Don't check for :safe-renegotiation with TLS1.3

* lisp/net/nsm.el (nsm-protocol-check--renegotiation-info-ext): Don't check when using TLS1.3, renegotiation has been removed from TLS. Reported in <https://lists.gnu.org/archive/html/help-gnu-emacs/2019-09/msg00005.html>
2026-02-16 17:24:23 +00:00 · 2019-09-02 14:55:00 +02:00 · 2019-09-02 14:55:00 +02:00 · 95becaaf3b
commit 95becaaf3b
parent a843266113
1 changed files with 7 additions and 5 deletions
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@ -665,17 +665,19 @@ the MD5 Message-Digest and the HMAC-MD5 Algorithms\",
 If this TLS extension is not used, the connection established is
 vulnerable to an attack in which an impersonator can extract
 sensitive information such as HTTP session ID cookies or login
-passwords.
+passwords.  Renegotiation was removed in TLS1.3, so this is only
+checked for earlier protocol versions.

 Reference:

 E. Rescorla, M. Ray, S. Dispensa, N. Oskov (Feb 2010).  \"Transport
 Layer Security (TLS) Renegotiation Indication Extension\",
 `https://tools.ietf.org/html/rfc5746'"
-  (let ((unsafe-renegotiation (not (plist-get status :safe-renegotiation))))
-    (and unsafe-renegotiation
-         (format-message
-          "safe renegotiation is not supported, connection not protected from impersonators"))))
+  (when (plist-member status :safe-renegotiation)
+    (let ((unsafe-renegotiation (not (plist-get status :safe-renegotiation))))
+      (and unsafe-renegotiation
+           (format-message
+            "safe renegotiation is not supported, connection not protected from impersonators")))))

 ;; Compression checks