[Emacs-diffs] master 3e7692f: Make the intermediary-sha1 check work
From: Lars Ingebrigtsen
Subject: [Emacs-diffs] master 3e7692f: Make the intermediary-sha1 check work
Date: Sun, 24 Jun 2018 20:40:34 -0400 (EDT)
branch: master
commit 3e7692f07d9e90f495ff4104cf1320954398c9fa
Author: Lars Ingebrigtsen <address@hidden>
Commit: Lars Ingebrigtsen <address@hidden>
Make the intermediary-sha1 check work
* lisp/net/nsm.el (nsm-protocol-check--intermediary-sha1): Make
the "skip the root cert" logic work (suggested by Noam Postavsky).
---
lisp/net/nsm.el | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index 2c4f8bf..146d0d5 100644
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -256,13 +256,14 @@ HOST PORT STATUS OPTIONAL-PARAMETER.")
host port signature-algorithm))))
(defun nsm-protocol-check--intermediary-sha1 (host port status _)
- ;; We want to check all intermediary certificates, so we skip the
- ;; first, reverse the list and then skip the first again, so we miss
- ;; the first and final certificates in the chain.
- (cl-loop for certificate in (cdr (reverse
- (cdr (plist-get status :certificates))))
+ ;; Skip the first certificate, because that's the host certificate.
+ (cl-loop for certificate in (cdr (plist-get status :certificates))
for algo = (plist-get certificate :signature-algorithm)
- when (and (string-match "\\bSHA1\\b" algo)
+ ;; Don't check root certificates -- SHA1 isn't dangerous
+ ;; there.
+ when (and (not (equal (plist-get certificate :issuer)
+ (plist-get certificate :subject)))
+ (string-match "\\bSHA1\\b" algo)
(not (nsm-query
host port status :signature-sha1
"An intermediary certificate used to verify the
connection to %s:%s uses the SHA1 algorithm (%s), which is believed to be
unsafe."
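Review bot: in the `when` clause, `algo` comes straight from `(plist-get certificate :signature-algorithm)` and is passed to `string-match` with no nil guard, so a certificate plist lacking that key would signal a wrong-type-argument error instead of being skipped; consider `(and algo (string-match "\\bSHA1\\b" algo))`. Separately, the root test is a plain `equal` on the `:issuer` and `:subject` values, so it exempts any self-issued certificate that appears in the chain, not only one that is a trusted root. The comment above it should state that this name comparison is the heuristic being used for "root".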