From bf3cdc37ce45ffdf0b0623ccd16e98211996b2f4 Mon Sep 17 00:00:00 2001
From: Vu Quoc Huy
Date: Tue, 24 Mar 2020 01:29:54 +0100
Subject: [PATCH] Fix & add more security settings

---
 core/core.el | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/core/core.el b/core/core.el
index 30c666ae2..0a9c1875f 100644
--- a/core/core.el
+++ b/core/core.el
@@ -180,12 +180,21 @@ users).")
 ;; Emacs is a huge security vulnerability, what with all the dependencies it
 ;; pulls in from all corners of the globe. Let's at least try to be more
 ;; discerning.
-(setq gnutls-verify-error (getenv "INSECURE")
+(setq gnutls-verify-error (not (getenv "INSECURE"))
+ gnutls-algorithm-priority "SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3"
+ ;; `gnutls-min-prime-bits' is set based on recommendations from
+ ;; https://www.keylength.com/en/4/
+ gnutls-min-prime-bits 3072
 tls-checktrust gnutls-verify-error
- tls-program '("gnutls-cli --x509cafile %t -p %p %h"
+ ;; Emacs is built with `gnutls' by default, so `tls-program' would not
+ ;; be used in that case. Otherwiese, people have reasons to not go with
+ ;; `gnutls', we use `openssl' instead.
+ ;; For more details, see https://redd.it/8sykl1
+ tls-program '("openssl s_client -connect %h:%p -CAfile %t -nbio -no_ssl3 -no_tls1 -no_tls1_1 -ign_eof"
+ "gnutls-cli -p %p --dh-bits=3072 --ocsp --x509cafile=%t \
+--strict-tofu --priority='SECURE192:+SECURE128:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3' %h"
 ;; compatibility fallbacks
- "gnutls-cli -p %p %h"
- "openssl s_client -connect %h:%p -no_ssl2 -no_ssl3 -ign_eof"))
+ "gnutls-cli -p %p %h"))
 
 ;; Emacs stores authinfo in HOME and in plaintext. Let's not do that, mkay? This
 ;; file usually stores usernames, passwords, and other such treasures for the
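Review bot: The "compatibility fallback" `"gnutls-cli -p %p %h"` kept as the last `tls-program` entry carries neither `--x509cafile %t` nor a `--priority` string, so when either hardened command fails on a given machine (for example an older gnutls-cli that does not accept `--strict-tofu` or `--ocsp`) and `tls.el` moves on to the next entry, the connection is retried with TLS 1.0/1.1 and non-SECURE suites re-enabled, silently undoing the pinning the two entries above it introduce. Either drop the fallback or give it the same restrictions, e.g. `"gnutls-cli -p %p --x509cafile=%t --priority='SECURE192:+SECURE128:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3' %h"`. The two priority strings also disagree on preference order (`SECURE128:+SECURE192` for the built-in `gnutls-algorithm-priority` versus `SECURE192:+SECURE128` for gnutls-cli); using one string for both keeps the two code paths negotiating the same suites. A comment next to `gnutls-min-prime-bits 3072` / `--dh-bits=3072` should state that this rejects servers still offering 2048-bit DHE groups, which is a deliberate availability trade-off rather than a bug, and the comment typo `Otherwiese` should read `Otherwise`.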