Re: Additional network security

From: Ted Zlatanov
Subject: Re: Additional network security
Date: Sun, 07 Dec 2014 11:32:46 -0500
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)

On Sun, 07 Dec 2014 14:35:30 +0900 "Stephen J. Turnbull" <address@hidden> 

SJT> Stefan Monnier writes:
>> > GnuTLS doesn't really set policy here; that's up to the application.
>> Damn!

SJT> Welcome to the wild world of security.  Can't if you do, damned if you
SJT> don't.

Fortunately, it's not up to the application either. The user can choose
their policy:

gnutls-algorithm-priority is a variable defined in `gnutls.el'.
Its value is nil

If non-nil, this should be a TLS priority string.
For instance, if you want to skip the "dhe-rsa" algorithm,
set this variable to "normal:-dhe-rsa".

Given this precedent, I think it would make sense to offer some
fine-grained control over NSM checks as well, similar to
`gnutls-verify-error' as I mentioned.  We've gone Lispy with the NSM
configuration, but if we were consistent with the GnuTLS approach, the
NSM tuning would be simply a string like "paranoid:-crazy" (paranoid but
not crazy, heh heh).  This is still possible:

* map a symbol to its symbol-name
* parse NSM security levels like GnuTLS priority strings
* allow setting these strings per host regex
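
As an added example (not code from this thread or from Emacs itself), here is an Emacs Lisp sketch of the three bullets above: a GnuTLS-style priority string parser for NSM checks and a per-host regexp lookup. Every name in it (the `my-nsm-*` functions and variables, the level names, the check symbols) is hypothetical; Emacs's real NSM uses different names.

```elisp
;; Added example, not from the thread or from Emacs.  All names below
;; (my-nsm-*, the level names and the check symbols) are hypothetical.
(require 'cl-lib)

(defconst my-nsm-all-checks
  '(self-signed expired rc4 ssl3 weak-dh sha1-signature)
  "Constructed set of check symbols a priority string may add or remove.")

(defconst my-nsm-levels
  `((low      . ())
    (medium   . (self-signed expired rc4 ssl3))
    (high     . (self-signed expired rc4 ssl3 weak-dh sha1-signature))
    (paranoid . ,my-nsm-all-checks))
  "Constructed base levels, each naming the checks it enables.")

(defvar my-nsm-host-priorities
  '(("\\`[^.]+\\.example\\.org\\'" . "paranoid:-weak-dh")
    ("\\`localhost\\'"             . "low")
    (""                            . "medium"))
  "Constructed (REGEXP . PRIORITY-STRING) pairs; the first match wins,
so the catch-all \"\" entry must stay last.")

(defun my-nsm-parse-priority (string)
  "Parse STRING such as \"high:-rc4:+weak-dh\" into a list of check symbols.
The first component is a base level; each later one is a check name
prefixed with \"-\" (disable) or \"+\" (enable).  Unknown levels, unknown
checks and bad prefixes signal an error instead of silently yielding a
weaker policy than the user asked for."
  (let* ((parts (or (split-string string ":" t)
                    (error "Empty NSM priority string")))
         (level (intern (car parts)))
         (entry (or (assq level my-nsm-levels)
                    (error "Unknown NSM level %S in %S" level string)))
         (checks (copy-sequence (cdr entry))))   ; never mutate the table
    (dolist (mod (cdr parts))
      (let ((check (intern (substring mod 1))))
        (unless (memq check my-nsm-all-checks)
          (error "Unknown NSM check %S in %S" check string))
        (pcase (aref mod 0)
          (?- (setq checks (delq check checks)))
          (?+ (unless (memq check checks) (push check checks)))
          (_  (error "Modifier %S in %S must start with + or -" mod string)))))
    checks))

(defun my-nsm-checks-for-host (host)
  "Return the check symbols in force for HOST per `my-nsm-host-priorities'."
  (my-nsm-parse-priority
   (cdr (cl-find-if (lambda (pair) (string-match-p (car pair) host))
                    my-nsm-host-priorities))))

;; Evaluate these to compare the effect of the per-host strings above:
(my-nsm-checks-for-host "mail.example.org")
(my-nsm-checks-for-host "www.gnu.org")
```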
