emacs-devel

Re: The netsec thread


From: Robert Pluim
Subject: Re: The netsec thread
Date: Tue, 03 Sep 2019 17:37:53 +0200

>>>>> On Tue, 3 Sep 2019 06:30:25 -0700, Paul Eggert <address@hidden> said:

    Paul> Robert Pluim wrote:
    >> In a similar vein: TLS1.3 removed support for renegotiation, so should
    >> the following in gnutls-peer-status be made conditional on TLS1.3
    >> having not been negotiated?
    >> /* Renegotiation Indication */
    >> result = nconc2
    >> (result, list2 (intern (":safe-renegotiation"),
    >> gnutls_safe_renegotiation_status (state) ? Qt : Qnil));

    Paul> If the Lisp code doesn't care or need it and if it's easy to suppress,
    Paul> it'd make sense to do that, yes. I don't have an opinion since I don't
    Paul> know GnuTLS that well.

The only code that cares is NSM, which can be fixed, and itʼs easy
enough to remove as well. The GNUTLS_TLS1_3 define was added in GnuTLS
3.6.3, so we can check for the version if you prefer.

Robert

diff --git a/src/gnutls.c b/src/gnutls.c
index 042f43e291..9336f1e382 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -1519,10 +1519,13 @@ DEFUN ("gnutls-peer-status", Fgnutls_peer_status, 
Sgnutls_peer_status, 1, 1, 0,
                    gnutls_session_etm_status (state) ? Qt : Qnil));
 #endif
 
-  /* Renegotiation Indication */
-  result = nconc2
-    (result, list2 (intern (":safe-renegotiation"),
-                    gnutls_safe_renegotiation_status (state) ? Qt : Qnil));
+  /* Renegotiation Indication.  Only for TLS protocol version < 1.3.   */
+#ifdef GNUTLS_TLS1_3
+  if (gnutls_protocol_get_version (state) < GNUTLS_TLS1_3)
+#endif
+    result = nconc2
+      (result, list2 (intern (":safe-renegotiation"),
+                      gnutls_safe_renegotiation_status (state) ? Qt : Qnil));
 
   return result;
 }
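Review bot: the Lisp side of this change is missing from the patch. The message says NSM is the only consumer of `:safe-renegotiation` and "can be fixed", but the diff touches only src/gnutls.c, so after it lands a TLS 1.3 connection returns a plist with no `:safe-renegotiation` key, and `(plist-get status :safe-renegotiation)` yields nil, the same value the old code produced for "renegotiation is not safe". Until nsm.el is updated in the same change (or in a companion patch) NSM cannot distinguish "TLS 1.3, renegotiation does not exist" from "TLS 1.2, unsafe renegotiation", and if the DEFUN docstring of `gnutls-peer-status` lists the key it should say the key is only present for protocol versions below 1.3. Minor style point on the same lines: guarding only the `if (gnutls_protocol_get_version (state) < GNUTLS_TLS1_3)` line with `#ifdef GNUTLS_TLS1_3` / `#endif` leaves the indented `result = nconc2 (...)` statement looking conditional in both builds, which is easy to misread when the define is absent; wrapping the whole `if` plus statement in the `#ifdef` with an unconditional copy in the `#else` branch, or computing a local `bool` first, would make the two configurations explicit.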


