Make more TLS checks trigger on the default `medium' level

* doc/emacs/misc.texi (Network Security): Update the doc to say what's on the different levels. * lisp/net/nsm.el (nsm-protocol-check--intermediary-sha1): Check intermediary certificates for SHA1. (nsm-protocol-check--3des): Check for 3DES ciphers. (network-security-protocol-checks): Put most of the checks on `medium'.
author: Lars Ingebrigtsen 2018-06-24 22:57:27 +0200
committer: Lars Ingebrigtsen 2018-06-24 22:57:27 +0200
commit: 5a285a4db97d88cfd7a2320e33542a0afe695665 (patch)
tree: 11de5284a3d79f070db4ab797b995ae74a737448 /lisp
parent: fea8c7d181babe6de7daedfef07b291f8dda2322 (diff)
download: emacs-5a285a4db97d88cfd7a2320e33542a0afe695665.tar.gz
emacs-5a285a4db97d88cfd7a2320e33542a0afe695665.zip
1 files changed, 28 insertions, 4 deletions
diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index 97bfc7d62f1..2c4f8bf5ed5 100644
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -182,10 +182,12 @@ unencrypted."
          process))))))
 (defvar network-security-protocol-checks
-  '((diffie-hellman-prime-bits high 1024)
+  '((diffie-hellman-prime-bits medium 1024)
-    (rc4 high)
+    (rc4 medium)
-    (signature-sha1 high)
+    (signature-sha1 medium)
-    (ssl high))
+    (intermediary-sha1 medium)
+    (3des high)
+    (ssl medium))
  "This variable specifies what TLS connection checks to perform.
 It's an alist where the first element is the name of the check,
 the second is the security level where the check kicks in, and the
@@ -230,6 +232,13 @@ HOST PORT STATUS OPTIONAL-PARAMETER.")
         "The Diffie-Hellman prime bits (%s) used for this connection to %s:%s is less than what is considered safe (%s)."
         prime-bits host port bits))))
+(defun nsm-protocol-check--3des (host port status _)
+  (or (not (string-match "\\b3DES\\b" (plist-get status :cipher)))
+      (nsm-query
+       host port status :rc4
+       "The connection to %s:%s uses the 3DES cipher (%s), which is believed to be unsafe."
+       host port (plist-get status :cipher))))
 (defun nsm-protocol-check--rc4 (host port status _)
  (or (not (string-match "\\bRC4\\b" (nsm--encryption status)))
      (nsm-query
@@ -246,6 +255,21 @@ HOST PORT STATUS OPTIONAL-PARAMETER.")
         "The certificate used to verify the connection to %s:%s uses the SHA1 algorithm (%s), which is believed to be unsafe."
         host port signature-algorithm))))
+(defun nsm-protocol-check--intermediary-sha1 (host port status _)
+  ;; We want to check all intermediary certificates, so we skip the
+  ;; first, reverse the list and then skip the first again, so we miss
+  ;; the first and final certificates in the chain.
+  (cl-loop for certificate in (cdr (reverse
+                                    (cdr (plist-get status :certificates))))
+           for algo = (plist-get certificate :signature-algorithm)
+           when (and (string-match "\\bSHA1\\b" algo)
+                     (not (nsm-query
+                           host port status :signature-sha1
+                           "An intermediary certificate used to verify the connection to %s:%s uses the SHA1 algorithm (%s), which is believed to be unsafe."
+                           host port algo)))
+           do (cl-return nil)
+           finally (cl-return t)))
 (defun nsm-protocol-check--ssl (host port status _)
  (let ((protocol (plist-get status :protocol)))
    (or (not protocol)
author	Lars Ingebrigtsen	2018-06-24 22:57:27 +0200
committer	Lars Ingebrigtsen	2018-06-24 22:57:27 +0200
commit	5a285a4db97d88cfd7a2320e33542a0afe695665 (patch)
tree	11de5284a3d79f070db4ab797b995ae74a737448 /lisp
parent	fea8c7d181babe6de7daedfef07b291f8dda2322 (diff)
download	emacs-5a285a4db97d88cfd7a2320e33542a0afe695665.tar.gz emacs-5a285a4db97d88cfd7a2320e33542a0afe695665.zip

diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el index 97bfc7d62f1..2c4f8bf5ed5 100644 --- a/lisp/net/nsm.el +++ b/lisp/net/nsm.el
@@ -182,10 +182,12 @@ unencrypted."
182	process))))))	182	process))))))
183		183
184	(defvar network-security-protocol-checks	184	(defvar network-security-protocol-checks
185	'((diffie-hellman-prime-bits high 1024)	185	'((diffie-hellman-prime-bits medium 1024)
186	(rc4 high)	186	(rc4 medium)
187	(signature-sha1 high)	187	(signature-sha1 medium)
188	(ssl high))	188	(intermediary-sha1 medium)
		189	(3des high)
		190	(ssl medium))
189	"This variable specifies what TLS connection checks to perform.	191	"This variable specifies what TLS connection checks to perform.
190	It's an alist where the first element is the name of the check,	192	It's an alist where the first element is the name of the check,
191	the second is the security level where the check kicks in, and the	193	the second is the security level where the check kicks in, and the
@@ -230,6 +232,13 @@ HOST PORT STATUS OPTIONAL-PARAMETER.")
230	"The Diffie-Hellman prime bits (%s) used for this connection to %s:%s is less than what is considered safe (%s)."	232	"The Diffie-Hellman prime bits (%s) used for this connection to %s:%s is less than what is considered safe (%s)."
231	prime-bits host port bits))))	233	prime-bits host port bits))))
232		234
		235	(defun nsm-protocol-check--3des (host port status _)
		236	(or (not (string-match "\\b3DES\\b" (plist-get status :cipher)))
		237	(nsm-query
		238	host port status :rc4
		239	"The connection to %s:%s uses the 3DES cipher (%s), which is believed to be unsafe."
		240	host port (plist-get status :cipher))))
		241
233	(defun nsm-protocol-check--rc4 (host port status _)	242	(defun nsm-protocol-check--rc4 (host port status _)
234	(or (not (string-match "\\bRC4\\b" (nsm--encryption status)))	243	(or (not (string-match "\\bRC4\\b" (nsm--encryption status)))
235	(nsm-query	244	(nsm-query
@@ -246,6 +255,21 @@ HOST PORT STATUS OPTIONAL-PARAMETER.")
246	"The certificate used to verify the connection to %s:%s uses the SHA1 algorithm (%s), which is believed to be unsafe."	255	"The certificate used to verify the connection to %s:%s uses the SHA1 algorithm (%s), which is believed to be unsafe."
247	host port signature-algorithm))))	256	host port signature-algorithm))))
248		257
		258	(defun nsm-protocol-check--intermediary-sha1 (host port status _)
		259	;; We want to check all intermediary certificates, so we skip the
		260	;; first, reverse the list and then skip the first again, so we miss
		261	;; the first and final certificates in the chain.
		262	(cl-loop for certificate in (cdr (reverse
		263	(cdr (plist-get status :certificates))))
		264	for algo = (plist-get certificate :signature-algorithm)
		265	when (and (string-match "\\bSHA1\\b" algo)
		266	(not (nsm-query
		267	host port status :signature-sha1
		268	"An intermediary certificate used to verify the connection to %s:%s uses the SHA1 algorithm (%s), which is believed to be unsafe."
		269	host port algo)))
		270	do (cl-return nil)
		271	finally (cl-return t)))
		272
249	(defun nsm-protocol-check--ssl (host port status _)	273	(defun nsm-protocol-check--ssl (host port status _)
250	(let ((protocol (plist-get status :protocol)))	274	(let ((protocol (plist-get status :protocol)))
251	(or (not protocol)	275	(or (not protocol)