Make NSM warn on `high' for older protocols, and document

* doc/emacs/misc.texi (Network Security): Mention the new protocol-level
`high' NSM checks.

(nsm-check-protocol): Also warn if using SSL3 or older.

2 files changed, 13 insertions, 1 deletions

diff --git a/lisp/ChangeLog b/lisp/ChangeLog
index c109bc7cab6..2669e07cd15 100644
--- a/lisp/ChangeLog
+++ b/lisp/ChangeLog
@@ -3,6 +3,7 @@
         * net/nsm.el (nsm-check-protocol): Test for RC4 on `high'.
         (nsm-format-certificate): Include more data about the connection.
         (nsm-query): Fill the text to that it looks nicer.
+        (nsm-check-protocol): Also warn if using SSL3 or older.
 
 2014-12-08  Stefan Monnier  <monnier@iro.umontreal.ca>
 
diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index d1de1288ca6..2306894cde3 100644
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -181,7 +181,8 @@ unencrypted."
         (encryption (format "%s-%s-%s"
                             (plist-get status :key-exchange)
                             (plist-get status :cipher)
-                            (plist-get status :mac))))
+                            (plist-get status :mac)))
+        (protocol (plist-get status :protocol)))
     (cond
      ((and prime-bits
            (< prime-bits 1024)
@@ -203,6 +204,16 @@ unencrypted."
              host port encryption)))
       (delete-process process)
       nil)
+     ((and protocol
+           (string-match "SSL" protocol)
+           (not (memq :ssl (plist-get settings :conditions)))
+           (not
+            (nsm-query
+             host port status :ssl
+             "The connection to %s:%s uses the %s protocol, which is believed to be unsafe."
+             host port protocol)))
+      (delete-process process)
+      nil)
      (t
       process))))