
GnuTLS/TLS proposals for after the release

From: Ted Zlatanov
Subject: GnuTLS/TLS proposals for after the release
Date: Tue, 05 Jul 2016 17:26:43 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1.50 (gnu/linux)

Here are some thoughts about the near future of gnutls.el and friends
(none urgently needed for the release):

1) Proposal: after the 25.1 release, opening a secure network connection
without `gnutls-available-p' should be an annoying warning. The
alternative (tls.el) is less secure and IMHO should be discouraged.

2) I am concerned that SSLv3 is explicitly in the tls.el defaults. See
http://disablessl3.com/ for why, no need to write up all the reasons
here. I propose to cut those lines out.

3) Refactor gnutls.el a bit to support per-host settings more easily:
`gnutls-algorithm-priority', `gnutls-verify-error', `gnutls-trustfiles',
and `gnutls-min-prime-bits' all have different kinds of customizations.
For instance `gnutls-verify-error' can be global or per host regex,
while `gnutls-trustfiles' can be a function. This mish-mash reflects the
staggered work on that library over the years.

I propose a single variable, `gnutls-settings', which can be set per host
regex or globally, and which can contain an alist or plist specifying
each of the settings above as a string/string list or as a function.
Basically a unified view of all GnuTLS-related connectivity settings
instead of scattering them over several variables. I think in Customize
that will look nicer and more friendly, plus the code will be simplified.

If proposal 3 is accepted, the old variables will be accepted for some
time, deprecated later, and finally killed off. It won't be a sudden


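One possible shape for the unified per-host settings variable described in proposal 3, as an added Emacs Lisp sketch that is not part of this message or of gnutls.el. The names `my-gnutls-settings' and `my-gnutls-setting', the host regex, the prime-bits value and the certificate paths are all assumptions made for the illustration.

```elisp
;; Added sketch, not code from gnutls.el: one way the proposed
;; `gnutls-settings' could be laid out, plus a resolver for it.
;; Each entry is (HOST-REGEX . PLIST); the key t holds the global defaults.
;; A plist value may be a string, a list, or a function called with the host.
(defvar my-gnutls-settings
  '((t . (:verify-error t
          :min-prime-bits 1024
          :trustfiles ("/etc/ssl/certs/ca-certificates.crt")))
    ;; Constructed per-host override: stricter DH minimum and a
    ;; host-specific trust file computed from the host name.
    ("\\.example\\.invalid\\'"
     . (:min-prime-bits 2048
        :trustfiles (lambda (host)
                      ;; Placeholder path; a real setup would point at
                      ;; the CA file used for that host.
                      (list (format "/path/to/ca/%s.pem" host))))))
  "Constructed example settings: global defaults under t plus one override.")

(defun my-gnutls-setting (host key)
  "Return the value of KEY for HOST from `my-gnutls-settings'.
The first per-host entry whose regex matches HOST and defines KEY wins;
otherwise the global defaults under t are used.  Function values are
called with HOST so a trust file or priority string can depend on it."
  (let ((value nil) (found nil))
    (dolist (entry my-gnutls-settings)
      (when (and (not found)
                 (stringp (car entry))
                 (string-match-p (car entry) host)
                 (plist-member (cdr entry) key))
        (setq value (plist-get (cdr entry) key)
              found t)))
    (unless found
      (let ((global (cdr (assq t my-gnutls-settings))))
        (when (plist-member global key)
          (setq value (plist-get global key)))))
    (if (functionp value) (funcall value host) value)))

;; Usage: the first call falls through to the global defaults, the
;; second and third pick up the per-host override.
(my-gnutls-setting "www.gnu.org" :min-prime-bits)
(my-gnutls-setting "mail.example.invalid" :min-prime-bits)
(my-gnutls-setting "mail.example.invalid" :trustfiles)
```

Because `:verify-error' is only set under t here, every host keeps certificate verification on; a per-host entry would have to name the key explicitly to change it, which makes a weakened host easy to spot in Customize.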