Deprecate TLS1.0 support in emacs
From: Robert Pluim
Subject: Deprecate TLS1.0 support in emacs
Date: Wed, 12 Jul 2017 15:03:39 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
Hi,
whilst investigating another bug, I noticed that
https://lists.gnu.org/ is still using TLS1.0, which is seriously
deprecated. I propose the following patch to make emacs not use TLS1.0
anymore unless explicitly requested (and someone should update the
settings on lists.gnu.org).
Perhaps this warrants a NEWS entry as well, let me know.
Regards
Robert
From e0526d6ac7a2622a1b8781be4825fbef985a5ed3 Mon Sep 17 00:00:00 2001
From: Robert Pluim <address@hidden>
Date: Wed, 12 Jul 2017 14:59:35 +0200
Subject: [PATCH] Remove TLS1.0 from default gnutls connection parameters
* lisp/net/gnutls.el (gnutls-boot-parameters): Remove TLS1.0
from default parameters.
* src/gnutls.c (Fgnutls_boot): Likewise.
---
lisp/net/gnutls.el | 4 ++--
src/gnutls.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 5db87329c3..3386dc5efc 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -264,11 +264,11 @@ gnutls-log-level
(priority-string (or priority-string
(cond
((eq type 'gnutls-anon)
- "NORMAL:+ANON-DH:!ARCFOUR-128")
+ "NORMAL:+ANON-DH:!ARCFOUR-128:-VERS-TLS1.0")
((eq type 'gnutls-x509pki)
(if gnutls-algorithm-priority
(upcase gnutls-algorithm-priority)
- "NORMAL")))))
+ "NORMAL:-VERS-TLS1.0")))))
(verify-error (or verify-error
;; this uses the value of `gnutls-verify-error'
(cond
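Review bot: in the gnutls-x509pki branch the "-VERS-TLS1.0" exclusion is only appended to the built-in "NORMAL" default; when `gnutls-algorithm-priority` is non-nil its (upcased) value is used unchanged, so a user who customized the option to "NORMAL" earlier silently keeps TLS1.0. That matches the cover message's "unless explicitly requested", but the defcustom docstring of `gnutls-algorithm-priority` should then say that the default now excludes TLS1.0 and that a custom value must add "-VERS-TLS1.0" itself, and the NEWS entry the author floats is warranted, since connections to TLS1.0-only hosts (the message names lists.gnu.org) will start failing. Consider building both branch strings from one shared constant rather than appending the suffix to two separate literals ("NORMAL:+ANON-DH:!ARCFOUR-128:-VERS-TLS1.0" and "NORMAL:-VERS-TLS1.0").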
diff --git a/src/gnutls.c b/src/gnutls.c
index 2078ad88f2..c3d7f54b73 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -1333,7 +1333,7 @@ PROPLIST is a property list with the following keys:
:hostname is a string naming the remote host.
-:priority is a GnuTLS priority string, defaults to "NORMAL".
+:priority is a GnuTLS priority string, defaults to "NORMAL:-VERS-TLS1.0".
:trustfiles is a list of PEM-encoded trust files for `gnutls-x509pki'.
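Review bot: the updated :priority line states the new default but not how a caller gets TLS1.0 back, which the cover message says remains possible on explicit request; add a clause such as "pass an explicit :priority (e.g. "NORMAL") to re-enable TLS1.0 for a legacy host" so the documented escape hatch lives next to the documented default.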
@@ -1389,7 +1389,7 @@ one trustfile (usually a CA bundle). */)
gnutls_certificate_credentials_t x509_cred = NULL;
gnutls_anon_client_credentials_t anon_cred = NULL;
Lisp_Object global_init;
- char const *priority_string_ptr = "NORMAL"; /* default priority string. */
+ char const *priority_string_ptr = "NORMAL:-VERS-TLS1.0"; /* default priority
string. */
char *c_hostname;
/* Placeholders for the property list elements. */
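Review bot: with this hunk the literal "NORMAL:-VERS-TLS1.0" is hard-coded in four places (the two branches in lisp/net/gnutls.el, the `gnutls-boot` doc string in the previous hunk, and this C fallback used when no :priority is supplied), so the Lisp-side and C-side defaults can drift apart on the next change. Define it once, e.g. `#define GNUTLS_DEFAULT_PRIORITY "NORMAL:-VERS-TLS1.0"` in src/gnutls.c and a matching defconst in gnutls.el, and reference that from the doc string and both defaults.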
--
2.13.0.rc0
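The following Emacs Lisp is an added illustration, not part of Robert Pluim's patch or of Emacs itself. It shows the two sides of the behaviour the patch introduces: what priority string `gnutls-boot-parameters` now hands to GnuTLS by default, how a user explicitly opts back in to TLS1.0 through `gnutls-algorithm-priority`, and how to confirm which protocol a live connection actually negotiated. It assumes an Emacs built with GnuTLS and carrying the patched gnutls.el; the function names prefixed `my/` and the host name "example.invalid" are invented for the example.

```elisp
;;; Added example: inspecting the default GnuTLS priority string and the
;;; explicit TLS1.0 opt-in.  Not code from the patch or from Emacs.
;;; Assumes an Emacs built with GnuTLS and the patched lisp/net/gnutls.el.

(require 'gnutls)

(defun my/gnutls-effective-priority (&optional user-priority)
  "Return the GnuTLS priority string `gnutls-boot-parameters' would use.
USER-PRIORITY stands in for a customized `gnutls-algorithm-priority';
nil means the user has not customized it.  No connection is opened;
the hostname is only used to compute the verification settings."
  (let ((gnutls-algorithm-priority user-priority))
    (plist-get (gnutls-boot-parameters :type 'gnutls-x509pki
                                       :hostname "example.invalid")
               :priority)))

;; With the option left at nil the patched default excludes TLS1.0.
(my/gnutls-effective-priority)

;; Explicit opt-in for a legacy server: the user's string is used as-is
;; (only upcased), so TLS1.0 is offered again for every connection.
(my/gnutls-effective-priority "normal:+vers-tls1.0")

(defun my/tls-negotiated-protocol (host &optional port)
  "Open a TLS connection to HOST on PORT (default 443) and return the
negotiated protocol name, e.g. \"TLS1.2\".  Requires network access;
respects the current `gnutls-algorithm-priority'."
  (let ((proc (open-network-stream "my/tls-check" nil host (or port 443)
                                   :type 'tls :nowait nil)))
    (unwind-protect
        (plist-get (gnutls-peer-status proc) :protocol)
      (delete-process proc))))

;; Example call (needs network): check whether a host still answers once
;; TLS1.0 is excluded, then retry with the opt-in priority string.
;; (my/tls-negotiated-protocol "lists.gnu.org")
;; (let ((gnutls-algorithm-priority "NORMAL:+VERS-TLS1.0"))
;;   (my/tls-negotiated-protocol "lists.gnu.org"))
```

The first function is safe to evaluate offline: `gnutls-boot-parameters` only assembles the property list that `gnutls-boot` would receive. The second one does open a connection, so keep it for verifying a specific host after changing the default; a server that only speaks TLS1.0 will make `open-network-stream` signal an error under the new default and succeed again under the let-bound opt-in.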