Re: Additional network security
From: Ted Zlatanov
Subject: Re: Additional network security
Date: Sun, 07 Dec 2014 11:32:46 -0500
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)
On Sun, 07 Dec 2014 14:35:30 +0900 "Stephen J. Turnbull" <address@hidden>
wrote:
SJT> Stefan Monnier writes:
>> > GnuTLS doesn't really set policy here; that's up to the application.
>>
>> Damn!
SJT> Welcome to the wild world of security. Can't if you do, damned if you
SJT> don't.
Fortunately, it's not up to the application either. The user can choose
their policy:
gnutls-algorithm-priority is a variable defined in `gnutls.el'.
Its value is nil
Documentation:
If non-nil, this should be a TLS priority string.
For instance, if you want to skip the "dhe-rsa" algorithm,
set this variable to "normal:-dhe-rsa".
Given this precedent, I think it would make sense to offer some
fine-grained control over NSM checks as well, similar to
`gnutls-verify-error' as I mentioned. We've gone Lispy with the NSM
configuration, but if we were consistent with the GnuTLS approach, the
NSM tuning would be simply a string like "paranoid:-crazy" (paranoid but
not crazy, heh heh). This is still possible:
* map a symbol to its symbol-name
* parse NSM security levels like GnuTLS priority strings
* allow setting these strings per host regex
* PROFIT
WDYT?
Ted
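As an added illustration of the proposal above (this is not Ted's code and not Emacs's nsm.el), here is a sketch in Emacs Lisp of a policy string parsed the way GnuTLS parses priority strings and resolved per host regexp. The `my-nsm-` names, the level table and the check names are constructed placeholders, not NSM's real identifiers.

```elisp
;; Constructed example: "LEVEL[:+CHECK|:-CHECK]..." policy strings for NSM,
;; modelled on GnuTLS priority strings such as "normal:-dhe-rsa".
;; Level and check names are placeholders, not Emacs's real NSM symbols.
(defconst my-nsm-levels
  '((low      . ())
    (medium   . (cert-expired))
    (high     . (cert-expired self-signed))
    (paranoid . (cert-expired self-signed weak-cipher crazy)))
  "Constructed map from a level symbol to the checks it enables.")

(defun my-nsm-parse-policy (string)
  "Parse STRING like \"paranoid:-crazy\" into a list of enabled checks.
The first field names a base level; each later field adds (+CHECK) or
removes (-CHECK) one check.  Symbols are matched via `symbol-name',
i.e. by the text a user would type, as proposed."
  (let* ((fields (split-string string ":" t))
         (level (intern (car fields)))
         (entry (assq level my-nsm-levels)))
    (unless entry
      (error "Unknown NSM level: %s" (car fields)))
    (let ((checks (copy-sequence (cdr entry))))
      (dolist (mod (cdr fields))
        (let ((op (aref mod 0))
              (check (intern (substring mod 1))))
          (cond ((eq op ?-) (setq checks (delq check checks)))
                ((eq op ?+) (unless (memq check checks)
                              (setq checks (append checks (list check)))))
                (t (error "Bad modifier %S (expected +CHECK or -CHECK)" mod)))))
      checks)))

(defvar my-nsm-host-policies
  '(("\\.internal\\.example\\'" . "high:-self-signed")
    ("." . "paranoid:-crazy"))
  "Constructed alist of (HOST-REGEXP . POLICY-STRING); first match wins.")

(defun my-nsm-checks-for-host (host)
  "Return the checks to run for HOST, using `my-nsm-host-policies'.
Falls back to the \"medium\" level when no regexp matches."
  (let ((policies my-nsm-host-policies)
        (policy "medium"))
    (while policies
      (if (string-match-p (caar policies) host)
          (setq policy (cdar policies)
                policies nil)
        (setq policies (cdr policies))))
    (my-nsm-parse-policy policy)))
```

Evaluating the block and calling `(my-nsm-checks-for-host "imap.example.net")` returns the paranoid set with `crazy` removed, while a host under `.internal.example` gets the high set without `self-signed`.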