Add SHA1 warnings for high network security settings

* nsm.el (nsm-check-protocol): When using high security, warn about SHA1 certificates, which are now believed to be open to spoofing.
2016-01-03 10:41:51 +01:00 · 2016-01-03 10:41:51 +01:00 · 1da116f8ec
commit 1da116f8ec
parent e48bacd9d1
1 changed files with 12 additions and 1 deletions
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@ -183,7 +183,9 @@ unencrypted."

 (defun nsm-check-protocol (process host port status settings)
  (let ((prime-bits (plist-get status :diffie-hellman-prime-bits))
-	(encryption (format "%s-%s-%s"
+        (signature-algorithm
+         (plist-get (plist-get status :certificate) :signature-algorithm))
+        (encryption (format "%s-%s-%s"
 			    (plist-get status :key-exchange)
 			    (plist-get status :cipher)
 			    (plist-get status :mac)))
@ -209,6 +211,15 @@ unencrypted."
 	     host port encryption)))
      (delete-process process)
      nil)
+     ((and (string-match "\\bSHA1\\b" signature-algorithm)
+	   (not (memq :signature-sha1 (plist-get settings :conditions)))
+	   (not
+	    (nsm-query
+	     host port status :signature-sha1
+	     "The certificate used to verify the connectio to %s:%s uses the SHA1 algorithm (%s), which is believed to be unsafe."
+	     host port signature-algorithm)))
+      (delete-process process)
+      nil)
     ((and protocol
 	   (string-match "SSL" protocol)
 	   (not (memq :ssl (plist-get settings :conditions)))