[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A couple of questions and concerns about Emacs network security

From: Jimmy Yuen Ho Wong
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Mon, 9 Jul 2018 14:33:17 +0100

On Mon, Jul 9, 2018 at 2:09 PM Robert Pluim <address@hidden> wrote:
> Jimmy Yuen Ho Wong <address@hidden> writes:
> >> Is your work on a git branch somewhere?
> >
> > It's on Github: https://github.com/wyuenho/emacs/tree/additional-nsm-checks
> >
> > Diff to master:
> > https://github.com/emacs-mirror/emacs/compare/master...wyuenho:additional-nsm-checks
> >
> > You can just fork my fork and send over a PR.
> >
> > There's still a couple of things I need to do:
> >
> > 1. Implement `nsm-trust-local-network`
> > 2. Remove that change in src/gnutls.h not needed for bug#31946 (this
> > is from my OCSP stash still sitting on my machine)
> It needs either removing or making it work with earlier versions of GnuTLS:
> gnutls.c: In function ‘Fgnutls_peer_status’:
> gnutls.c:1353:22: error: ‘GNUTLS_CERT_MISSING_OCSP_STATUS’ undeclared (first 
> use in this function)
> I have:
> pkg-config --modversion gnutls
> 3.4.10
> I think the OCSP stuff is 3.6.something.

Ah! Thank you! It's >= 3.5.1. I just pushed a change to fix this.

> > 3. Write some ert tests, but this should affect the doc effort
> > 4. I might throw in a few more checks to detech DHE-DSS key exchange
> > and DSA signature. IETF TLSWG has removed it from TLS 1.3, so do
> > browsers, but I haven't been able to find much information about them
> > other than they are not used. There's a claim made that DSS key
> > exchange is just as bad as static RSA, but DHE-DSS is not that same as
> > DSS...
> I see youʼre checking for TLS < 1.1. TLS 1.1 has its fair share of
> reported issues as well, perhaps we should check for < 1.2 (or we
> could put that on 'high).

I thought about this, but there's no standard that bans TLS 1.1, nor
TLS client implementations that disabled it by default. Besides, all
the problems TLS 1.1 has is already checked by the other checks. This
reason I'm checking for TLS 1.0 is somewhat arbitrary, as all the
problems it has is already checked by other checks too. So maybe even
checking for 1.0 is already too strict, but PCI DSS does ban it, so...

reply via email to

[Prev in Thread] Current Thread [Next in Thread]