Merge pull request #2763 from vqhuy/security

Use TLS by default and add more security settings
2020-03-27 01:55:31 -04:00 · 2020-03-27 01:55:31 -04:00 · f094d70e64
commit f094d70e64
parent 83fe7e5029 bf3cdc37ce
1 changed files with 13 additions and 4 deletions
--- a/core/core.el
+++ b/core/core.el
@ -180,12 +180,21 @@ users).")
 ;; Emacs is a huge security vulnerability, what with all the dependencies it
 ;; pulls in from all corners of the globe. Let's at least try to be more
 ;; discerning.
-(setq gnutls-verify-error (getenv "INSECURE")
+(setq gnutls-verify-error (not (getenv "INSECURE"))
+      gnutls-algorithm-priority "SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3"
+      ;; `gnutls-min-prime-bits' is set based on recommendations from
+      ;; https://www.keylength.com/en/4/
+      gnutls-min-prime-bits 3072
      tls-checktrust gnutls-verify-error
-      tls-program '("gnutls-cli --x509cafile %t -p %p %h"
+      ;; Emacs is built with `gnutls' by default, so `tls-program' would not
+      ;; be used in that case. Otherwiese, people have reasons to not go with
+      ;; `gnutls', we use `openssl' instead.
+      ;; For more details, see https://redd.it/8sykl1
+      tls-program '("openssl s_client -connect %h:%p -CAfile %t -nbio -no_ssl3 -no_tls1 -no_tls1_1 -ign_eof"
+                    "gnutls-cli -p %p --dh-bits=3072 --ocsp --x509cafile=%t \
+--strict-tofu --priority='SECURE192:+SECURE128:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3' %h"
                    ;; compatibility fallbacks
-                    "gnutls-cli -p %p %h"
-                    "openssl s_client -connect %h:%p -no_ssl2 -no_ssl3 -ign_eof"))
+                    "gnutls-cli -p %p %h"))

 ;; Emacs stores authinfo in HOME and in plaintext. Let's not do that, mkay? This
 ;; file usually stores usernames, passwords, and other such treasures for the