diff options
| author | Lars Magne Ingebrigtsen <larsi@gnus.org> | 2014-12-08 22:51:54 +0100 |
|---|---|---|
| committer | Lars Magne Ingebrigtsen <larsi@gnus.org> | 2014-12-08 22:51:54 +0100 |
| commit | e9aaf969661d134fa7e1548817fc9a05fa6b1bfb (patch) | |
| tree | cfb992af0e59242250b2d328224006249216f86f | |
| parent | be6767d59b9f984ee28d444aada0ecdd0245ec6e (diff) | |
| download | emacs-e9aaf969661d134fa7e1548817fc9a05fa6b1bfb.tar.gz | |
Make NSM warn on `high' for older protocols, and document
* doc/emacs/misc.texi (Network Security): Mention the new protocol-level
`high' NSM checks.
(nsm-check-protocol): Also warn if using SSL3 or older.
| -rw-r--r-- | doc/emacs/ChangeLog | 5 | ||||
| -rw-r--r-- | doc/emacs/misc.texi | 14 | ||||
| -rw-r--r-- | lisp/ChangeLog | 1 | ||||
| -rw-r--r-- | lisp/net/nsm.el | 13 |
4 files changed, 32 insertions, 1 deletions
diff --git a/doc/emacs/ChangeLog b/doc/emacs/ChangeLog index 458a4782ffe..d969b8e2b07 100644 --- a/doc/emacs/ChangeLog +++ b/doc/emacs/ChangeLog @@ -1,3 +1,8 @@ +2014-12-08 Lars Magne Ingebrigtsen <larsi@gnus.org> + + * misc.texi (Network Security): Mention the new protocol-level + `high' NSM checks. + 2014-12-08 Eric S. Raymond <esr@snark.thyrsus.com> * maintaining.texi: Suopport fo Arch has been moved to obolte, diff --git a/doc/emacs/misc.texi b/doc/emacs/misc.texi index 39632cbe077..39433056f15 100644 --- a/doc/emacs/misc.texi +++ b/doc/emacs/misc.texi @@ -329,6 +329,20 @@ to be concerned about. However, if you are worried that your network connections are being hijacked by agencies who have access to pliable Certificate Authorities which issue new certificates for third-party services, you may want to keep track of these changes. + +@item Diffie-Hellman low prime bits +When doing the public key exchange, the number of ``prime bits'' +should be high to ensure that the channel can't be eavesdropped on by +third parties. If this number is too low, you will be warned. + +@item @acronym{RC4} stream cipher +The @acronym{RC4} stream cipher is believed to be of low quality and +may allow eavesdropping by third parties. + +@item @acronym{SSL1}, @acronym{SSL2} and @acronym{SSL3} +The protocols older than @acronym{TLS1.0} are believed to be +vulnerable to a variety of attacks, and you may want to avoid using +these if what you're doing requires higher security. @end table Finally, if @code{network-security-level} is @code{paranoid}, you will diff --git a/lisp/ChangeLog b/lisp/ChangeLog index c109bc7cab6..2669e07cd15 100644 --- a/lisp/ChangeLog +++ b/lisp/ChangeLog @@ -3,6 +3,7 @@ * net/nsm.el (nsm-check-protocol): Test for RC4 on `high'. (nsm-format-certificate): Include more data about the connection. (nsm-query): Fill the text to that it looks nicer. + (nsm-check-protocol): Also warn if using SSL3 or older. 2014-12-08 Stefan Monnier <monnier@iro.umontreal.ca> diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el index d1de1288ca6..2306894cde3 100644 --- a/lisp/net/nsm.el +++ b/lisp/net/nsm.el @@ -181,7 +181,8 @@ unencrypted." (encryption (format "%s-%s-%s" (plist-get status :key-exchange) (plist-get status :cipher) - (plist-get status :mac)))) + (plist-get status :mac))) + (protocol (plist-get status :protocol))) (cond ((and prime-bits (< prime-bits 1024) @@ -203,6 +204,16 @@ unencrypted." host port encryption))) (delete-process process) nil) + ((and protocol + (string-match "SSL" protocol) + (not (memq :ssl (plist-get settings :conditions))) + (not + (nsm-query + host port status :ssl + "The connection to %s:%s uses the %s protocol, which is believed to be unsafe." + host port protocol))) + (delete-process process) + nil) (t process)))) |