procyberian/emacs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Make NSM warn for TLS 1.1

Browse source 
* lisp/net/nsm.el (nsm-protocol-check--version): Warn also for
TLS 1.1.  Update docstring.
This commit is contained in:
Stefan Kangas 2025-01-17 12:19:21 +01:00
parent f7ff5f1ba4
commit 965e50e3ae
2 changed files with 15 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
etc/NEWS
View file

@ -90,7 +90,12 @@ If you have been using these variables in Lisp code (for example, in
font-lock rules), simply quote the symbol, to use the face directly
instead of its now-obsolete variable.
** Network Security Manager now warns about DHE key exchange by default.
** Network Security Manager (NSM) is now more strict.
*** NSM warns about TLS 1.1 by default.
It has been deprecated by RFC8996, published in 2021.
*** NSM warns about DHE key exchange by default.
Emacs now warns about ephemeral Diffie-Hellman key exchanges also when
'network-security-level' is customized to its default 'medium' value.

14
lisp/net/nsm.el
View file

@ -700,9 +700,10 @@ Security (DTLS)\", `https://tools.ietf.org/html/rfc7525'"
(defun nsm-protocol-check--version (_host _port status &optional _settings)
"Check for SSL/TLS protocol version.
This function guards against the usage of SSL3.0, which has been
deprecated by RFC7568[1], and TLS 1.0, which has been deprecated
by PCI DSS[2].
This function guards against the usage of SSL3.0, TLS 1.0, and TLS 1.1.
- SSL 3.0 has been deprecated by RFC7568[1].
- TLS 1.0 has been deprecated by PCI DSS[2], and later by RFC8996[3].
- TLS 1.1 has been deprecated by RFC8996[3].
References:
@ -710,12 +711,15 @@ References:
Sockets Layer Version 3.0\", `https://tools.ietf.org/html/rfc7568'
[2]: PCI Security Standards Council (2016). \"Migrating from SSL and
Early TLS\"
`https://www.pcisecuritystandards.org/documents/Migrating-from-SSL-Early-TLS-Info-Supp-v1_1.pdf'"
`https://docs-prv.pcisecuritystandards.org/Guidance%20Document/SSL%20TLS/Migrating_from_SSL_and_Early_TLS_-v12.pdf'
[3]: Moriarty, Farrell (2021). \"Deprecating TLS 1.0 and TLS 1.1\"
`https://tools.ietf.org/html/rfc7568'
"
(let ((protocol (plist-get status :protocol)))
(and protocol
(or (string-match "SSL" protocol)
(and (string-match "TLS1.\\([0-9]+\\)" protocol)
(< (string-to-number (match-string 1 protocol)) 1)))
(< (string-to-number (match-string 1 protocol)) 2)))
(format-message
"%s protocol is deprecated by standard bodies"
protocol))))