authorLars Ingebrigtsen2018-06-24 22:57:27 +0200
committerLars Ingebrigtsen2018-06-24 22:57:27 +0200
commit5a285a4db97d88cfd7a2320e33542a0afe695665 (patch)
tree11de5284a3d79f070db4ab797b995ae74a737448 /lisp
parentfea8c7d181babe6de7daedfef07b291f8dda2322 (diff)
downloademacs-5a285a4db97d88cfd7a2320e33542a0afe695665.tar.gz
emacs-5a285a4db97d88cfd7a2320e33542a0afe695665.zip
Make more TLS checks trigger on the default `medium' level
* doc/emacs/misc.texi (Network Security): Update the doc to say what's on the different levels. * lisp/net/nsm.el (nsm-protocol-check--intermediary-sha1): Check intermediary certificates for SHA1. (nsm-protocol-check--3des): Check for 3DES ciphers. (network-security-protocol-checks): Put most of the checks on `medium'.
Diffstat (limited to 'lisp')
-rw-r--r--lisp/net/nsm.el32
1 files changed, 28 insertions, 4 deletions
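--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -182,10 +182,12 @@ unencrypted."
  process))))))
 
 (defvar network-security-protocol-checks
-  '((diffie-hellman-prime-bits high 1024)
-  (rc4 high)
-  (signature-sha1 high)
-  (ssl high))
+  '((diffie-hellman-prime-bits medium 1024)
+  (rc4 medium)
+  (signature-sha1 medium)
+  (intermediary-sha1 medium)
+  (3des high)
+  (ssl medium))
  "This variable specifies what TLS connection checks to perform.
 It's an alist where the first element is the name of the check,
 the second is the security level where the check kicks in, and the
@@ -230,6 +232,13 @@ HOST PORT STATUS OPTIONAL-PARAMETER.")
  "The Diffie-Hellman prime bits (%s) used for this connection to %s:%s is less than what is considered safe (%s)."
  prime-bits host port bits))))
 
+(defun nsm-protocol-check--3des (host port status _)
+  (or (not (string-match "\\b3DES\\b" (plist-get status :cipher)))
+  (nsm-query
+  host port status :rc4
+  "The connection to %s:%s uses the 3DES cipher (%s), which is believed to be unsafe."
+  host port (plist-get status :cipher))))
+
 (defun nsm-protocol-check--rc4 (host port status _)
  (or (not (string-match "\\bRC4\\b" (nsm--encryption status)))
  (nsm-query
@@ -246,6 +255,21 @@ HOST PORT STATUS OPTIONAL-PARAMETER.")
  "The certificate used to verify the connection to %s:%s uses the SHA1 algorithm (%s), which is believed to be unsafe."
  host port signature-algorithm))))
 
+(defun nsm-protocol-check--intermediary-sha1 (host port status _)
+  ;; We want to check all intermediary certificates, so we skip the
+  ;; first, reverse the list and then skip the first again, so we miss
+  ;; the first and final certificates in the chain.
+  (cl-loop for certificate in (cdr (reverse
+  (cdr (plist-get status :certificates))))
+  for algo = (plist-get certificate :signature-algorithm)
+  when (and (string-match "\\bSHA1\\b" algo)
+  (not (nsm-query
+  host port status :signature-sha1
+  "An intermediary certificate used to verify the connection to %s:%s uses the SHA1 algorithm (%s), which is believed to be unsafe."
+  host port algo)))
+  do (cl-return nil)
+  finally (cl-return t)))
+
 (defun nsm-protocol-check--ssl (host port status _)
  (let ((protocol (plist-get status :protocol)))
  (or (not protocol)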
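Review bot: nsm-protocol-check--3des (second hunk, new line 238) passes `:rc4` as the nsm-query identifier instead of one of its own, so if nsm-query keys a remembered per-host decision on that identifier, as the per-check keywords elsewhere in this file suggest, a previously accepted RC4 warning would also silence the 3DES warning and a 3DES acceptance would be recorded under the RC4 check; it should read `host port status :3des`. The same function fetches the cipher with `(plist-get status :cipher)` while the adjacent rc4 check uses `(nsm--encryption status)`; if `:cipher` can be absent from STATUS, `string-match` signals on nil, so going through the same accessor as the rc4 check would keep the two consistent and avoid that. In nsm-protocol-check--intermediary-sha1 (third hunk) the `:signature-sha1` identifier is likewise shared with the leaf-certificate check, so a saved acceptance of one presumably covers the other, and `(string-match "\\bSHA1\\b" algo)` is unguarded against a certificate plist that lacks `:signature-algorithm`; a `(and algo ...)` guard or a distinct `:intermediary-sha1` key would be worth considering.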