authorLawrence Mitchell <[email protected]>2011-07-15 19:41:24 +0200
committerLars Magne Ingebrigtsen <[email protected]>2011-07-15 19:41:24 +0200
commit87e86684426cfc7c4676dc90e44a623921f7186e (patch)
tree7e768fa2fdc3871c5b3049f7064f41097c349a7e /lisp
parentd6066239555e3ef3fcda8481ce9f9288676b1bd8 (diff)
Allow controlling how many prime bits to use during TLS negotiation
Diffstat (limited to 'lisp')
-rw-r--r--lisp/ChangeLog5
-rw-r--r--lisp/net/gnutls.el22
2 files changed, 25 insertions, 2 deletions
diff --git a/lisp/ChangeLog b/lisp/ChangeLog
index 87f5cc9d70..6bfdb61330 100644
--- a/lisp/ChangeLog
+++ b/lisp/ChangeLog
@@ -1,3 +1,8 @@
+2011-07-09 Lawrence Mitchell <[email protected]>
+
+ * net/gnutls.el (gnutls-min-prime-bits): New variable.
+ (gnutls-negotiate): Use it.
+
2011-07-15 Lars Magne Ingebrigtsen <[email protected]>
* net/gnutls.el (gnutls-negotiate): Upcase
diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 14d4a2f28e..edbf9a54af 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -54,6 +54,19 @@ set this variable to \"normal:-dhe-rsa\"."
:type '(choice (const nil)
string))
+;;;###autoload
+(defcustom gnutls-min-prime-bits nil
+ "The minimum number of bits to be used in Diffie-Hellman key exchange.
+
+This sets the minimum accepted size of the key to be used in a
+client-server handshake. If the server sends a prime with fewer than
+the specified number of bits the handshake will fail.
+
+A value of nil says to use the default gnutls value."
+ :type '(choice (const :tag "Use default value" nil)
+ (integer :tag "Number of bits" 512))
+ :group 'gnutls)
+
(defun open-gnutls-stream (name buffer host service)
"Open a SSL/TLS connection for a service to a host.
Returns a subprocess-object to represent the connection.
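Review bot: The `integer` alternative of the `:type` on the `defcustom` pre-fills the Customize widget with 512, which nudges anyone enabling this option toward a Diffie-Hellman prime size that is already weak; since the variable exists to raise the floor on what the server may send, the pre-fill should be a value that actually tightens things, e.g. `(integer :tag "Number of bits" 1024)`. The docstring should also make explicit that a value below GnuTLS's own default lowers the bar rather than raising it, for instance by adding `Values smaller than the GnuTLS default weaken the connection; prefer a value at or above it.` after the sentence on handshake failure. How a nil versus a numeric value is handed to the C layer is not visible in this hunk, so the "use the default gnutls value" claim is taken at face value here.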
@@ -97,8 +110,8 @@ trust and key files, and priority string."
(defun* gnutls-negotiate
(&rest spec
&key process type hostname priority-string
- trustfiles crlfiles keylist verify-flags
- verify-error verify-hostname-error
+ trustfiles crlfiles keylist min-prime-bits
+ verify-flags verify-error verify-hostname-error
&allow-other-keys)
"Negotiate a SSL/TLS connection. Returns proc. Signals gnutls-error.
@@ -111,6 +124,9 @@ PRIORITY-STRING is as per the GnuTLS docs, default is \"NORMAL\".
TRUSTFILES is a list of CA bundles.
CRLFILES is a list of CRL files.
KEYLIST is an alist of (client key file, client cert file) pairs.
+MIN-PRIME-BITS is the minimum acceptable size of Diffie-Hellman keys
+\(see `gnutls-min-prime-bits' for more information). Use nil for the
+default.
When VERIFY-HOSTNAME-ERROR is not nil, an error will be raised
when the hostname does not match the presented certificate's host
@@ -155,9 +171,11 @@ defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
(if gnutls-algorithm-priority
(upcase gnutls-algorithm-priority)
"NORMAL")))))
+ (min-prime-bits (or min-prime-bits gnutls-min-prime-bits))
(params `(:priority ,priority-string
:hostname ,hostname
:loglevel ,gnutls-log-level
+ :min-prime-bits ,min-prime-bits
:trustfiles ,trustfiles
:crlfiles ,crlfiles
:keylist ,keylist
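Review bot: The merged `(or min-prime-bits gnutls-min-prime-bits)` is passed straight into `params` as `:min-prime-bits` with no check that it is nil or a non-negative integer, so a mis-set customization (a string, a negative number) reaches whatever consumes `params` unvalidated; the enclosing `let*` and `gnutls-negotiate` begin outside this hunk, and the consumer of `params` is not shown, so what happens to a bad value there cannot be seen. A local guard keeps the error at the Lisp boundary: `(min-prime-bits (let ((bits (or min-prime-bits gnutls-min-prime-bits))) (unless (or (null bits) (natnump bits)) (error "gnutls-negotiate: MIN-PRIME-BITS must be nil or a non-negative integer, got %S" bits)) bits))`. Note also that an explicit 0 is non-nil in Lisp and therefore overrides the customized default and is forwarded as 0; whether the receiving side treats 0 as "library default" or as "accept anything" is not visible here and is worth a comment on the binding either way.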