Re: A couple of questions and concerns about Emacs network security
From: Lars Ingebrigtsen
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Mon, 25 Jun 2018 02:04:11 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

Jimmy Yuen Ho Wong <address@hidden> writes:

> The sha1-intermediate test still fails on 'medium.

Hm! I thought the problem was with SHA1 for intermediate certificates,
not root certificates? But this is the certificate chain from
https://sha1-intermediate.badssl.com/

((:version 3
  :serial-number "00:be:00:42:69:d7:58:79:57:10:3c:04:e7:aa:4e:d8:b2"
  :issuer "C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO SSL CA"
  :valid-from "2017-04-13"
  :valid-to "2020-05-30"
  :subject "OU=Domain Control Validated,OU=COMODO SSL Wildcard,CN=*.badssl.com"
  :public-key-algorithm "RSA"
  :certificate-security-level "Medium"
  :signature-algorithm "RSA-SHA256")
 (:version 3
  :serial-number "6e:ba:f0:8f:79:83:fa:9d:e1:b2:6f:96:fc:6e:98:bf"
  :issuer "C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root"
  :valid-from "2011-08-23"
  :valid-to "2020-05-30"
  :subject "C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO SSL CA"
  :public-key-algorithm "RSA"
  :certificate-security-level "Medium"
  :signature-algorithm "RSA-SHA1"))

So the SHA1 is in the last certificate there, but it's the
intermediary...

Here's the one from eternal-september:

((:version 3
  :serial-number "03:6f:ea:f0:ef:6e:57:9c:11:94:8c:1d:0e:9e:5a:a5:a7:8d"
  :issuer "C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3"
  :valid-from "2018-05-07"
  :valid-to "2018-08-05"
  :subject "CN=news.eternal-september.org"
  :public-key-algorithm "RSA"
  :certificate-security-level "Medium"
  :signature-algorithm "RSA-SHA256")
 (:version 3
  :serial-number "0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08"
  :issuer "O=Digital Signature Trust Co.,CN=DST Root CA X3"
  :valid-from "2016-03-17"
  :valid-to "2021-03-17"
  :subject "C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3"
  :public-key-algorithm "RSA"
  :certificate-security-level "Medium"
  :signature-algorithm "RSA-SHA256")
 (:version 3
  :serial-number "44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b"
  :issuer "O=Digital Signature Trust Co.,CN=DST Root CA X3"
  :valid-from "2000-09-30"
  :valid-to "2021-09-30"
  :subject "O=Digital Signature Trust Co.,CN=DST Root CA X3"
  :public-key-algorithm "RSA"
  :certificate-security-level "Medium"
  :signature-algorithm "RSA-SHA1"))

The third certificate here also has SHA1... but that's the root
certificate?

*google* Oh, I see. Some servers include the root certificate
(redundantly), and some don't. How do I determine whether a certificate
is a root certificate, then? There must be a way... I tried googling
but didn't immediately find anything.

> Also, shouldn't `network-security-protocol-checks' be a defcustom?

Possibly, but editing alists in customize isn't very pleasant.

> Lastly, are the dh-small-subgroup and dh-composite tests possible to
> check in LISP?

I wondered about that, too. I couldn't find anything in the gnutls API,
but it's pretty big and I could well have missed something.

--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
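
Added example, not part of the original message and not code from Emacs's nsm.el: one heuristic for the root-certificate question above is to treat a certificate whose :issuer equals its :subject as self-issued and exempt only those from a SHA1 check. The `my-nsm-' names are hypothetical; the plist keys and chain values are the ones quoted in the message, trimmed to three keys.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example; the `my-nsm-' names are hypothetical, not part of nsm.el.

(defun my-nsm-self-issued-p (cert)
  "Non-nil if CERT's :issuer DN string equals its :subject DN string.
Heuristic only: it neither verifies the signature nor consults the
trust store, so it says \"looks like a root\", not \"is trusted\"."
  (let ((issuer (plist-get cert :issuer))
        (subject (plist-get cert :subject)))
    (and (stringp issuer) (stringp subject) (string= issuer subject))))

(defun my-nsm-sha1-signed-p (cert)
  "Non-nil if CERT's :signature-algorithm name ends in SHA1."
  (let ((alg (plist-get cert :signature-algorithm))
        (case-fold-search nil))
    (and (stringp alg) (string-match-p "SHA1\\'" alg))))

(defun my-nsm-weak-sha1-certs (chain)
  "Return the :subject of every SHA1-signed cert in CHAIN that is not self-issued."
  (let (weak)
    (dolist (cert chain (nreverse weak))
      (when (and (my-nsm-sha1-signed-p cert)
                 (not (my-nsm-self-issued-p cert)))
        (push (plist-get cert :subject) weak)))))

;; The two chains quoted in the message, trimmed to the three keys used here.
(defconst my-nsm-badssl-chain
  '((:issuer "C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO SSL CA"
     :subject "OU=Domain Control Validated,OU=COMODO SSL Wildcard,CN=*.badssl.com"
     :signature-algorithm "RSA-SHA256")
    (:issuer "C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root"
     :subject "C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO SSL CA"
     :signature-algorithm "RSA-SHA1")))

(defconst my-nsm-eternal-chain
  '((:issuer "C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3"
     :subject "CN=news.eternal-september.org"
     :signature-algorithm "RSA-SHA256")
    (:issuer "O=Digital Signature Trust Co.,CN=DST Root CA X3"
     :subject "C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3"
     :signature-algorithm "RSA-SHA256")
    (:issuer "O=Digital Signature Trust Co.,CN=DST Root CA X3"
     :subject "O=Digital Signature Trust Co.,CN=DST Root CA X3"
     :signature-algorithm "RSA-SHA1")))

(message "badssl: %S" (my-nsm-weak-sha1-certs my-nsm-badssl-chain))
(message "eternal-september: %S" (my-nsm-weak-sha1-certs my-nsm-eternal-chain))
```

With these two chains only the COMODO SSL CA intermediate is reported; the DST Root CA X3 entry is skipped because its issuer and subject strings match. Whether a self-issued certificate is actually a trust anchor is still decided by the TLS library's chain verification, not by this comparison.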