diff options
| author | Jimmy Yuen Ho Wong <wyuenho@gmail.com> | 2018-07-10 14:20:09 +0100 |
|---|---|---|
| committer | Jimmy Yuen Ho Wong <wyuenho@gmail.com> | 2018-07-14 17:50:44 +0100 |
| commit | 534a3d5d3a99a6b86a47b3d91840ce8771ee0ae6 (patch) | |
| tree | 6d5b0271e6f248fea43fd434d05d630cda2ebaa1 /lisp/emacs-lisp | |
| parent | 023f4c60e9279b69be1dc7db83f69674ce1e1917 (diff) | |
| download | emacs-534a3d5d3a99a6b86a47b3d91840ce8771ee0ae6.tar.gz emacs-534a3d5d3a99a6b86a47b3d91840ce8771ee0ae6.tar.bz2 emacs-534a3d5d3a99a6b86a47b3d91840ce8771ee0ae6.zip | |
Revamp Network Security manager checks for TLS
* lisp/net/nsm.el (network-security-level, nsm-level,
nsm-new-fingerprint-ok-p): Remove `paranoid' level and related code.
* lisp/net/nsm.el (nsm-tls-checks, nsm-tls-check-version,
nsm-tls-check-compression, nsm-tls-check-renegotiation-info-ext,
nsm-tls-check-verify-cert, nsm-tls-check-same-cert,
nsm-tls-check-null-suite, nsm-tls-check-export-kx,
nsm-tls-check-anon-kx, nsm-tls-check-md5-sig,
nsm-tls-check-rc4-cipher, nsm-tls-check-dhe-prime-kx,
nsm-tls-check-sha1-sig, nsm-tls-check-ecdsa-cbc-cipher
nsm-tls-check-dhe-kx, nsm-tls-check-rsa-kx,
nsm-tls-check-3des-cipher, nsm-tls-check-cbc-cipher,
nsm-save-fingerprint-maybe, nsm-tls-post-check-functions): New
options and functions for checking TLS handshake problems.
* lisp/net/nsm.el (nsm-check-certificate,
network-security-protocol-checks,
nsm-protocol-check--diffie-hellman-prime-bits,
nsm-protocol-check--3des, nsm-protocol-check--rc4,
nsm-protocol-check--signature-sha1,
nsm-protocol-check--intermediate-sha1, nsm-protocol-check--ssl,
nsm-check-protocol): Remove in favor of `nsm-tls-checks' and
`nsm-tls-check-*' functions.
* lisp/net/nsm.el (nsm-verify-connection): Ensure connection is
checked even when `network-security-level' is `low'.
* lisp/net/nsm.el (nsm-check-tls-connection): Batch all problems found
before querying the user.
* lisp/net/nsm.el (nsm--encryption): Renamed to `nsm-cipher-suite'.
* lisp/net/nsm.el (nsm-fingerprint-ok-p): No longer prompt when
certificate fingerprints mismatch. Returns a boolean instead when
the fingerprint of the certificate received matches the saved
fingerprints.
* lisp/net/nsm.el (nsm-query): Change signature. Accepts a list of
problems and a preformatted message instead of just a message format
and the arguments for the message.
* lisp/net/nsm.el (nsm-query-user): Change signature. Accepts a
preformatted message and the peer status of the handshake instead of
a message format, its arguments and the certificate for the host.
* lisp/net/nsm.el (nsm-save-host): Change signature. Accepts a list of
problems after the WHAT parameter. Saves multiple fingerprints for
the same host in case the host load balances a TLS server with more
than one certificates signed with different keys. Makes sure
conditions are not removed when updating a fingerprint.
* lisp/net/nsm.el (nsm-format-certificate): Display the TLS handshake's
renegotiation info extension, compression level, encrypt-then-MAC
extension, and key exchange prime bit length.
* src/gnutls.c (gnutls-peer-status-warning-describe,
gnutls-peer-status): Check for certificate verification problems
introduced since GnuTLS 3.1.
* src/gnutls.c (gnutls-peer-status): `:compression', `:encrypt-then-mac'
and `:safe-renegotiation' are now contained in the peer status
result return value.
Diffstat (limited to 'lisp/emacs-lisp')
0 files changed, 0 insertions, 0 deletions