Function: nsm-protocol-check--version

nsm-protocol-check--version is a byte-compiled function defined in nsm.el.gz.

Signature

(nsm-protocol-check--version HOST PORT STATUS &optional SETTINGS)

Documentation

Check for SSL/TLS protocol version.

This function guards against the usage of SSL 3.0, TLS 1.0, and TLS 1.1.
- SSL 3.0 has been deprecated by RFC7568[1].
- TLS 1.0 has been deprecated by PCI DSS[2], and later by RFC8996[3].
- TLS 1.1 has been deprecated by RFC8996[3].

References:

[1]: Barnes, Thomson, Pironti, Langley (2015). "Deprecating Secure
Sockets Layer Version 3.0", https://tools.ietf.org/html/rfc7568
[2]: PCI Security Standards Council (2016). "Migrating from SSL and
Early TLS", https://docs-prv.pcisecuritystandards.org/Guidance%20Document/SSL%20TLS/Migrating_from_SSL_and_Early_TLS_-v12.pdf
[3]: Moriarty, Farrell (2021). "Deprecating TLS 1.0 and TLS 1.1",
https://tools.ietf.org/html/rfc8996

Source Code

;; Defined in /usr/src/emacs/lisp/net/nsm.el.gz
;; Protocol version checks

(defun nsm-protocol-check--version (_host _port status &optional _settings)
  "Check for SSL/TLS protocol version.

This function guards against the usage of SSL3.0, TLS 1.0, and TLS 1.1.
- SSL 3.0 has been deprecated by RFC7568[1].
- TLS 1.0 has been deprecated by PCI DSS[2], and later by RFC8996[3].
- TLS 1.1 has been deprecated by RFC8996[3].

References:

[1]: Barnes, Thomson, Pironti, Langley (2015).  \"Deprecating Secure
Sockets Layer Version 3.0\", `https://tools.ietf.org/html/rfc7568'
[2]: PCI Security Standards Council (2016).  \"Migrating from SSL and
Early TLS\"
`https://docs-prv.pcisecuritystandards.org/Guidance%20Document/SSL%20TLS/Migrating_from_SSL_and_Early_TLS_-v12.pdf'
[3]: Moriarty, Farrell (2021).  \"Deprecating TLS 1.0 and TLS 1.1\"
`https://tools.ietf.org/html/rfc8996'
"
  (let ((protocol (plist-get status :protocol)))
    (and protocol
         (or (string-match "SSL" protocol)
             (and (string-match "TLS1.\\([0-9]+\\)" protocol)
                  (< (string-to-number (match-string 1 protocol)) 2)))
         (format-message
          "%s protocol is deprecated by standard bodies"
          protocol))))
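As an added example (not part of nsm.el), the check can be exercised directly with constructed STATUS plists to confirm which protocol strings it flags; `nsm-example--verdict` and the ert test name are names chosen here, and the host and port values are placeholders.

```elisp
;; Added example, not from nsm.el: drive the version check with constructed
;; STATUS plists.  Only :protocol is consulted; HOST, PORT and SETTINGS are
;; ignored by this check, so placeholder values are sufficient.
(require 'ert)
(require 'nsm)

(defun nsm-example--verdict (protocol)
  "Run the version check for a connection reporting PROTOCOL.
Return the warning string, or nil when the version is acceptable."
  (nsm-protocol-check--version "example.invalid" 443
                               (list :protocol protocol)))

(ert-deftest nsm-example-version-check ()
  "Deprecated versions warn; TLS 1.2 and later, and a missing protocol, pass."
  ;; Protocol strings in the form the check's regexp expects ("SSL3.0",
  ;; "TLS1.0", ...).  The check matches "SSL" anywhere, and for "TLS1.N"
  ;; flags any minor version below 2.
  (dolist (deprecated '("SSL3.0" "TLS1.0" "TLS1.1"))
    (should (equal (nsm-example--verdict deprecated)
                   (format "%s protocol is deprecated by standard bodies"
                           deprecated))))
  (dolist (ok '("TLS1.2" "TLS1.3"))
    (should-not (nsm-example--verdict ok)))
  ;; A status plist without :protocol (e.g. a plain connection) never warns.
  (should-not (nsm-example--verdict nil)))

;; Evaluate this buffer, then: M-x ert RET nsm-example-version-check RET
```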