; Thu, 13 Jul 2017 15:29:32 +0200 X-Injected-Via-Gmane: http://gmane.org/ Original-Lines: 153 Original-X-Complaints-To: usenet@blaine.gmane.org Cancel-Lock: sha1:X+87P8bp+c6lBPFwBCNhOJvIhzc= X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 195.159.176.226 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.org gmane.emacs.devel:216580 Archived-At: --=-=-= Content-Type: text/plain Richard Stallman writes: > > It is a refusal to access a resource because somebody has determined > > that a specific protocol (HTTP + TLS1.0) is something that our users > > shouldn't be able to use. > > I agree -- our software should not absolutely refuse to communicate > a way that we judge risky. We should explain the situation and state > how to enable that method (perhaps with a user option). > OK. NSM provides the requisite infrastructure for that already, we just have to enable some more checking. Here's an initial patch, we can now decide exactly which checks we should do at medium security level, and update the manuals. Personally I feel we should warn for ssl, tls1.0, tls1.1, RC4, and SHA1. Diffie-Hellman I'm not too sure about, although I'll note that Google Chrome switched to 1024 bits two years ago. Regards Robert --=-=-= Content-Type: text/x-diff Content-Disposition: inline; filename=0001-Check-for-SSL-TLS1.0-and-TLS1.1-and-warn-user.patch >From 6587993f682544fa2314a0d41101274a1c004ab5 Mon Sep 17 00:00:00 2001 From: Robert Pluim Date: Thu, 13 Jul 2017 15:06:07 +0200 Subject: [PATCH] Check for SSL, TLS1.0 and TLS1.1 and warn user * lisp/net/nsm.el (nsm-check-tls-connection): Check protocol parameters at the default `medium' security level (nsm-check-for-deprecated-protocols): New function. Abstract protocol version checks out of nsm-check-protocols and check for TLS1.0 and TLS1.1 (nsm-check-protocol): Use it * etc/NEWS (libraries): Document the change in tls connection behaviour --- etc/NEWS | 7 +++++++ lisp/net/nsm.el | 40 +++++++++++++++++++++++++++------------- 2 files changed, 34 insertions(+), 13 deletions(-) diff --git a/etc/NEWS b/etc/NEWS index a00760c2f8..1880847048 100644 --- a/etc/NEWS +++ b/etc/NEWS @@ -459,6 +459,13 @@ Linum mode and all similar packages are henceforth becoming obsolete. Users and developers are encouraged to switch to this new feature instead. +** Network connections which use ssl, tls1.0 or tls1.1 will now be +warned about by the network security manager. The user will be +prompted to allow/disallow the connection on a per-connection/per-host +basis. These 3 protocols have myriad proven exploits against them and +should be avoided whenever possible. Set network-security-level to +'low' to disable these new checks. + * Editing Changes in Emacs 26.1 diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el index 8d3463ef0a..03670957a5 100644 --- a/lisp/net/nsm.el +++ b/lisp/net/nsm.el @@ -120,8 +120,8 @@ nsm-verify-connection (defun nsm-check-tls-connection (process host port status settings) (let ((process (nsm-check-certificate process host port status settings))) (if (and process - (>= (nsm-level network-security-level) (nsm-level 'high))) - ;; Do further protocol-level checks if the security is high. + (>= (nsm-level network-security-level) (nsm-level 'medium))) + ;; Do further protocol-level checks if the security is medium. (nsm-check-protocol process host port status settings) process))) @@ -199,7 +199,7 @@ nsm-check-protocol (not (nsm-query host port status :diffie-hellman-prime-bits - "The Diffie-Hellman prime bits (%s) used for this connection to %s:%s is less than what is considered safe (%s)." + "The Diffie-Hellman prime bits (%s) used for this connection to %s:%s is less than what is considered safe (%s). Accept at your own risk." prime-bits host port 1024))) (delete-process process) nil) @@ -208,7 +208,7 @@ nsm-check-protocol (not (nsm-query host port status :rc4 - "The connection to %s:%s uses the RC4 algorithm (%s), which is believed to be unsafe." + "The connection to %s:%s uses the RC4 algorithm (%s), which is unsafe. Accept at your own risk." host port encryption))) (delete-process process) nil) @@ -217,23 +217,37 @@ nsm-check-protocol (not (nsm-query host port status :signature-sha1 - "The certificate used to verify the connection to %s:%s uses the SHA1 algorithm (%s), which is believed to be unsafe." + "The certificate used to verify the connection to %s:%s uses the SHA1 algorithm (%s), which is unsafe. Accept at your own risk." host port signature-algorithm))) (delete-process process) nil) - ((and protocol - (string-match "SSL" protocol) - (not (memq :ssl (plist-get settings :conditions))) - (not - (nsm-query - host port status :ssl - "The connection to %s:%s uses the %s protocol, which is believed to be unsafe." - host port protocol))) + ((let ((what (nsm-check-for-deprecated-protocols protocol settings))) + (and protocol + what + (not + (nsm-query + host port status what + "The connection to %s:%s uses the %s protocol, which is unsafe. Accept at your own risk." + host port protocol)))) (delete-process process) nil) (t process)))) +(defun nsm-check-for-deprecated-protocols (protocol settings) + (cond + ((and (string-match "SSL" protocol) + (not (memq :ssl (plist-get settings :conditions)))) + :ssl) + ((and (string-equal "TLS1.0" protocol) + (not (memq :tls1.0 (plist-get settings :conditions)))) + :tls1.0) + ((and (string-equal "TLS1.1" protocol) + (not (memq :tls1.1 (plist-get settings :conditions)))) + :tls1.1) + (t + nil))) + (defun nsm-fingerprint (status) (plist-get (plist-get status :certificate) :public-key-id)) -- 2.13.0.rc0 --=-=-=--