emacs-devel

Re: A couple of questions and concerns about Emacs network security


From: Jimmy Yuen Ho Wong
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sat, 23 Jun 2018 12:55:03 +0100



On Sat, Jun 23, 2018 at 12:32 PM, Lars Ingebrigtsen <address@hidden> wrote:
> Jimmy Yuen Ho Wong <address@hidden> writes:
>
> > There are more problems with NSM than just these tests. One other
> > thing I can think of is, if I've set `gnutls-min-prime-bits` to 2048,
> > and presented with a cert with 1536 bits, NSM does nothing for me.
>
> It's not supposed to -- the connection is stopped at the gnutls level.
> Which is why that variable defaults to 256, so that the NSM can handle
> the problem.

How about moving the min-prime-bits knob over to NSM so it can warn instead of silently bypassing it by fiddling with options directly related to GnuTLS? I also notice there's a `nsm-noninteractive` var; it's only used in 1 place so far. Can we defcustom it and sprinkle a check for this var strategically such that people who are using Emacs in a script can still do it without fiddling with the GnuTLS options? In fact, what if we merged all the NSM and GnuTLS options into NSM so various modules can rely on it as a central point of control?
