Implement a Network Security Manager

* processes.texi (Network): Mention the new :warn-unless-encrypted parameter to `open-network-stream'. (Network): Mention the Network Security Manager. * net/nsm.el: New file that implements a Network Security Manager. * net/network-stream.el (open-network-stream): Add a new :warn-unless-encrypted parameter. (network-stream-open-plain): Allow warning unless encrypted. (network-stream-open-starttls): Call the Network Security Manager. (network-stream-open-tls): Ditto.
author: Lars Magne Ingebrigtsen 2014-11-23 14:56:43 +0100
committer: Lars Magne Ingebrigtsen 2014-11-23 14:56:43 +0100
commit: 4c298b2a73bda5ad99c1a7c2428b0db91e950820 (patch)
tree: 9cbec90cbac94adbe863a5bab50429dbb513ae4e /doc
parent: a85950469e6fc045de6157f9ad739e28f30ecd8d (diff)
download: emacs-4c298b2a73bda5ad99c1a7c2428b0db91e950820.tar.gz
emacs-4c298b2a73bda5ad99c1a7c2428b0db91e950820.zip
2 files changed, 33 insertions, 0 deletions
diff --git a/doc/lispref/ChangeLog b/doc/lispref/ChangeLog
index 0c8792af81f..5cc85aa60dc 100644
--- a/doc/lispref/ChangeLog
+++ b/doc/lispref/ChangeLog
@@ -1,3 +1,9 @@
+2014-11-23  Lars Magne Ingebrigtsen  <larsi@gnus.org>
+        * processes.texi (Network): Mention the new :warn-unless-encrypted
+        parameter to `open-network-stream'.
+        (Network): Mention the Network Security Manager.
 2014-11-21  Ulf Jasper  <ulf.jasper@web.de>
        * text.texi (Parsing HTML/XML): Document new optional parameter
diff --git a/doc/lispref/processes.texi b/doc/lispref/processes.texi
index db80f0537e0..48429e6fd93 100644
--- a/doc/lispref/processes.texi
+++ b/doc/lispref/processes.texi
@@ -2041,6 +2041,12 @@ Regular expression matching a successful @acronym{STARTTLS} negotiation.
 If non-@code{nil}, do opportunistic @acronym{STARTTLS} upgrades even if Emacs
 doesn't have built-in @acronym{TLS} support.
+@item :warn-unless-encrypted @var{boolean}
+If non-@code{nil}, and @code{:return-value} is also non-@code{nil},
+Emacs will warn if the connection isn't encrypted.  This is useful for
+protocols like @acronym{IMAP} and the like, where most users would
+expect the network traffic to be encrypted.
 @item :client-certificate @var{list-or-t}
 Either a list of the form @code{(@var{key-file} @var{cert-file})},
 naming the certificate key file and certificate file itself, or
@@ -2066,6 +2072,27 @@ The connection type: @samp{plain} or @samp{tls}.
 @end defun
+@cindex Network Security Manager
+After establishing the connection, the connection is then passed on to
+the Network Security Manager (@acronym{NSM}).  If the connection is a
+@acronym{TLS} or @acronym{STARTTLS} connection, the @acronym{NSM} will
+check whether the certificate used to establish the identity of the
+server we're connecting to can be verified.  If this can't be done,
+the @acronym{NSM} will query the user whether to proceed with the
+connection.
+The user is given the choice of registering a permanent security
+exception, a temporary one, or whether to refuse the connection
+entirely.
+If the connection is unencrypted, but it was encrypted in previous
+sessions, the user will also be notified about this.
+@vindex nsm-security-level
+The @code{nsm-security-level} variable determines the security level.
+If this is @code{low}, no security checks are performed.
 @node Network Servers
 @section Network Servers
 @cindex network servers
author	Lars Magne Ingebrigtsen	2014-11-23 14:56:43 +0100
committer	Lars Magne Ingebrigtsen	2014-11-23 14:56:43 +0100
commit	4c298b2a73bda5ad99c1a7c2428b0db91e950820 (patch)
tree	9cbec90cbac94adbe863a5bab50429dbb513ae4e /doc
parent	a85950469e6fc045de6157f9ad739e28f30ecd8d (diff)
download	emacs-4c298b2a73bda5ad99c1a7c2428b0db91e950820.tar.gz emacs-4c298b2a73bda5ad99c1a7c2428b0db91e950820.zip

diff --git a/doc/lispref/ChangeLog b/doc/lispref/ChangeLog index 0c8792af81f..5cc85aa60dc 100644 --- a/doc/lispref/ChangeLog +++ b/doc/lispref/ChangeLog
@@ -1,3 +1,9 @@
		1	2014-11-23 Lars Magne Ingebrigtsen <larsi@gnus.org>
		2
		3	* processes.texi (Network): Mention the new :warn-unless-encrypted
		4	parameter to `open-network-stream'.
		5	(Network): Mention the Network Security Manager.
		6
1	2014-11-21 Ulf Jasper <ulf.jasper@web.de>	7	2014-11-21 Ulf Jasper <ulf.jasper@web.de>
2		8
3	* text.texi (Parsing HTML/XML): Document new optional parameter	9	* text.texi (Parsing HTML/XML): Document new optional parameter


diff --git a/doc/lispref/processes.texi b/doc/lispref/processes.texi index db80f0537e0..48429e6fd93 100644 --- a/doc/lispref/processes.texi +++ b/doc/lispref/processes.texi
@@ -2041,6 +2041,12 @@ Regular expression matching a successful @acronym{STARTTLS} negotiation.
2041	If non-@code{nil}, do opportunistic @acronym{STARTTLS} upgrades even if Emacs	2041	If non-@code{nil}, do opportunistic @acronym{STARTTLS} upgrades even if Emacs
2042	doesn't have built-in @acronym{TLS} support.	2042	doesn't have built-in @acronym{TLS} support.
2043		2043
		2044	@item :warn-unless-encrypted @var{boolean}
		2045	If non-@code{nil}, and @code{:return-value} is also non-@code{nil},
		2046	Emacs will warn if the connection isn't encrypted. This is useful for
		2047	protocols like @acronym{IMAP} and the like, where most users would
		2048	expect the network traffic to be encrypted.
		2049
2044	@item :client-certificate @var{list-or-t}	2050	@item :client-certificate @var{list-or-t}
2045	Either a list of the form @code{(@var{key-file} @var{cert-file})},	2051	Either a list of the form @code{(@var{key-file} @var{cert-file})},
2046	naming the certificate key file and certificate file itself, or	2052	naming the certificate key file and certificate file itself, or
@@ -2066,6 +2072,27 @@ The connection type: @samp{plain} or @samp{tls}.
2066		2072
2067	@end defun	2073	@end defun
2068		2074
		2075	@cindex Network Security Manager
		2076	After establishing the connection, the connection is then passed on to
		2077	the Network Security Manager (@acronym{NSM}). If the connection is a
		2078	@acronym{TLS} or @acronym{STARTTLS} connection, the @acronym{NSM} will
		2079	check whether the certificate used to establish the identity of the
		2080	server we're connecting to can be verified. If this can't be done,
		2081	the @acronym{NSM} will query the user whether to proceed with the
		2082	connection.
		2083
		2084	The user is given the choice of registering a permanent security
		2085	exception, a temporary one, or whether to refuse the connection
		2086	entirely.
		2087
		2088	If the connection is unencrypted, but it was encrypted in previous
		2089	sessions, the user will also be notified about this.
		2090
		2091	@vindex nsm-security-level
		2092	The @code{nsm-security-level} variable determines the security level.
		2093	If this is @code{low}, no security checks are performed.
		2094
		2095
2069	@node Network Servers	2096	@node Network Servers
2070	@section Network Servers	2097	@section Network Servers
2071	@cindex network servers	2098	@cindex network servers