[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A couple of questions and concerns about Emacs network security

From: Robert Pluim
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Mon, 09 Jul 2018 15:09:29 +0200

Jimmy Yuen Ho Wong <address@hidden> writes:

>> Is your work on a git branch somewhere?
> It's on Github: https://github.com/wyuenho/emacs/tree/additional-nsm-checks
> Diff to master:
> https://github.com/emacs-mirror/emacs/compare/master...wyuenho:additional-nsm-checks
> You can just fork my fork and send over a PR.
> There's still a couple of things I need to do:
> 1. Implement `nsm-trust-local-network`
> 2. Remove that change in src/gnutls.h not needed for bug#31946 (this
> is from my OCSP stash still sitting on my machine)

It needs either removing or making it work with earlier versions of GnuTLS:

gnutls.c: In function ‘Fgnutls_peer_status’:
gnutls.c:1353:22: error: ‘GNUTLS_CERT_MISSING_OCSP_STATUS’ undeclared (first 
use in this function)

I have:

pkg-config --modversion gnutls 

I think the OCSP stuff is 3.6.something.

> 3. Write some ert tests, but this should affect the doc effort
> 4. I might throw in a few more checks to detech DHE-DSS key exchange
> and DSA signature. IETF TLSWG has removed it from TLS 1.3, so do
> browsers, but I haven't been able to find much information about them
> other than they are not used. There's a claim made that DSS key
> exchange is just as bad as static RSA, but DHE-DSS is not that same as
> DSS...

I see youʼre checking for TLS < 1.1. TLS 1.1 has its fair share of
reported issues as well, perhaps we should check for < 1.2 (or we
could put that on 'high).



reply via email to

[Prev in Thread] Current Thread [Next in Thread]