emacs-devel

Re: A couple of questions and concerns about Emacs network security


From: Jimmy Yuen Ho Wong
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sun, 24 Jun 2018 18:10:13 +0100
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.8.0

I have just been looking at how to add OCSP as well, I noticed
`gnutls-boot` already accepts `:crlfiles`, I have a `gnutls.el` patch
that'll supply it to `gnutls-boot-parameters`. I'm testing it now, but
I'm having a bit of trouble generating a CRL in PEM. Anyway, do you
think it's worth it as a quick win to include in either master or 26.2
if it works?


On 24/06/2018 17:57, Lars Ingebrigtsen wrote:
> Eli Zaretskii <address@hidden> writes:
>
>> When the changes are pushed to master, we could look at them and
>> consider whether they (or some of their parts) are safe enough for
>> emacs-26.
> Yup.
>
> I'm going through the current recommendations for TLS security, and most
> of them are straightforward and require just some added NSM checks.
> However, the check for intermediary sha1 certificates requires a
> C-level change: gnutls.c doesn't expose to Lisp the certificate chain,
> so I'll have to add that, too.
>
> It's not a complicated addition, but it's C level, so you'll have to
> decide whether something that has the potential for crashing Emacs is
> worth the risk for Emacs 26.2.  But I guess we'll see once I've
> implemented this (hopefully next week).
>
