Add SHA1 warnings for high network security settings

* nsm.el (nsm-check-protocol): When using high security, warn
about SHA1 certificates, which are now believed to be open to
spoofing.

1 files changed, 12 insertions, 1 deletions

diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index 31f2b32792f..dadf0b9d212 100644
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -183,7 +183,9 @@ unencrypted."
 
 (defun nsm-check-protocol (process host port status settings)
   (let ((prime-bits (plist-get status :diffie-hellman-prime-bits))
-        (encryption (format "%s-%s-%s"
+        (signature-algorithm
+         (plist-get (plist-get status :certificate) :signature-algorithm))
+        (encryption (format "%s-%s-%s"
                             (plist-get status :key-exchange)
                             (plist-get status :cipher)
                             (plist-get status :mac)))
@@ -209,6 +211,15 @@ unencrypted."
              host port encryption)))
       (delete-process process)
       nil)
+     ((and (string-match "\\bSHA1\\b" signature-algorithm)
+           (not (memq :signature-sha1 (plist-get settings :conditions)))
+           (not
+            (nsm-query
+             host port status :signature-sha1
+             "The certificate used to verify the connectio to %s:%s uses the SHA1 algorithm (%s), which is believed to be unsafe."
+             host port signature-algorithm)))
+      (delete-process process)
+      nil)
      ((and protocol
            (string-match "SSL" protocol)
            (not (memq :ssl (plist-get settings :conditions)))