author | Eli Zaretskii <eliz@gnu.org> | 2018-07-08 17:46:32 +0300
---|---|---
committer | Eli Zaretskii <eliz@gnu.org> | 2018-07-08 17:46:32 +0300
commit | 9c985a3d7a84bdfad17e11a12f671605bb31b3be (patch) |
tree | bc5dc83a15b01b031538fba8668e625ff66f7183 |
parent | c6de1f1592745d98e58f06332ad35efc72160787 (diff) |
download | emacs-9c985a3d7a84bdfad17e11a12f671605bb31b3be.tar.gz |
Minor improvements in recent NSM documentation changes
* doc/emacs/misc.texi (Network Security): Improve wording and
markup of last change.
* src/gnutls.c (Fgnutls_peer_status): Doc fix.
* etc/NEWS: Improve wording of last change.
-rw-r--r-- | doc/emacs/misc.texi | 23
-rw-r--r-- | etc/NEWS | 15
-rw-r--r-- | src/gnutls.c | 2
3 files changed, 22 insertions, 18 deletions
diff --git a/doc/emacs/misc.texi b/doc/emacs/misc.texi index 96651381962..3d3441401dd 100644 --- a/doc/emacs/misc.texi +++ b/doc/emacs/misc.texi @@ -315,26 +315,27 @@ unverified connection, a temporary exception, or refuse the connection entirely. @vindex network-security-protocol-checks -In addition to the basic certificate corrections checks, -several @acronym{TLS} algorithm checks are available. Some encryption +In addition to the basic certificate correctness checks, several +@acronym{TLS} algorithm checks are available. Some encryption technologies that were previously thought to be secure have shown -themselves to be fragile, and Emacs will (by default) warn the users -about some of these problems. +themselves to be fragile, so Emacs (by default) warns you about some +of these problems. The protocol network checks is controlled via the @code{network-security-protocol-checks} variable. -It's an alist where the first element is the name of the check, -the second is the security level where the check kicks in, and the -optional third element is a parameter supplied to the check. +It's an alist where the first element of each association is the name +of the check, the second element is the security level where the check +should be used, and the optional third element is a parameter supplied +to the check. An element like @code{(rc4 medium)} will result in the function @code{nsm-protocol-check--rc4} being called like thus: -@code{(nsm-protocol-check--rc4 host port status optional-parameter)}. +@w{@code{(nsm-protocol-check--rc4 host port status optional-parameter)}}. The function should return non-@code{nil} if the connection should proceed and @code{nil} otherwise. -Below is a list of the checks done on the @code{medium} level. +Below is a list of the checks done on the default @code{medium} level. @table @asis 
@@ -374,8 +375,8 @@ connection to be encrypted. If the connection isn't encrypted, @item Diffie-Hellman low prime bits When doing the public key exchange, the number of prime bits should be -high to ensure that the channel can't be eavesdropped on by third -parties. If this number is too low, you will be warned. (This is the +high enough to ensure that the channel can't be eavesdropped on by third +parties. If this number is too low, Emacs will warn you. (This is the @code{diffie-hellman-prime-bits} check in @code{network-security-protocol-checks}). @@ -136,12 +136,15 @@ of what checks to run via the `network-security-protocol-checks' variable. +++ -** Most of the checks for outdated, believed-to-be-weak TLS algorithms -and ciphers are now switched on by default. To get the old behaviour -back (where certificates are checked for validity, but no warnings -about weak cryptography are issued), you can either set -`network-security-protocol-checks' to nil, or adjust the elements in -that variable to only happen on the `high' security level. +** TLS connections have their security tightened by default. +Most of the checks for outdated, believed-to-be-weak TLS algorithms +and ciphers are now switched on by default. By default, the NSM will +flag connections using these weak algorithms and ask users whether to +allow them. To get the old behavior back (where certificates are +checked for validity, but no warnings about weak cryptography are +issued), you can either set 'network-security-protocol-checks' to nil, +or adjust the elements in that variable to only happen on the 'high' +security level (assuming you use the 'medium' level). +++ ** New function 'fill-polish-nobreak-p', to be used in 'fill-nobreak-predicate'. diff --git a/src/gnutls.c b/src/gnutls.c index dfbbecfc870..d7a4ee474f7 100644 --- a/src/gnutls.c +++ b/src/gnutls.c 
@@ -1217,7 +1217,7 @@ The return value is a property list with top-level keys :warnings and The :warnings entry is a list of symbols you can get a description of with `gnutls-peer-status-warning-describe', and :certificates is the certificate chain for the connection, with the host certificate -first, and intermediary certificates (if any) follow. +first, and intermediary certificates (if any) following it. In addition, for backwards compatibility, the host certificate is also returned as the :certificate entry. */) |
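Review bot: in the first doc/emacs/misc.texi hunk (@@ -315,26 +315,27 @@) the unchanged context line "The protocol network checks is controlled via the @code{network-security-protocol-checks} variable." keeps a subject-verb disagreement and an inverted noun phrase even though the surrounding paragraph is being reworded; since the hunk already touches both neighbouring lines, it would be natural to also change it to "These network protocol checks are controlled via the @code{network-security-protocol-checks} variable." The nearby unchanged "being called like thus:" reads awkwardly as well; "being called like this:" would match the register of the rest of the rewrite.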
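Review bot: in the etc/NEWS hunk (@@ -136,12 +136,15 @@) the new parenthetical "(assuming you use the 'medium' level)" leaves the reader to work out whether that is the default; the misc.texi hunk in this same commit now says "the checks done on the default @code{medium} level", so writing "(assuming you use the default 'medium' level)" would keep the two documents consistent and tell users of an unchanged configuration that the new behavior applies to them.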