Minor improvements in recent NSM documentation changes
* doc/emacs/misc.texi (Network Security): Improve wording and markup of last change.
* src/gnutls.c (Fgnutls_peer_status): Doc fix.
* etc/NEWS: Improve wording of last change.
This commit is contained in:
parent
c6de1f1592
commit
9c985a3d7a
3 changed files with 22 additions and 18 deletions
@ -315,26 +315,27 @@ unverified connection, a temporary exception, or refuse the connection
entirely.

@vindex network-security-protocol-checks
In addition to the basic certificate corrections checks,
several @acronym{TLS} algorithm checks are available. Some encryption
In addition to the basic certificate correctness checks, several
@acronym{TLS} algorithm checks are available. Some encryption
technologies that were previously thought to be secure have shown
themselves to be fragile, and Emacs will (by default) warn the users
about some of these problems.
themselves to be fragile, so Emacs (by default) warns you about some
of these problems.

The protocol network checks is controlled via the
@code{network-security-protocol-checks} variable.

It's an alist where the first element is the name of the check,
the second is the security level where the check kicks in, and the
optional third element is a parameter supplied to the check.
It's an alist where the first element of each association is the name
of the check, the second element is the security level where the check
should be used, and the optional third element is a parameter supplied
to the check.

An element like @code{(rc4 medium)} will result in the function
@code{nsm-protocol-check--rc4} being called like thus:
@code{(nsm-protocol-check--rc4 host port status optional-parameter)}.
@w{@code{(nsm-protocol-check--rc4 host port status optional-parameter)}}.
The function should return non-@code{nil} if the connection should
proceed and @code{nil} otherwise.

Below is a list of the checks done on the @code{medium} level.
Below is a list of the checks done on the default @code{medium} level.

@table @asis
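Review bot: the unchanged context line "The protocol network checks is controlled via the" still has a subject-verb mismatch ("checks is"); since this hunk already reworks the surrounding wording, changing it to "The protocol network checks are controlled via the" would be in scope. The same goes for "being called like thus:", which reads awkwardly; "called as follows:" is clearer. The @w{} wrapper around the example call is a good fix, since a line break inside the form would be confusing in the printed manual.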
@ -374,8 +375,8 @@ connection to be encrypted. If the connection isn't encrypted,

@item Diffie-Hellman low prime bits
When doing the public key exchange, the number of prime bits should be
high to ensure that the channel can't be eavesdropped on by third
parties. If this number is too low, you will be warned. (This is the
high enough to ensure that the channel can't be eavesdropped on by third
parties. If this number is too low, Emacs will warn you. (This is the
@code{diffie-hellman-prime-bits} check in
@code{network-security-protocol-checks}).
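Review bot: "If this number is too low" still gives the reader no threshold; since the previous hunk explains that the optional third element of an entry in network-security-protocol-checks is a parameter supplied to the check, it would help to state the default minimum bit count here, or at least to say that the minimum is adjustable through that element if that is what the parameter controls, so users can judge what "too low" means for their connections.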
15
etc/NEWS
@ -136,12 +136,15 @@ of what checks to run via the `network-security-protocol-checks'
variable.

+++
** Most of the checks for outdated, believed-to-be-weak TLS algorithms
and ciphers are now switched on by default. To get the old behaviour
back (where certificates are checked for validity, but no warnings
about weak cryptography are issued), you can either set
`network-security-protocol-checks' to nil, or adjust the elements in
that variable to only happen on the `high' security level.
** TLS connections have their security tightened by default.
Most of the checks for outdated, believed-to-be-weak TLS algorithms
and ciphers are now switched on by default. By default, the NSM will
flag connections using these weak algorithms and ask users whether to
allow them. To get the old behavior back (where certificates are
checked for validity, but no warnings about weak cryptography are
issued), you can either set 'network-security-protocol-checks' to nil,
or adjust the elements in that variable to only happen on the 'high'
security level (assuming you use the 'medium' level).

+++
** New function 'fill-polish-nobreak-p', to be used in 'fill-nobreak-predicate'.
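Review bot: "by default" appears in two consecutive sentences of the new entry ("are now switched on by default. By default, the NSM will flag ..."); one of them can go. "NSM" is also not expanded anywhere in this entry, so a reader who jumps straight to this NEWS item meets an unexplained acronym; "the Network Security Manager (NSM)" on first use would fix that. Finally, the parenthetical "(assuming you use the 'medium' level)" makes the advice depend on the user's security level without saying how to check or change it; a pointer to the variable that sets the level would make the entry self-contained.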
@ -1217,7 +1217,7 @@ The return value is a property list with top-level keys :warnings and
The :warnings entry is a list of symbols you can get a description of
with `gnutls-peer-status-warning-describe', and :certificates is the
certificate chain for the connection, with the host certificate
first, and intermediary certificates (if any) follow.
first, and intermediary certificates (if any) following it.

In addition, for backwards compatibility, the host certificate is also
returned as the :certificate entry. */)
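Review bot: "intermediary certificates" is nonstandard; the usual term is "intermediate certificates", and using it keeps the docstring consistent with TLS terminology and easier to search for. Since callers that walk the :certificates list depend on its order, it would also help to say whether the intermediates appear in signing order (each one followed by its issuer), because "following it" only fixes the position of the host certificate, not the order of the rest of the chain.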