| -rw-r--r-- | lisp/net/nsm.el | 13 |
1 files changed, 7 insertions, 6 deletions
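--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -256,13 +256,14 @@ HOST PORT STATUS OPTIONAL-PARAMETER.")
 host port signature-algorithm))))
 
 (defun nsm-protocol-check--intermediary-sha1 (host port status _)
-;; We want to check all intermediary certificates, so we skip the
-;; first, reverse the list and then skip the first again, so we miss
-;; the first and final certificates in the chain.
-(cl-loop for certificate in (cdr (reverse
-(cdr (plist-get status :certificates))))
+;; Skip the first certificate, because that's the host certificate.
+(cl-loop for certificate in (cdr (plist-get status :certificates))
 for algo = (plist-get certificate :signature-algorithm)
-when (and (string-match "\\bSHA1\\b" algo)
+;; Don't check root certificates -- SHA1 isn't dangerous
+;; there.
+when (and (not (equal (plist-get certificate :issuer)
+(plist-get certificate :subject)))
+(string-match "\\bSHA1\\b" algo)
 (not (nsm-query
 host port status :signature-sha1
 "An intermediary certificate used to verify the connection to %s:%s uses the SHA1 algorithm (%s), which is believed to be unsafe."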
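Review bot: The new `(equal :issuer :subject)` test on new lines 264-265 identifies a self-signed certificate, not a trust anchor, and the comment above it should say so: the reason SHA1 is harmless there is that a self-signature is never verified by the client, whereas a cross-signed root (issuer differs from subject) sent in the chain is correctly still checked. Suggested wording: `;; Skip self-signed certificates: their own signature is never verified, so SHA1 there is harmless.` Note also that the comparison is a plain string equality of however GnuTLS rendered the two DNs; if the renderings ever differ for the same name the cert is merely checked rather than skipped, so the failure mode is a spurious prompt, not a silent pass. The old code also skipped the last cert in the chain, which for servers that omit the root was often a real intermediate, so the new loop closes that gap. The `nsm-query` call and the enclosing defun continue past the end of this hunk.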