Re: GnuTLS/TLS proposals for after the release

From: Lars Ingebrigtsen
Subject: Re: GnuTLS/TLS proposals for after the release
Date: Wed, 20 Jul 2016 14:04:27 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1.50 (gnu/linux)

Ted Zlatanov <address@hidden> writes:

> 1) Proposal: after the 25.1 release, opening a secure network connection
> without `gnutls-available-p' should be an annoying warning. The
> alternative (tls.el) is less secure and IMHO should be discouraged.

I agree.

And I think the FSF distribution page for the prebuilt binaries on all
platforms should link to binaries that come with a complete set of
libraries needed to run Emacs in a secure manner.  (Mostly relevant for
the Windows distribution.)

> 2) I am concerned that SSLv3 is explicitly in the tls.el defaults. See
> http://disablessl3.com/ for why, no need to write up all the reasons
> here. I propose to cut those lines out.

That's fine with me, but if it's deprecated, then it probably doesn't
matter much.  :-)

> I propose a single variable, `gnutls-settings' which can be set per host
> regex or globally, and which can contain an alist or plist specifying
> each of the settings above as a string/string list or as a function.
> Basically a unified view of all GnuTLS-related connectivity settings
> instead of scattering them over several variables. I think in Customize
> that will look nicer and more friendly, plus the code will be simplified.

Yes, this sounds nice.  The only slightly worrying thing from a user
perspective is that we'd then have two layers of settings/exceptions per
host -- one from `gnutls-settings', and one from the Network Security
Manager.  This may confuse some users, but the extra power
`gnutls-settings' would give us might outweigh that slight problem.

(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
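As an added illustration of the first and third proposals above (this is example code written for this page, not Emacs's own code, and not the implementation Ted proposed): a hypothetical `my-gnutls-settings` alist keyed by host regexp with a global default under `t`, a resolver that merges per-host entries over the defaults and calls any functional values with the host name, and a connection wrapper that warns and refuses to proceed when `gnutls-available-p' is nil instead of dropping to the external-program path in tls.el. The names `my-gnutls-settings`, `my-gnutls-resolve` and `my-open-secure-stream` are assumptions; `gnutls-available-p`, `gnutls-negotiate`, `gnutls-trustfiles`, `open-network-stream` and `display-warning` are real Emacs functions. The sample priority string `NORMAL:-VERS-SSL3.0` uses GnuTLS priority syntax to exclude SSLv3, which is the point of the second proposal.

```elisp
;;; Added example, not Emacs code.  Hypothetical names: my-gnutls-settings,
;;; my-gnutls-resolve, my-open-secure-stream.
(require 'gnutls)

;; Proposal 3 in miniature: one alist, keyed by host regexp (or t for the
;; global default).  Each value is a plist of gnutls-negotiate keywords;
;; a plist value may be a literal or a function called with the host name.
(defvar my-gnutls-settings
  '((t . (:verify-error t
          :priority-string "NORMAL:-VERS-SSL3.0"   ; never offer SSLv3
          :trustfiles (lambda (_host) (gnutls-trustfiles))))
    ;; Constructed sample override: an internal domain with a larger DH floor.
    ("\\.corp\\.example\\'" . (:min-prime-bits 2048)))
  "Constructed sample settings: defaults under `t', overrides by host regexp.")

(defun my-gnutls-resolve (host)
  "Return the merged settings plist for HOST.
Every regexp entry matching HOST is layered over the `t' defaults, in
order; values that are functions are then called with HOST."
  (let ((merged (copy-sequence (alist-get t my-gnutls-settings))))
    (dolist (entry my-gnutls-settings)
      (when (and (stringp (car entry)) (string-match-p (car entry) host))
        (let ((plist (cdr entry)))
          (while plist
            (setq merged (plist-put merged (car plist) (cadr plist)))
            (setq plist (cddr plist))))))
    ;; Second pass: evaluate functional values so callers get plain data.
    (let ((plist merged) (out nil))
      (while plist
        (let ((val (cadr plist)))
          (setq out (plist-put out (car plist)
                               (if (functionp val) (funcall val host) val))))
        (setq plist (cddr plist)))
      out)))

(defun my-open-secure-stream (name buffer host service)
  "Open a TLS connection to HOST:SERVICE with the built-in GnuTLS.
Proposal 1: if this Emacs was built without GnuTLS, raise a loud warning
and signal an error rather than silently using tls.el's external programs."
  (unless (gnutls-available-p)
    (display-warning
     'gnutls
     (format "Refusing to open %s:%s: this Emacs has no GnuTLS support, and the tls.el fallback is less secure"
             host service)
     :error)
    (error "GnuTLS is not available; not falling back to tls.el"))
  (let ((settings (my-gnutls-resolve host))
        ;; Open a plain TCP stream first; gnutls-negotiate upgrades it.
        (proc (open-network-stream name buffer host service :type 'plain)))
    (apply #'gnutls-negotiate
           :process proc
           :hostname host
           :type 'gnutls-x509pki
           settings)))

;; Example calls (no network is touched by the resolver itself):
;;   (my-gnutls-resolve "mail.corp.example")
;;   => (:verify-error t :priority-string "NORMAL:-VERS-SSL3.0"
;;       :trustfiles (...) :min-prime-bits 2048)
;;   (my-open-secure-stream "imap" nil "mail.corp.example" 993)
```

Two caveats that follow from the "two layers" worry raised above. First, the resolver merges every matching regexp in list order, so the last matching entry wins a key; a real `gnutls-settings' would need to document that rule or match only the first entry. Second, this wrapper goes straight to `gnutls-negotiate' and so never consults the Network Security Manager; code that wants both the per-host GnuTLS settings and NSM's fingerprint and downgrade checks has to call `nsm-verify-connection' on the returned process itself, which is exactly the duplication Lars is pointing at.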
