From unknown Sun Aug 10 11:49:15 2025
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
Content-Type: text/plain; charset=utf-8
From: bug#11267 <11267@debbugs.gnu.org>
To: bug#11267 <11267@debbugs.gnu.org>
Subject: Status: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The
 Diffie-Hellman prime sent by the server is not acceptable (not long
 enough).
Reply-To: bug#11267 <11267@debbugs.gnu.org>
Date: Sun, 10 Aug 2025 18:49:15 +0000

retitle 11267 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellma=
n prime sent by the server is not acceptable (not long enough).
reassign 11267 emacs
submitter 11267 "Roland Winkler" <winkler@gnu.org>
severity 11267 normal

thanks


From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 17 17:15:51 2012
Received: (at submit) by debbugs.gnu.org; 17 Apr 2012 21:15:51 +0000
Received: from localhost ([127.0.0.1]:38768 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1SKFkY-000878-QK
	for submit@debbugs.gnu.org; Tue, 17 Apr 2012 17:15:51 -0400
Received: from eggs.gnu.org ([208.118.235.92]:37737)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <rwinkler@niu.edu>) id 1SKFkS-00086s-Kd
	for submit@debbugs.gnu.org; Tue, 17 Apr 2012 17:15:45 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <rwinkler@niu.edu>) id 1SKFk7-00082C-Tm
	for submit@debbugs.gnu.org; Tue, 17 Apr 2012 17:15:25 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=unavailable version=3.3.2
Received: from lists.gnu.org ([208.118.235.17]:52237)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rwinkler@niu.edu>) id 1SKFk7-000828-Qj
	for submit@debbugs.gnu.org; Tue, 17 Apr 2012 17:15:19 -0400
Received: from eggs.gnu.org ([208.118.235.92]:60125)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rwinkler@niu.edu>) id 1SKFk1-0008Dk-LA
	for bug-gnu-emacs@gnu.org; Tue, 17 Apr 2012 17:15:19 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <rwinkler@niu.edu>) id 1SKFjt-0007aT-Fh
	for bug-gnu-emacs@gnu.org; Tue, 17 Apr 2012 17:15:13 -0400
Received: from fencepost.gnu.org ([208.118.235.10]:34349)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rwinkler@niu.edu>) id 1SKFjt-0007Zy-DL
	for bug-gnu-emacs@gnu.org; Tue, 17 Apr 2012 17:15:05 -0400
Received: from [147.231.18.30] (port=47526 helo=regnitz)
	by fencepost.gnu.org with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <rwinkler@niu.edu>) id 1SKFjs-0000g0-HE
	for bug-gnu-emacs@gnu.org; Tue, 17 Apr 2012 17:15:04 -0400
Date: Tue, 17 Apr 2012 16:14:59 -0500
Message-Id: <874nsi12ng.fsf@niu.edu>
From: "Roland Winkler" <winkler@gnu.org>
To: bug-gnu-emacs@gnu.org
Subject: 24.0.95;
	gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by
	the server is not acceptable (not long enough).
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3)
X-Received-From: 208.118.235.17
X-Spam-Score: -6.1 (------)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces@debbugs.gnu.org
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
X-Spam-Score: -6.1 (------)

Today I switched for the first time to a new SMTP server I'll have
to use in the future.  It gives me the error messages

gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
gnutls.el: (err=[-63] The Diffie-Hellman prime sent by the server is not acceptable (not long enough).) boot: (:priority NORMAL :hostname foo.bar.com :loglevel 0 :min-prime-bits nil :trustfiles (/etc/ssl/certs/ca-certificates.crt) :crlfiles nil :keylist nil :verify-flags nil :verify-error nil :verify-hostname-error nil :callbacks nil)

Despite these error messages, Emacs is sending the mails I want to
send. In that sense, I cannot tell how relevant these error messages are.
For a nonexpert like myself, they are certainly irritating.


In GNU Emacs 24.0.95.1 (x86_64-unknown-linux-gnu, GTK+ Version 2.20.1)
 of 2012-04-04 on regnitz
Windowing system distributor `The X.Org Foundation', version 11.0.10706000

Important settings:
  value of $LC_ALL: nil
  value of $LC_COLLATE: C
  value of $LC_CTYPE: nil
  value of $LC_MESSAGES: nil
  value of $LC_MONETARY: nil
  value of $LC_NUMERIC: nil
  value of $LC_TIME: en_GB.utf8
  value of $LANG: en_US.ISO-8859-15
  value of $XMODIFIERS: nil
  locale-coding-system: iso-latin-9-unix
  default enable-multibyte-characters: t




From debbugs-submit-bounces@debbugs.gnu.org Wed Apr 18 12:48:36 2012
Received: (at 11267) by debbugs.gnu.org; 18 Apr 2012 16:48:36 +0000
Received: from localhost ([127.0.0.1]:40089 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1SKY3T-0008Bw-Bp
	for submit@debbugs.gnu.org; Wed, 18 Apr 2012 12:48:35 -0400
Received: from fencepost.gnu.org ([208.118.235.10]:51662 ident=Debian-exim)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <rgm@gnu.org>) id 1SKY3O-0008Bm-1Q
	for 11267@debbugs.gnu.org; Wed, 18 Apr 2012 12:48:30 -0400
Received: from rgm by fencepost.gnu.org with local (Exim 4.71)
	(envelope-from <rgm@gnu.org>)
	id 1SKY37-0003QS-8t; Wed, 18 Apr 2012 12:48:09 -0400
From: Glenn Morris <rgm@gnu.org>
To: "Roland Winkler" <winkler@gnu.org>
Subject: Re: bug#11267: 24.0.95;
	gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by
	the server is not acceptable (not long enough).
References: <874nsi12ng.fsf@niu.edu>
X-Spook: DRM genetic IMF NSA New World Order Uzbekistan InfoSec
X-Ran: 1N$<;NR[7x0g^]P?)TnK<;ug)FUzH47Y?M~8r+IvTjK@@j&wSR>n={l80LiM?a^i~e'ON*
X-Hue: black
X-Attribution: GM
Date: Wed, 18 Apr 2012 12:48:09 -0400
In-Reply-To: <874nsi12ng.fsf@niu.edu> (Roland Winkler's message of "Tue, 17
	Apr 2012 16:14:59 -0500")
Message-ID: <6mwr5d6l6e.fsf@fencepost.gnu.org>
User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Score: -6.9 (------)
X-Debbugs-Envelope-To: 11267
Cc: 11267@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces@debbugs.gnu.org
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
X-Spam-Score: -6.9 (------)

"Roland Winkler" wrote:

> gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
> gnutls.el: (err=[-63] The Diffie-Hellman prime sent by the server is not acceptable (not long enough).) boot: (:priority NORMAL :hostname foo.bar.com :loglevel 0 :min-prime-bits nil :trustfiles (/etc/ssl/certs/ca-certificates.crt) :crlfiles nil :keylist nil :verify-flags nil :verify-error nil :verify-hostname-error nil :callbacks nil)
>
> Despite these error messages, Emacs is sending the mails I want to
> send. In that sense, I cannot tell how relevant these error messages are.

Me neither. I think it means it is falling back to a non-encrypted
connection. You can try setting gnutls-min-prime-bits.

If that is so, the error message should probably say something along
those lines.




From debbugs-submit-bounces@debbugs.gnu.org Thu Apr 19 07:04:40 2012
Received: (at 11267) by debbugs.gnu.org; 19 Apr 2012 11:04:40 +0000
Received: from localhost ([127.0.0.1]:40954 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1SKpAF-0003Ff-K6
	for submit@debbugs.gnu.org; Thu, 19 Apr 2012 07:04:40 -0400
Received: from fencepost.gnu.org ([208.118.235.10]:50374 ident=Debian-exim)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <winkler@gnu.org>) id 1SKpAD-0003FW-1y
	for 11267@debbugs.gnu.org; Thu, 19 Apr 2012 07:04:37 -0400
Received: from dhcp096221.uni-regensburg.de ([132.199.96.221]:55271
	helo=regnitz)
	by fencepost.gnu.org with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <winkler@gnu.org>)
	id 1SKp9s-0001Sx-O2; Thu, 19 Apr 2012 07:04:17 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <20367.61741.640831.184941@gargle.gargle.HOWL>
Date: Thu, 19 Apr 2012 06:04:13 -0500
From: "Roland Winkler" <winkler@gnu.org>
To: Glenn Morris <rgm@gnu.org>
Subject: Re: bug#11267: 24.0.95;
	gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by
	the server is not acceptable (not long enough).
In-Reply-To: <6mwr5d6l6e.fsf@fencepost.gnu.org>
References: <874nsi12ng.fsf@niu.edu>
	<6mwr5d6l6e.fsf@fencepost.gnu.org>
X-Mailer: VM 8.2 trial under 24.0.95.1 (x86_64-unknown-linux-gnu)
X-Spam-Score: -6.9 (------)
X-Debbugs-Envelope-To: 11267
Cc: 11267@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces@debbugs.gnu.org
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
X-Spam-Score: -6.9 (------)

On Wed Apr 18 2012 Glenn Morris wrote:
> > Despite these error messages, Emacs is sending the mails I want to
> > send. In that sense, I cannot tell how relevant these error messages are.
> 
> Me neither. I think it means it is falling back to a non-encrypted
> connection. You can try setting gnutls-min-prime-bits.
> 
> If that is so, the error message should probably say something along
> those lines.

You are right. The "fatal error" disappears if I set
gnutls-min-prime-bits to 256. Yet this choice was just a guess based
on the custom declaration of this variable that suggests a value of
512.

I would appreciate if someone more knowledgable could review the
error messages that I have seen such that they become more helpful
for a nonexpert. Also it would be great if the docstring of
gnutls-min-prime-bits was more precise.

- What is the default value used for min-prime-bits if
  gnutls-min-prime-bits is nil?

- What are reasonable values for this variable such that a safe
  client-server handshake remains possible, if one needs to customize
  this variable? (Or the other way round: if a server wants to use a
  prime that is too small, it might really be the better solution to
  contact its sysadmin. Yet I couldn't tell when a prime falls below
  such a threshold.)

Thanks,

Roland




From debbugs-submit-bounces@debbugs.gnu.org Thu Apr 19 12:19:57 2012
Received: (at 11267) by debbugs.gnu.org; 19 Apr 2012 16:19:58 +0000
Received: from localhost ([127.0.0.1]:42029 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1SKu5N-0003N0-L5
	for submit@debbugs.gnu.org; Thu, 19 Apr 2012 12:19:57 -0400
Received: from fencepost.gnu.org ([208.118.235.10]:58832 ident=Debian-exim)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <rgm@gnu.org>) id 1SKu5M-0003Ms-AM
	for 11267@debbugs.gnu.org; Thu, 19 Apr 2012 12:19:56 -0400
Received: from rgm by fencepost.gnu.org with local (Exim 4.71)
	(envelope-from <rgm@gnu.org>)
	id 1SKu4z-0006UE-WF; Thu, 19 Apr 2012 12:19:34 -0400
From: Glenn Morris <rgm@gnu.org>
To: "Roland Winkler" <winkler@gnu.org>
Subject: Re: bug#11267: 24.0.95;
	gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by
	the server is not acceptable (not long enough).
References: <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
	<20367.61741.640831.184941@gargle.gargle.HOWL>
X-Spook: global 22nd SAS warfare encryption morse Axis of Evil
X-Ran: v=zbgDtY=`S'7j^t8MwMOOrC?J{]BbWWj#6CB+{FR/Ab7d}]BK1?ahvy!xu&"z(h:#$}jD
X-Hue: green
X-Debbugs-No-Ack: yes
X-Attribution: GM
Date: Thu, 19 Apr 2012 12:19:33 -0400
In-Reply-To: <20367.61741.640831.184941@gargle.gargle.HOWL> (Roland Winkler's
	message of "Thu, 19 Apr 2012 06:04:13 -0500")
Message-ID: <jffwbzsnhm.fsf@fencepost.gnu.org>
User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Score: -6.9 (------)
X-Debbugs-Envelope-To: 11267
Cc: 11267@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces@debbugs.gnu.org
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
X-Spam-Score: -6.9 (------)

"Roland Winkler" wrote:

> - What are reasonable values for this variable such that a safe
>   client-server handshake remains possible, if one needs to customize
>   this variable? (Or the other way round: if a server wants to use a
>   prime that is too small, it might really be the better solution to
>   contact its sysadmin. Yet I couldn't tell when a prime falls below
>   such a threshold.)

I also wonder how it can be safer to fall back to no encryption at all,
rather than using weak encryption (if that is indeed what is happening).
Maybe it's to prevent a false sense of security, or something.




From debbugs-submit-bounces@debbugs.gnu.org Thu Apr 19 12:26:52 2012
Received: (at 11267) by debbugs.gnu.org; 19 Apr 2012 16:26:52 +0000
Received: from localhost ([127.0.0.1]:42038 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1SKuBz-0003XN-FJ
	for submit@debbugs.gnu.org; Thu, 19 Apr 2012 12:26:51 -0400
Received: from hermes.netfonds.no ([80.91.224.195]:47224)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <larsi@gnus.org>) id 1SKuBt-0003XC-Hn
	for 11267@debbugs.gnu.org; Thu, 19 Apr 2012 12:26:46 -0400
Received: from cm-84.215.51.58.getinternet.no ([84.215.51.58]
	helo=stories.gnus.org)
	by hermes.netfonds.no with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
	(Exim 4.72) (envelope-from <larsi@gnus.org>)
	id 1SKuBL-0007Md-FO; Thu, 19 Apr 2012 18:26:07 +0200
From: Lars Magne Ingebrigtsen <larsi@gnus.org>
To: Glenn Morris <rgm@gnu.org>
Subject: Re: bug#11267: 24.0.95;
	gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by
	the server is not acceptable (not long enough).
References: <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
	<20367.61741.640831.184941@gargle.gargle.HOWL>
	<jffwbzsnhm.fsf@fencepost.gnu.org>
Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwBAMAAAClLOS0AAAAGFBMVEWWj5yopa+Ef4UmJSHh
	5N+9usHJzclZW1u3/KEkAAACYElEQVQ4jW2TMXPbMAyFISU5raIaxatL1ebqBJdqbk7ibOUO8trk
	KM022YR/vyBNub2cES/BZ+ABDzRI5a8GAMgrwUCurwGpQHCUXAe5lPxJ9cpDdy30PMH8JSbiGISA
	mupB/B+hb55LWP7NLtmzDGQJxBRc8peKGLCM9xWIUlwIg5qEML0Qvy7SZ1AT1dSbkfohjHnWClOF
	uakn03e66+sA8uAS78ExMtC9NpooElgAcU7rTmtutuxBNLEL3Cb+BTfyuAxQimTUNFTOAqxjxSBo
	Hmczd0ZPZi6wzdcsw2DlN5zrZmOMNl2DCDYCKvCoOcmAT2FusGWF2KpyO82pmfOmM5V3R8nyXFG5
	Z25h5jlg01iHqdXKPXMyANYYsPX4VOZhwRV+jLM+X5a+ISpsq9BqUFhzykQ28VCe5+KKoTy5Yxfa
	d6GEASYgb5v2XkfE4BBBMLFSt7hbRRBa7V0AbEldHKy301IxCZcqSB5a792W14s2bhy2DUoHQjYB
	fMzngafviNsGXQsEvvWt+pOGmlbrux7R8s0DsMVHerr0up1/4xNrDKV1vnE/E6iKY944bg4iZ+BU
	qpga75F/aLwiVaCsU59n8HZePOxOBLlFlVq98YCtdwsocKmY7MOwR3xiDaI7UTm1SeKb8YGNtzac
	dvsC3tXx+xNthtK5BO5eVKvG9K42fJ3GWc8LlvCufBFfHD/JU1kwCOJin5XqKEUAfM1TeYNxZBCv
	Wa5OVtZjeJJiB2kTEA/7Sn16n/GrEH79+A/cv1cqa/1JrEXhj4+K7Yga2Y+XvazY4FXwyO8WS/4C
	UooQncimkZIAAAAASUVORK5CYII=
X-Now-Playing: Cabaret Voltaire's _Radiation_: "I Want You"
Date: Thu, 19 Apr 2012 18:26:06 +0200
In-Reply-To: <jffwbzsnhm.fsf@fencepost.gnu.org> (Glenn Morris's message of
	"Thu, 19 Apr 2012 12:19:33 -0400")
Message-ID: <m3vckv663l.fsf@stories.gnus.org>
User-Agent: Gnus/5.130004 (Ma Gnus v0.4) Emacs/24.1.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-MailScanner-ID: 1SKuBL-0007Md-FO
X-Netfonds-MailScanner: Found to be clean
X-Netfonds-MailScanner-From: larsi@gnus.org
MailScanner-NULL-Check: 1335457567.73096@l+wttLMIBj8YQNhAoCN3uQ
X-Spam-Status: No
X-Spam-Score: -1.9 (-)
X-Debbugs-Envelope-To: 11267
Cc: Roland Winkler <winkler@gnu.org>, 11267@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces@debbugs.gnu.org
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
X-Spam-Score: -1.9 (-)

Glenn Morris <rgm@gnu.org> writes:

> I also wonder how it can be safer to fall back to no encryption at all,
> rather than using weak encryption (if that is indeed what is happening).
> Maybe it's to prevent a false sense of security, or something.

Are you sure that it's falling back to no encryption?  If it really does
that, then that's pretty crappy behaviour, in my opinion.

-- 
(domestic pets only, the antidote for overdose, milk.)
  bloggy blog http://lars.ingebrigtsen.no/




From debbugs-submit-bounces@debbugs.gnu.org Thu Apr 19 12:32:11 2012
Received: (at 11267) by debbugs.gnu.org; 19 Apr 2012 16:32:11 +0000
Received: from localhost ([127.0.0.1]:42047 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1SKuHC-0003gb-Pn
	for submit@debbugs.gnu.org; Thu, 19 Apr 2012 12:32:11 -0400
Received: from fencepost.gnu.org ([208.118.235.10]:59059 ident=Debian-exim)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <rgm@gnu.org>) id 1SKuHB-0003gV-KT
	for 11267@debbugs.gnu.org; Thu, 19 Apr 2012 12:32:10 -0400
Received: from rgm by fencepost.gnu.org with local (Exim 4.71)
	(envelope-from <rgm@gnu.org>)
	id 1SKuGp-00004s-Up; Thu, 19 Apr 2012 12:31:48 -0400
From: Glenn Morris <rgm@gnu.org>
To: Lars Magne Ingebrigtsen <larsi@gnus.org>
Subject: Re: bug#11267: 24.0.95;
	gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by
	the server is not acceptable (not long enough).
References: <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
	<20367.61741.640831.184941@gargle.gargle.HOWL>
	<jffwbzsnhm.fsf@fencepost.gnu.org> <m3vckv663l.fsf@stories.gnus.org>
X-Spook: ASIO assassination counter intelligence M-14 Lon Horiuchi
X-Ran: 06S}OHv$I\Hq5Mm_qI^'>$Y_)wq5Mhs9?-+-a\8?Wp$PgkbBf~a9=_3t85kk!1\d#4o)Db
X-Hue: magenta
X-Debbugs-No-Ack: yes
X-Attribution: GM
Date: Thu, 19 Apr 2012 12:31:47 -0400
In-Reply-To: <m3vckv663l.fsf@stories.gnus.org> (Lars Magne Ingebrigtsen's
	message of "Thu, 19 Apr 2012 18:26:06 +0200")
Message-ID: <fx7gxbsmx8.fsf@fencepost.gnu.org>
User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Score: -6.9 (------)
X-Debbugs-Envelope-To: 11267
Cc: Roland Winkler <winkler@gnu.org>, 11267@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces@debbugs.gnu.org
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
X-Spam-Score: -6.9 (------)

Lars Magne Ingebrigtsen wrote:

> Are you sure that it's falling back to no encryption? 

I'm not in the slightest bit sure! :)
A "fatal error" makes me think that's what happened.




From debbugs-submit-bounces@debbugs.gnu.org Thu Apr 19 12:42:17 2012
Received: (at 11267) by debbugs.gnu.org; 19 Apr 2012 16:42:18 +0000
Received: from localhost ([127.0.0.1]:42062 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1SKuQv-0003xH-LR
	for submit@debbugs.gnu.org; Thu, 19 Apr 2012 12:42:17 -0400
Received: from fencepost.gnu.org ([208.118.235.10]:59286 ident=Debian-exim)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <winkler@gnu.org>) id 1SKuQn-0003wy-7P
	for 11267@debbugs.gnu.org; Thu, 19 Apr 2012 12:42:09 -0400
Received: from dhcp096221.uni-regensburg.de ([132.199.96.221]:56412
	helo=regnitz)
	by fencepost.gnu.org with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <winkler@gnu.org>)
	id 1SKuQS-0000r8-7l; Thu, 19 Apr 2012 12:41:44 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <20368.16452.379860.520133@gargle.gargle.HOWL>
Date: Thu, 19 Apr 2012 11:41:40 -0500
From: "Roland Winkler" <winkler@gnu.org>
To: Lars Magne Ingebrigtsen <larsi@gnus.org>
Subject: Re: bug#11267: 24.0.95;
	gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by
	the server is not acceptable (not long enough).
In-Reply-To: <m3vckv663l.fsf@stories.gnus.org>
References: <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
	<20367.61741.640831.184941@gargle.gargle.HOWL>
	<jffwbzsnhm.fsf@fencepost.gnu.org>
	<m3vckv663l.fsf@stories.gnus.org>
X-Mailer: VM 8.2 trial under 24.0.95.1 (x86_64-unknown-linux-gnu)
X-Spam-Score: -6.9 (------)
X-Debbugs-Envelope-To: 11267
Cc: Glenn Morris <rgm@gnu.org>, 11267@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces@debbugs.gnu.org
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
X-Spam-Score: -6.9 (------)

On Thu Apr 19 2012 Lars Magne Ingebrigtsen wrote:
> Glenn Morris <rgm@gnu.org> writes:
> > I also wonder how it can be safer to fall back to no encryption at all,
> > rather than using weak encryption (if that is indeed what is happening).
> > Maybe it's to prevent a false sense of security, or something.
> 
> Are you sure that it's falling back to no encryption?  If it really does
> that, then that's pretty crappy behaviour, in my opinion.

If the error message was more verbose, say by mentioning the
fallback the code uses, this could help nonexpert users like us to
understand the situation.




From debbugs-submit-bounces@debbugs.gnu.org Fri Apr 20 04:12:09 2012
Received: (at control) by debbugs.gnu.org; 20 Apr 2012 08:12:09 +0000
Received: from localhost ([127.0.0.1]:43459 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1SL8wq-0005gd-UM
	for submit@debbugs.gnu.org; Fri, 20 Apr 2012 04:12:09 -0400
Received: from fencepost.gnu.org ([208.118.235.10]:50434 ident=Debian-exim)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <cyd@gnu.org>) id 1SL8wp-0005gU-Rg
	for control@debbugs.gnu.org; Fri, 20 Apr 2012 04:12:08 -0400
Received: from [155.69.18.143] (port=50514 helo=ulysses)
	by fencepost.gnu.org with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <cyd@gnu.org>) id 1SL8wR-0002IQ-5O
	for control@debbugs.gnu.org; Fri, 20 Apr 2012 04:11:43 -0400
From: Chong Yidong <cyd@gnu.org>
To: control@debbugs.gnu.org
Subject: severity 11267 important
Date: Fri, 20 Apr 2012 16:11:37 +0800
Message-ID: <87y5pq4ybq.fsf@gnu.org>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -6.9 (------)
X-Debbugs-Envelope-To: control
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces@debbugs.gnu.org
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
X-Spam-Score: -6.9 (------)

severity 11267 important
thanks




From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 24 08:46:43 2012
Received: (at 11267) by debbugs.gnu.org; 24 Apr 2012 12:46:43 +0000
Received: from localhost ([127.0.0.1]:50289 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1SMf8j-0004hM-So
	for submit@debbugs.gnu.org; Tue, 24 Apr 2012 08:46:42 -0400
Received: from z.lifelogs.com ([173.255.230.239]:45004)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <tzz@lifelogs.com>) id 1SMf8h-0004hF-6a
	for 11267@debbugs.gnu.org; Tue, 24 Apr 2012 08:46:40 -0400
Received: from heechee (c-76-28-40-19.hsd1.vt.comcast.net [76.28.40.19])
	(using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits))
	(No client certificate requested) (Authenticated sender: tzz)
	by z.lifelogs.com (Postfix) with ESMTPSA id 0152662738;
	Tue, 24 Apr 2012 12:45:49 +0000 (UTC)
From: Ted Zlatanov <tzz@lifelogs.com>
To: "Roland Winkler" <winkler@gnu.org>
Subject: Re: bug#11267: 24.0.95;
	gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by
	the server is not acceptable (not long enough).
Organization: =?utf-8?B?0KLQtdC+0LTQvtGAINCX0LvQsNGC0LDQvdC+0LI=?= @ Cienfuegos
References: <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
	<20367.61741.640831.184941@gargle.gargle.HOWL>
	<jffwbzsnhm.fsf@fencepost.gnu.org> <m3vckv663l.fsf@stories.gnus.org>
	<20368.16452.379860.520133@gargle.gargle.HOWL>
X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6;
	d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT=
	D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx"
Mail-Copies-To: never
Gmane-Reply-To-List: yes
Date: Tue, 24 Apr 2012 08:45:48 -0400
In-Reply-To: <20368.16452.379860.520133@gargle.gargle.HOWL> (Roland Winkler's
	message of "Thu, 19 Apr 2012 11:41:40 -0500")
Message-ID: <87k4152t8j.fsf@lifelogs.com>
User-Agent: Gnus/5.130004 (Ma Gnus v0.4) Emacs/24.1.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -1.9 (-)
X-Debbugs-Envelope-To: 11267
Cc: Lars Magne Ingebrigtsen <larsi@gnus.org>, 11267@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces@debbugs.gnu.org
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
X-Spam-Score: -1.9 (-)

On Thu, 19 Apr 2012 11:41:40 -0500 "Roland Winkler" <winkler@gnu.org> wrote: 

RW> On Thu Apr 19 2012 Lars Magne Ingebrigtsen wrote:
>> Glenn Morris <rgm@gnu.org> writes:
>> > I also wonder how it can be safer to fall back to no encryption at all,
>> > rather than using weak encryption (if that is indeed what is happening).
>> > Maybe it's to prevent a false sense of security, or something.
>> 
>> Are you sure that it's falling back to no encryption?  If it really does
>> that, then that's pretty crappy behaviour, in my opinion.

RW> If the error message was more verbose, say by mentioning the
RW> fallback the code uses, this could help nonexpert users like us to
RW> understand the situation.

The error is coming straight from GnuTLS.  We can probably add a
Emacs-specific clarification to it, mentioning `gnutls-min-prime-bits'.
Would that be more helpful?  Or should I add a FAQ section to
emacs-gnutls.texi?

Usually this means the server should increase the size of the prime,
e.g. here are similar reports for msmtp and Sendmail:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=461802
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440344

Dropping down to fewer bits in the DH prime is AFAIK not a serious
concern: you're not exposing your communications, only making the
exchange of the secret key slightly less secure.  So you're slightly
more vulnerable to a man-in-the-middle attack, but the connection itself
will be encrypted.  You can only turn off encryption by changing the
priority string.

ted




From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 24 16:05:59 2012
Received: (at 11267) by debbugs.gnu.org; 24 Apr 2012 20:05:59 +0000
Received: from localhost ([127.0.0.1]:51140 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1SMlzo-0006Za-7B
	for submit@debbugs.gnu.org; Tue, 24 Apr 2012 16:05:58 -0400
Received: from fencepost.gnu.org ([208.118.235.10]:35170 ident=Debian-exim)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <winkler@gnu.org>) id 1SMlzl-0006ZT-BN
	for 11267@debbugs.gnu.org; Tue, 24 Apr 2012 16:05:54 -0400
Received: from pd956c1ea.dip0.t-ipconnect.de ([217.86.193.234]:33543
	helo=regnitz)
	by fencepost.gnu.org with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <winkler@gnu.org>)
	id 1SMlyw-0002ca-Ac; Tue, 24 Apr 2012 16:05:02 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <20375.1898.39520.582160@gargle.gargle.HOWL>
Date: Tue, 24 Apr 2012 15:04:58 -0500
From: "Roland Winkler" <winkler@gnu.org>
To: Ted Zlatanov <tzz@lifelogs.com>
Subject: Re: bug#11267: 24.0.95;
	gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by
	the server is not acceptable (not long enough).
In-Reply-To: <87k4152t8j.fsf@lifelogs.com>
References: <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
	<20367.61741.640831.184941@gargle.gargle.HOWL>
	<jffwbzsnhm.fsf@fencepost.gnu.org>
	<m3vckv663l.fsf@stories.gnus.org>
	<20368.16452.379860.520133@gargle.gargle.HOWL>
	<87k4152t8j.fsf@lifelogs.com>
X-Mailer: VM 8.2 trial under 24.0.95.1 (x86_64-unknown-linux-gnu)
X-Spam-Score: -6.9 (------)
X-Debbugs-Envelope-To: 11267
Cc: Lars Magne Ingebrigtsen <larsi@gnus.org>, 11267@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces@debbugs.gnu.org
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
X-Spam-Score: -6.9 (------)

On Tue Apr 24 2012 Ted Zlatanov wrote:
> The error is coming straight from GnuTLS.  We can probably add a
> Emacs-specific clarification to it, mentioning `gnutls-min-prime-bits'.
> Would that be more helpful?  Or should I add a FAQ section to
> emacs-gnutls.texi?

In my opinion (a user who does not know much about the internals of
gnutls) mentioning `gnutls-min-prime-bits' by itself does not solve
the problem because I find that the doc string of this variable is
useful only for experts (see below).

Kind of related: "fatal error" sounds rather frightening, in
particular if one can only speculate how emacs worked around this
error. This could be clarified.

> Dropping down to fewer bits in the DH prime is AFAIK not a serious
> concern: you're not exposing your communications, only making the
> exchange of the secret key slightly less secure.  So you're slightly
> more vulnerable to a man-in-the-middle attack, but the connection itself
> will be encrypted.  You can only turn off encryption by changing the
> priority string.

If these details would be explained in the doc string of
`gnutls-min-prime-bits' and / or emacs-gnutls.texi would be helpful.

Also, it would be good (though I don't know whether a generic answer
is possible) to give some guidance on "reasonable" values for
`gnutls-min-prime-bits' as compared to cases where it would be
better to contact the sysadmin of the server requesting a change in
the setup of the server.

Roland




From debbugs-submit-bounces@debbugs.gnu.org Sun May 13 15:04:53 2012
Received: (at 11267) by debbugs.gnu.org; 13 May 2012 19:04:53 +0000
Received: from localhost ([127.0.0.1]:51731 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1STe68-0003rg-Qy
	for submit@debbugs.gnu.org; Sun, 13 May 2012 15:04:53 -0400
Received: from hermes.netfonds.no ([80.91.224.195]:45786)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <larsi@gnus.org>) id 1STe66-0003rY-Gg
	for 11267@debbugs.gnu.org; Sun, 13 May 2012 15:04:51 -0400
Received: from cm-84.215.51.58.getinternet.no ([84.215.51.58]
	helo=stories.gnus.org)
	by hermes.netfonds.no with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
	(Exim 4.72) (envelope-from <larsi@gnus.org>)
	id 1STe5q-0000VV-MH; Sun, 13 May 2012 21:04:34 +0200
From: Lars Magne Ingebrigtsen <larsi@gnus.org>
To: "Roland Winkler" <winkler@gnu.org>
Subject: Re: bug#11267: 24.0.95;
	gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by
	the server is not acceptable (not long enough).
References: <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
	<20367.61741.640831.184941@gargle.gargle.HOWL>
	<jffwbzsnhm.fsf@fencepost.gnu.org> <m3vckv663l.fsf@stories.gnus.org>
	<20368.16452.379860.520133@gargle.gargle.HOWL>
	<87k4152t8j.fsf@lifelogs.com>
	<20375.1898.39520.582160@gargle.gargle.HOWL>
Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwBAMAAAClLOS0AAAAMFBMVEUzIR7r33mNQ3OTdk11
	p3v4+PDi2orVxFJ3XFL////+//5cU1VHDBxwNTDk5N3W1LvhHu9UAAAA3UlEQVQ4jWPYF/cOG4hj
	4JuJHTDw45SY9e/dv5VYJPhmvXs1C5sOvpmrsKgH6/j3D+iKSCwS/9+/xG4UGKAaN2vmSiz+mPo9
	ZeNmJSwS85Sr2XkvYZFYh0uCdB2kS2DaMQuLjikdCNCPLDHv/f8zMHAe1aj5DDDAjyZhbHsXAq6h
	Sswrh4EyYiVcYMCfdhJKMKCP5o+7MHCfWIndMLCfSAmE5RAAl5gKzkgP4QGDFrUTcUlMN4YBNInJ
	0MjivYAmMRsej0gSs4BZYf5/MACGGO7sPDgl9mErlJ7GvQMATTRmgWi/OPMAAAAASUVORK5CYII=
X-Now-Playing: Pet Shop Boys's _Format (1)_: "Hit and miss"
Date: Sun, 13 May 2012 21:04:24 +0200
In-Reply-To: <20375.1898.39520.582160@gargle.gargle.HOWL> (Roland Winkler's
	message of "Tue, 24 Apr 2012 15:04:58 -0500")
Message-ID: <m3mx5bhphj.fsf@stories.gnus.org>
User-Agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.1.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-MailScanner-ID: 1STe5q-0000VV-MH
X-Netfonds-MailScanner: Found to be clean
X-Netfonds-MailScanner-From: larsi@gnus.org
MailScanner-NULL-Check: 1337540674.88193@5LjVpbeQYAwdsBU6dLJi9g
X-Spam-Status: No
X-Spam-Score: -1.9 (-)
X-Debbugs-Envelope-To: 11267
Cc: Ted Zlatanov <tzz@lifelogs.com>, 11267@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces@debbugs.gnu.org
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
X-Spam-Score: -1.9 (-)

"Roland Winkler" <winkler@gnu.org> writes:

> Also, it would be good (though I don't know whether a generic answer
> is possible) to give some guidance on "reasonable" values for
> `gnutls-min-prime-bits' as compared to cases where it would be
> better to contact the sysadmin of the server requesting a change in
> the setup of the server.

Yeah.  And I think `gnutls-min-prime-bits' should default to whatever
that "reasonable" is, because there's apparently quite a few servers out
there that has less bits than whatever the GnuTLS default is.  Which
isn't a very good user experience.

-- 
(domestic pets only, the antidote for overdose, milk.)
  bloggy blog http://lars.ingebrigtsen.no/




From debbugs-submit-bounces@debbugs.gnu.org Tue May 15 04:25:11 2012
Received: (at 11267) by debbugs.gnu.org; 15 May 2012 08:25:11 +0000
Received: from localhost ([127.0.0.1]:55208 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1SUD46-00025z-To
	for submit@debbugs.gnu.org; Tue, 15 May 2012 04:25:11 -0400
Received: from z.lifelogs.com ([173.255.230.239]:56826)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <tzz@lifelogs.com>) id 1SUD41-00025X-3x
	for 11267@debbugs.gnu.org; Tue, 15 May 2012 04:25:05 -0400
Received: from heechee (c-76-28-40-19.hsd1.vt.comcast.net [76.28.40.19])
	(using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits))
	(No client certificate requested) (Authenticated sender: tzz)
	by z.lifelogs.com (Postfix) with ESMTPSA id 60B0362C9A;
	Tue, 15 May 2012 08:24:57 +0000 (UTC)
From: Ted Zlatanov <tzz@lifelogs.com>
To: Lars Magne Ingebrigtsen <larsi@gnus.org>
Subject: Re: bug#11267: 24.0.95;
	gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by
	the server is not acceptable (not long enough).
Organization: =?utf-8?B?0KLQtdC+0LTQvtGAINCX0LvQsNGC0LDQvdC+0LI=?= @ Cienfuegos
References: <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
	<20367.61741.640831.184941@gargle.gargle.HOWL>
	<jffwbzsnhm.fsf@fencepost.gnu.org> <m3vckv663l.fsf@stories.gnus.org>
	<20368.16452.379860.520133@gargle.gargle.HOWL>
	<87k4152t8j.fsf@lifelogs.com>
	<20375.1898.39520.582160@gargle.gargle.HOWL>
	<m3mx5bhphj.fsf@stories.gnus.org>
X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6;
	d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT=
	D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx"
Date: Tue, 15 May 2012 04:24:56 -0400
In-Reply-To: <m3mx5bhphj.fsf@stories.gnus.org> (Lars Magne Ingebrigtsen's
	message of "Sun, 13 May 2012 21:04:24 +0200")
Message-ID: <87aa19g8br.fsf@lifelogs.com>
User-Agent: Gnus/5.130004 (Ma Gnus v0.4) Emacs/24.1.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -1.9 (-)
X-Debbugs-Envelope-To: 11267
Cc: Roland Winkler <winkler@gnu.org>, 11267@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces@debbugs.gnu.org
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
X-Spam-Score: -1.9 (-)

On Sun, 13 May 2012 21:04:24 +0200 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote: 

LMI> "Roland Winkler" <winkler@gnu.org> writes:
>> Also, it would be good (though I don't know whether a generic answer
>> is possible) to give some guidance on "reasonable" values for
>> `gnutls-min-prime-bits' as compared to cases where it would be
>> better to contact the sysadmin of the server requesting a change in
>> the setup of the server.

LMI> Yeah.  And I think `gnutls-min-prime-bits' should default to whatever
LMI> that "reasonable" is, because there's apparently quite a few servers out
LMI> there that has less bits than whatever the GnuTLS default is.  Which
LMI> isn't a very good user experience.

I'm OK with lowering it to 256.

Ted




From debbugs-submit-bounces@debbugs.gnu.org Tue May 15 11:16:41 2012
Received: (at 11267) by debbugs.gnu.org; 15 May 2012 15:16:41 +0000
Received: from localhost ([127.0.0.1]:56200 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1SUJUO-0005bT-Ty
	for submit@debbugs.gnu.org; Tue, 15 May 2012 11:16:41 -0400
Received: from fencepost.gnu.org ([208.118.235.10]:56837 ident=Debian-exim)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <cyd@gnu.org>) id 1SUJUM-0005bL-9r
	for 11267@debbugs.gnu.org; Tue, 15 May 2012 11:16:39 -0400
Received: from cm162.gamma80.maxonline.com.sg ([202.156.80.162]:47608
	helo=ulysses)
	by fencepost.gnu.org with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <cyd@gnu.org>)
	id 1SUJUC-0000Zp-GO; Tue, 15 May 2012 11:16:29 -0400
From: Chong Yidong <cyd@gnu.org>
To: Ted Zlatanov <tzz@lifelogs.com>
Subject: Re: bug#11267: 24.0.95;
	gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by
	the server is not acceptable (not long enough).
References: <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
	<20367.61741.640831.184941@gargle.gargle.HOWL>
	<jffwbzsnhm.fsf@fencepost.gnu.org> <m3vckv663l.fsf@stories.gnus.org>
	<20368.16452.379860.520133@gargle.gargle.HOWL>
	<87k4152t8j.fsf@lifelogs.com>
	<20375.1898.39520.582160@gargle.gargle.HOWL>
	<m3mx5bhphj.fsf@stories.gnus.org> <87aa19g8br.fsf@lifelogs.com>
Date: Tue, 15 May 2012 23:16:20 +0800
In-Reply-To: <87aa19g8br.fsf@lifelogs.com> (Ted Zlatanov's message of "Tue, 15
	May 2012 04:24:56 -0400")
Message-ID: <87obpp79vf.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.0.96 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -6.9 (------)
X-Debbugs-Envelope-To: 11267
Cc: Lars Magne Ingebrigtsen <larsi@gnus.org>, Roland Winkler <winkler@gnu.org>,
	11267@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces@debbugs.gnu.org
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
X-Spam-Score: -6.9 (------)

Ted Zlatanov <tzz@lifelogs.com> writes:

> LMI> Yeah.  And I think `gnutls-min-prime-bits' should default to whatever
> LMI> that "reasonable" is, because there's apparently quite a few servers out
> LMI> there that has less bits than whatever the GnuTLS default is.  Which
> LMI> isn't a very good user experience.
>
> I'm OK with lowering it to 256.

Done.




From debbugs-submit-bounces@debbugs.gnu.org Thu Jan 03 13:27:21 2013
Received: (at control) by debbugs.gnu.org; 3 Jan 2013 18:27:21 +0000
Received: from localhost ([127.0.0.1]:41874 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1TqpVg-0001N7-Fl
	for submit@debbugs.gnu.org; Thu, 03 Jan 2013 13:27:20 -0500
Received: from fencepost.gnu.org ([208.118.235.10]:54984)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <rgm@gnu.org>) id 1TqpVf-0001N1-G1
	for control@debbugs.gnu.org; Thu, 03 Jan 2013 13:27:19 -0500
Received: from rgm by fencepost.gnu.org with local (Exim 4.71)
	(envelope-from <rgm@gnu.org>) id 1TqpVc-0003cc-Ny
	for control@debbugs.gnu.org; Thu, 03 Jan 2013 13:27:16 -0500
Date: Thu, 03 Jan 2013 13:27:16 -0500
Message-Id: <E1TqpVc-0003cc-Ny@fencepost.gnu.org>
Subject: control message for bug 11267
To: <control@debbugs.gnu.org>
X-Mailer: mail (GNU Mailutils 2.1)
From: Glenn Morris <rgm@gnu.org>
X-Spam-Score: -4.2 (----)
X-Debbugs-Envelope-To: control
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces@debbugs.gnu.org
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
X-Spam-Score: -4.2 (----)

severity 11267 normal




From debbugs-submit-bounces@debbugs.gnu.org Sat Feb 01 04:02:22 2014
Received: (at control) by debbugs.gnu.org; 1 Feb 2014 09:02:22 +0000
Received: from localhost ([127.0.0.1]:43930 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1W9WT0-0003HI-JW
	for submit@debbugs.gnu.org; Sat, 01 Feb 2014 04:02:22 -0500
Received: from hermes.netfonds.no ([80.91.224.195]:59607)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <larsi@gnus.org>) id 1W9WSy-0003HA-EM
 for control@debbugs.gnu.org; Sat, 01 Feb 2014 04:02:21 -0500
Received: from [204.14.154.233] (helo=building.gnus.org)
 by hermes.netfonds.no with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.72) (envelope-from <larsi@gnus.org>) id 1W9WSk-0003Ga-70
 for control@debbugs.gnu.org; Sat, 01 Feb 2014 10:02:06 +0100
Date: Sat, 01 Feb 2014 01:01:14 -0800
Message-Id: <87zjmbky05.fsf@building.gnus.org>
To: control@debbugs.gnu.org
From: Lars Ingebrigtsen <larsi@gnus.org>
Subject: control message for bug #11267
X-MailScanner-ID: 1W9WSk-0003Ga-70
X-Netfonds-MailScanner: Found to be clean
X-Netfonds-MailScanner-From: larsi@gnus.org
MailScanner-NULL-Check: 1391850127.1866@tSEpB6rb7Ukh6AHjLEjAeg
X-Spam-Status: No
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: control
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 0.0 (/)

close 11267 24.4




From debbugs-submit-bounces@debbugs.gnu.org Sun Feb 09 21:39:30 2014
Received: (at 11267) by debbugs.gnu.org; 10 Feb 2014 02:39:30 +0000
Received: from localhost ([127.0.0.1]:33020 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1WCgmM-0002lo-RU
	for submit@debbugs.gnu.org; Sun, 09 Feb 2014 21:39:30 -0500
Received: from mail-qa0-f54.google.com ([209.85.216.54]:33611)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <tzz@lifelogs.com>) id 1WCgmI-0002lV-Ai
 for 11267@debbugs.gnu.org; Sun, 09 Feb 2014 21:39:25 -0500
Received: by mail-qa0-f54.google.com with SMTP id i13so8791295qae.27
 for <11267@debbugs.gnu.org>; Sun, 09 Feb 2014 18:39:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lifelogs.com; s=google;
 h=from:to:cc:subject:organization:references:mail-copies-to
 :gmane-reply-to-list:date:in-reply-to:message-id:user-agent
 :mime-version:content-type;
 bh=guskNnvG7QbVxhUlCbBOpTPfT9PRYqzmedC8RBZ/PtY=;
 b=a8F5zT317lmkVqXh3Nex7fTsdWsMLyG44Gp2alJt8MeH3tK6wmtcbm00BcXCgGsGl0
 EAJCiUaC06nHsXvl0q+zoakQdqsgCbUnPeyEYICq9/Bli9LHVMHkIGIuPToujcls19uB
 Ou0iwIVvz5JZFkQAO2mBsx0KJzj2NIuQYsAGg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:from:to:cc:subject:organization:references
 :mail-copies-to:gmane-reply-to-list:date:in-reply-to:message-id
 :user-agent:mime-version:content-type;
 bh=guskNnvG7QbVxhUlCbBOpTPfT9PRYqzmedC8RBZ/PtY=;
 b=HyG9zyghT6SymQ7LksAVS5DwICpDIQPS2ui38UCdkQrOzo+BZuhFjCJV7USejqZ1O9
 PchTybPYceM7CIL4Wj9H843zaLOGc4Pntqf81MGfq20X342QOF391oOr9DSHbj69jjdH
 38aCLlYqlbcPO9k6rOUeG77Yin+05ebrBu6w/lyQ8JmrYmgQPqBOEL6oHTkHnc8fgHbd
 gxdqQt/YexLiB3+mjmDeXjjwx4EwCqoG9ArNONttllQopAHN71H+VlzdJo0EIJWJDJ7v
 I+cChVIK9eB5WOP9BIpk2VPSE2Xabp3sLchuRVPlZy3Ornj2TDCbmkTmL7qk/WdHijhR
 vrZQ==
X-Gm-Message-State: ALoCoQkU5bUrqZn+NLrdAj4493r3MPNEkCL88TGU+U3O3oDLkSyp3z3uQWF8paC+a+buCDo09mfc
X-Received: by 10.140.22.39 with SMTP id 36mr31802110qgm.59.1391999961913;
 Sun, 09 Feb 2014 18:39:21 -0800 (PST)
Received: from flea (c-98-229-61-72.hsd1.ma.comcast.net. [98.229.61.72])
 by mx.google.com with ESMTPSA id w9sm38570203qax.3.2014.02.09.18.39.20
 for <multiple recipients>
 (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
 Sun, 09 Feb 2014 18:39:20 -0800 (PST)
From: Ted Zlatanov <tzz@lifelogs.com>
To: n.mavrogiannopoulos@gmail.com, winkler@gnu.org
Subject: Re: bug#11267: 24.0.95;
 gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by
 the server is not acceptable (not long enough).
Organization: =?utf-8?B?0KLQtdC+0LTQvtGAINCX0LvQsNGC0LDQvdC+0LI=?= @ Cienfuegos
References: <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
 <20367.61741.640831.184941@gargle.gargle.HOWL>
 <jffwbzsnhm.fsf@fencepost.gnu.org> <m3vckv663l.fsf@stories.gnus.org>
 <20368.16452.379860.520133@gargle.gargle.HOWL>
 <87k4152t8j.fsf@lifelogs.com>
 <20375.1898.39520.582160@gargle.gargle.HOWL>
 <m3mx5bhphj.fsf@stories.gnus.org>
 <mailman.1129.1337070368.855.bug-gnu-emacs@gnu.org>
 <b8ed28f0-e25f-457f-b44f-b224b017197b@googlegroups.com>
X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6;
 d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT=
 D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx"
Mail-Copies-To: never
Gmane-Reply-To-List: yes
Date: Sun, 09 Feb 2014 21:39:28 -0500
In-Reply-To: <b8ed28f0-e25f-457f-b44f-b224b017197b@googlegroups.com>
 (n. mavrogiannopoulos's message of "Fri, 18 May 2012 04:38:01 -0700
 (PDT)")
Message-ID: <87ob2f8zdr.fsf@lifelogs.com>
User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 11267
Cc: 15057@debbugs.gnu.org, 16253@debbugs.gnu.org, 11267@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

On Fri, 18 May 2012 04:38:01 -0700 (PDT) n.mavrogiannopoulos@gmail.com wrote: 

nm> On Tuesday, May 15, 2012 10:24:56 AM UTC+2, Ted Zlatanov wrote:
>> On Sun, 13 May 2012 21:04:24 +0200 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote: 
>> 
LMI> "Roland Winkler" <winkler@gnu.org> writes:
>> >> Also, it would be good (though I don't know whether a generic answer
>> >> is possible) to give some guidance on "reasonable" values for
>> >> `gnutls-min-prime-bits' as compared to cases where it would be
>> >> better to contact the sysadmin of the server requesting a change in
>> >> the setup of the server.
>> 
LMI> Yeah.  And I think `gnutls-min-prime-bits' should default to whatever
LMI> that "reasonable" is, because there's apparently quite a few servers out
LMI> there that has less bits than whatever the GnuTLS default is.  Which
LMI> isn't a very good user experience.
>> 
>> I'm OK with lowering it to 256.

nm> Note that Diffie-Hellman group of 256-bits means that the communication can be
nm> decrypted by someone that stored the session. The default minimum
nm> accepted value in gnutls is already weak according to [0] (727 bits)
nm> but a good balance between security and compatibility. (other
nm> implementations like NSS have similar limits).

nm> If you need to support weaker servers you could warn your users of the consequences.

nm> [0]. http://www.keylength.com/en/3/

Hi Nikos,

We've continued the discussion in bug#15057 (about the min prime bits)
and bug#16253 (about the logging).  I've copied all three bug trackers
on this e-mail.  I hope that helps connect them for searches and when we
close them.

Roland, if you are satisfied with the direction taken in those bugs, we
can probably close this one.

Thanks
Ted




From debbugs-submit-bounces@debbugs.gnu.org Sun Feb 09 22:06:46 2014
Received: (at 11267) by debbugs.gnu.org; 10 Feb 2014 03:06:46 +0000
Received: from localhost ([127.0.0.1]:33088 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1WChCn-0004hj-NK
	for submit@debbugs.gnu.org; Sun, 09 Feb 2014 22:06:46 -0500
Received: from fencepost.gnu.org ([208.118.235.10]:35548)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <winkler@gnu.org>)
 id 1WChCk-0004hL-A4; Sun, 09 Feb 2014 22:06:42 -0500
Received: from 162-229-45-114.lightspeed.cicril.sbcglobal.net
 ([162.229.45.114]:53714 helo=regnitz)
 by fencepost.gnu.org with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <winkler@gnu.org>)
 id 1WChCj-0003So-Ak; Sun, 09 Feb 2014 22:06:41 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <21240.16957.410641.502622@gargle.gargle.HOWL>
Date: Sun, 9 Feb 2014 21:06:37 -0600
From: "Roland Winkler" <winkler@gnu.org>
To: Ted Zlatanov <tzz@lifelogs.com>
Subject: Re: bug#11267: 24.0.95;
 gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by
 the server is not acceptable (not long enough).
In-Reply-To: <87ob2f8zdr.fsf@lifelogs.com>
References: <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
 <20367.61741.640831.184941@gargle.gargle.HOWL>
 <jffwbzsnhm.fsf@fencepost.gnu.org>
 <m3vckv663l.fsf@stories.gnus.org>
 <20368.16452.379860.520133@gargle.gargle.HOWL>
 <87k4152t8j.fsf@lifelogs.com>
 <20375.1898.39520.582160@gargle.gargle.HOWL>
 <m3mx5bhphj.fsf@stories.gnus.org>
 <mailman.1129.1337070368.855.bug-gnu-emacs@gnu.org>
 <b8ed28f0-e25f-457f-b44f-b224b017197b@googlegroups.com>
 <87ob2f8zdr.fsf@lifelogs.com>
X-Mailer: VM 8.2 trial under 24.3.1 (x86_64-unknown-linux-gnu)
X-Spam-Score: -5.6 (-----)
X-Debbugs-Envelope-To: 11267
Cc: 15057@debbugs.gnu.org, 16253@debbugs.gnu.org, n.mavrogiannopoulos@gmail.com,
 11267@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -5.6 (-----)

On Sun Feb 9 2014 Ted Zlatanov wrote:
> Roland, if you are satisfied with the direction taken in those
> bugs, we can probably close this one.

I am still a bit confused concerning a "reasonable minimal value"
for gnutls-min-prime-bits.  Is 256 a value that I can feel
comfortable about?

Since this was made the default, I did not see again any error
messages.  But I cannot judge whether this means "all is OK".

Part of the problem is certainly that most users do not even know
that there is such a customizable user variable.  So one can only
hope that the default *is* reasonable.




From debbugs-submit-bounces@debbugs.gnu.org Mon Feb 10 03:31:40 2014
Received: (at 11267) by debbugs.gnu.org; 10 Feb 2014 08:31:40 +0000
Received: from localhost ([127.0.0.1]:39075 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1WCmHA-0001GC-KO
	for submit@debbugs.gnu.org; Mon, 10 Feb 2014 03:31:39 -0500
Received: from mail-qc0-f175.google.com ([209.85.216.175]:34505)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <n.mavrogiannopoulos@gmail.com>)
 id 1WCmDu-0000cD-Qg; Mon, 10 Feb 2014 03:28:16 -0500
Received: by mail-qc0-f175.google.com with SMTP id x13so10090595qcv.34
 for <multiple recipients>; Mon, 10 Feb 2014 00:28:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type;
 bh=mX1hM+/23+HWh1IO7PtQYC2toaOyoilG3lZe/ZOnmro=;
 b=nQ45SZDJuHPUGLqMZn6IWyg4bG9F2/dj3qM1DBmW9kqmksifZW7GscrP+7/JmQKiny
 c4l/mEh47v+DdJdJOwj0w2m0KzDribK96RYmCBOgyO7YbQLuuq470onXVcjEEZLDKF35
 sAgti9C/H1SvXMV9ZS2A+yYX75GxSoa/tVhroYRHAYLBGK8SNLaUOIXm3YhVLLLlr9vA
 2R4zyID0eP9TycFBeIbHCtZ9gTrQpMQsXl4y1T2B/vFHJAYqoOV7iSOcKm2ou5oO0EpX
 oK4hdwyeLlVDqe5P1BMYGcgfeLPqv77GCGAmbEVSLyEEczvhvQEp2gheZQqvoBTd0cU+
 zV+A==
MIME-Version: 1.0
X-Received: by 10.224.62.14 with SMTP id v14mr6679002qah.79.1392020889385;
 Mon, 10 Feb 2014 00:28:09 -0800 (PST)
Received: by 10.229.58.137 with HTTP; Mon, 10 Feb 2014 00:28:09 -0800 (PST)
In-Reply-To: <21240.16957.410641.502622@gargle.gargle.HOWL>
References: <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
 <20367.61741.640831.184941@gargle.gargle.HOWL>
 <jffwbzsnhm.fsf@fencepost.gnu.org>
 <m3vckv663l.fsf@stories.gnus.org>
 <20368.16452.379860.520133@gargle.gargle.HOWL>
 <87k4152t8j.fsf@lifelogs.com>
 <20375.1898.39520.582160@gargle.gargle.HOWL>
 <m3mx5bhphj.fsf@stories.gnus.org>
 <mailman.1129.1337070368.855.bug-gnu-emacs@gnu.org>
 <b8ed28f0-e25f-457f-b44f-b224b017197b@googlegroups.com>
 <87ob2f8zdr.fsf@lifelogs.com>
 <21240.16957.410641.502622@gargle.gargle.HOWL>
Date: Mon, 10 Feb 2014 09:28:09 +0100
Message-ID: <CAJU7za+18SPwc1zDF0nfpUbbkhFKKfDUoW+a27Wz051r4-ivqg@mail.gmail.com>
Subject: Re: bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The
 Diffie-Hellman prime sent by the server is not acceptable (not long enough).
From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
To: Roland Winkler <winkler@gnu.org>
Content-Type: text/plain; charset=ISO-8859-1
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 11267
X-Mailman-Approved-At: Mon, 10 Feb 2014 03:31:32 -0500
Cc: 15057@debbugs.gnu.org, Ted Zlatanov <tzz@lifelogs.com>,
 16253@debbugs.gnu.org, 11267@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

On Mon, Feb 10, 2014 at 4:06 AM, Roland Winkler <winkler@gnu.org> wrote:
> On Sun Feb 9 2014 Ted Zlatanov wrote:
>> Roland, if you are satisfied with the direction taken in those
>> bugs, we can probably close this one.
> I am still a bit confused concerning a "reasonable minimal value"
> for gnutls-min-prime-bits.  Is 256 a value that I can feel
> comfortable about?

No. 256-bit DH is a bit harder than rot13 as encryption. I'd suggest
not to set the minimum acceptable size and let gnutls decide instead.
For broken servers that use very small sizes, you could disable the
DHE ciphersuites as described in the previous mails.

regards,
Nikos




From debbugs-submit-bounces@debbugs.gnu.org Mon Feb 10 05:52:28 2014
Received: (at 11267) by debbugs.gnu.org; 10 Feb 2014 10:52:28 +0000
Received: from localhost ([127.0.0.1]:39194 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1WCoTT-0006mZ-VO
	for submit@debbugs.gnu.org; Mon, 10 Feb 2014 05:52:28 -0500
Received: from mail-qa0-f47.google.com ([209.85.216.47]:45644)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <tzz@lifelogs.com>) id 1WCoTN-0006lu-Na
 for 11267@debbugs.gnu.org; Mon, 10 Feb 2014 05:52:25 -0500
Received: by mail-qa0-f47.google.com with SMTP id j5so9089495qaq.6
 for <11267@debbugs.gnu.org>; Mon, 10 Feb 2014 02:52:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lifelogs.com; s=google;
 h=from:to:cc:subject:organization:references:mail-copies-to
 :gmane-reply-to-list:date:in-reply-to:message-id:user-agent
 :mime-version:content-type;
 bh=D8pTzJK38fxWd09M1Y8I9T/aHD98fh5Bh6eNV7qTQyI=;
 b=EijRegSnY/dRD3eWqFNWqmfjxXSTGtZR5js2aSAt558fhW2MgtJkDxZHVdnWD0UN4R
 tYRGWhMjQo/R6xc1Zk+a6zoD78KJ3Hu6bwbMEsO65ucpB3kod1cth7Q8cr9pc36/4U50
 Ox/vVuq+iIbAybX3PRo6JWhcDB2oRnIBIk0uA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:from:to:cc:subject:organization:references
 :mail-copies-to:gmane-reply-to-list:date:in-reply-to:message-id
 :user-agent:mime-version:content-type;
 bh=D8pTzJK38fxWd09M1Y8I9T/aHD98fh5Bh6eNV7qTQyI=;
 b=BnhNiWskhthCrBAfqqkHjV1PCaiWCgG876qcr4PbTaR12qZHSQELxSVqbUEm7YiRh9
 SLkKhZRLH/PkZ6Q6+K4coadhjtEIobRtwOgs+A/CJ2W8/dhKkWWLvdY34vPDBDQdT7Zk
 C2oyAQIS1lT4D8qA2a3jfxJPXE43pmjjJFNSxzOShkmTvPO8WOgz42BB4YGZdodbj+qW
 kSHgXUUnLhncCAwPFNWbKvZDuKVcNRQMl6TyDT39llfORM15mzFMpoJVpJOKrwE6zlrg
 R/EFikb0+MUUGAmuPHY1zMqSCc9fQ2XIdJ3sNL0VThx9Lj/xC3BlrEF5/gfiqgGXrXkJ
 12bQ==
X-Gm-Message-State: ALoCoQmzAk6tTMyRQ+ZBS179ANkVwb383mZQfDnJgXe4vZF1F4ri1hrcmuRoDQ9iAlFikBDmR0dy
X-Received: by 10.224.167.19 with SMTP id o19mr35269484qay.77.1392029536177;
 Mon, 10 Feb 2014 02:52:16 -0800 (PST)
Received: from flea (c-98-229-61-72.hsd1.ma.comcast.net. [98.229.61.72])
 by mx.google.com with ESMTPSA id 67sm23199898qgr.15.2014.02.10.02.52.15
 for <multiple recipients>
 (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
 Mon, 10 Feb 2014 02:52:15 -0800 (PST)
From: Ted Zlatanov <tzz@lifelogs.com>
To: Lars Ingebrigtsen <larsi@gnus.org>
Subject: Re: bug#15057: 24.3.50;
 TLS error with reasonably high gnutls-min-prime-bits, bug#11267:
 24.0.95;
 gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server
 is not acceptable (not long enough).
Organization: =?utf-8?B?0KLQtdC+0LTQvtGAINCX0LvQsNGC0LDQvdC+0LI=?= @ Cienfuegos
References: <87iozfl001.fsf@thinkpad.tsdh.org>
 <m3a9koouzh.fsf@stories.gnus.org> <87li24zpg1.fsf@flea.lifelogs.com>
 <87lhxx6kr0.fsf@building.gnus.org> <871tzbaf1n.fsf@lifelogs.com>
 <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
 <20367.61741.640831.184941@gargle.gargle.HOWL>
 <jffwbzsnhm.fsf@fencepost.gnu.org> <m3vckv663l.fsf@stories.gnus.org>
 <20368.16452.379860.520133@gargle.gargle.HOWL>
 <87k4152t8j.fsf@lifelogs.com>
 <20375.1898.39520.582160@gargle.gargle.HOWL>
 <m3mx5bhphj.fsf@stories.gnus.org>
 <mailman.1129.1337070368.855.bug-gnu-emacs@gnu.org>
 <b8ed28f0-e25f-457f-b44f-b224b017197b@googlegroups.com>
 <87ob2f8zdr.fsf@lifelogs.com>
 <21240.16957.410641.502622@gargle.gargle.HOWL>
 <87ppmvwu5h.fsf@building.gnus.org>
X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6;
 d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT=
 D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx"
Mail-Copies-To: never
Gmane-Reply-To-List: yes
Date: Mon, 10 Feb 2014 05:52:23 -0500
In-Reply-To: <87ppmvwu5h.fsf@building.gnus.org> (Lars Ingebrigtsen's message
 of "Sun, 09 Feb 2014 18:58:34 -0800, Mon, 10 Feb 2014 09:28:09 +0100")
Message-ID: <87d2iv8ck8.fsf@lifelogs.com>
User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 11267
Cc: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>,
 Roland Winkler <winkler@gnu.org>, 15057@debbugs.gnu.org, 16253@debbugs.gnu.org,
 11267@debbugs.gnu.org, Tassilo Horn <tsdh@gnu.org>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

On Mon, 10 Feb 2014 09:28:09 +0100 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> wrote: 

NM> On Mon, Feb 10, 2014 at 4:06 AM, Roland Winkler <winkler@gnu.org> wrote:

>> I am still a bit confused concerning a "reasonable minimal value"
>> for gnutls-min-prime-bits.  Is 256 a value that I can feel
>> comfortable about?

NM> No. 256-bit DH is a bit harder than rot13 as encryption. I'd suggest
NM> not to set the minimum acceptable size and let gnutls decide instead.
NM> For broken servers that use very small sizes, you could disable the
NM> DHE ciphersuites as described in the previous mails.

On Sun, 09 Feb 2014 18:58:34 -0800 Lars Ingebrigtsen <larsi@gnus.org> wrote: 

LI> Ted Zlatanov <tzz@lifelogs.com> writes:
>> See http://thread.gmane.org/gmane.network.gnutls.general/3181/focus=3299
>> 
>> Try, first of all, appending `!DHE-RSA:!DHE-DSS' to your GnuTLS priority
>> string to disable DHE.  ECDHE will not have the minimum bits message,
>> ever, IIUC.

LI> But aren't there lots of (or some) servers that only supports DHE and
LI> not ECDHE?

There's no way to know until you connect, that's the heart of the
problem.  So IIUC you'd have to either be potentially insecure all the
time (DHE enabled) or potentially fail connecting to some servers.

I think the latter is the better option as a default, as long as we make
it clear (not in a *GnuTLS log* buffer but with `message' so it shows up
in the echo region and in STDERR in batch mode) that

* the connection was rejected because the remote requires a lower level
of security

* how to try allowing the less-secure connection (perhaps a simple
command to automate this, or even a clickable button, would be nicer
than asking the user to `customize-variable').  The original discussion
sort of settled on magically reopening the connection with less security
but I think that might be a disservice to the users.

* why it's smarter to ask the server admin to upgrade their TLS
implementation

Fitting all of that in a short readable message might be a challenge,
hence the button suggestion, but that's not ideal either.

Ted




From debbugs-submit-bounces@debbugs.gnu.org Tue Feb 11 00:11:03 2014
Received: (at 11267) by debbugs.gnu.org; 11 Feb 2014 05:11:03 +0000
Received: from localhost ([127.0.0.1]:42335 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1WD5cd-0004rY-9N
	for submit@debbugs.gnu.org; Tue, 11 Feb 2014 00:11:03 -0500
Received: from hermes.netfonds.no ([80.91.224.195]:33876)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <larsi@gnus.org>)
 id 1WD5cX-0004qy-6i; Tue, 11 Feb 2014 00:11:01 -0500
Received: from [204.14.154.233] (helo=building.gnus.org)
 by hermes.netfonds.no with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.72) (envelope-from <larsi@gnus.org>)
 id 1WD5cH-0006E7-MJ; Tue, 11 Feb 2014 06:10:42 +0100
From: Lars Ingebrigtsen <larsi@gnus.org>
To: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: bug#15057: 24.3.50;
 TLS error with reasonably high gnutls-min-prime-bits, bug#11267:
 24.0.95;
 gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server
 is not acceptable (not long enough).
References: <87iozfl001.fsf@thinkpad.tsdh.org>
 <m3a9koouzh.fsf@stories.gnus.org> <87li24zpg1.fsf@flea.lifelogs.com>
 <87lhxx6kr0.fsf@building.gnus.org> <871tzbaf1n.fsf@lifelogs.com>
 <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
 <20367.61741.640831.184941@gargle.gargle.HOWL>
 <jffwbzsnhm.fsf@fencepost.gnu.org> <m3vckv663l.fsf@stories.gnus.org>
 <20368.16452.379860.520133@gargle.gargle.HOWL>
 <87k4152t8j.fsf@lifelogs.com>
 <20375.1898.39520.582160@gargle.gargle.HOWL>
 <m3mx5bhphj.fsf@stories.gnus.org>
 <mailman.1129.1337070368.855.bug-gnu-emacs@gnu.org>
 <b8ed28f0-e25f-457f-b44f-b224b017197b@googlegroups.com>
 <87ob2f8zdr.fsf@lifelogs.com>
 <21240.16957.410641.502622@gargle.gargle.HOWL>
 <87ppmvwu5h.fsf@building.gnus.org> <87d2iv8ck8.fsf@lifelogs.com>
Date: Mon, 10 Feb 2014 21:09:25 -0800
In-Reply-To: <87d2iv8ck8.fsf@lifelogs.com> (Ted Zlatanov's message of "Mon, 10
 Feb 2014 05:52:23 -0500")
Message-ID: <87ppmup75m.fsf@building.gnus.org>
User-Agent: Gnus/5.13001 (Ma Gnus v0.10) Emacs/24.3.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-MailScanner-ID: 1WD5cH-0006E7-MJ
X-Netfonds-MailScanner: Found to be clean
X-Netfonds-MailScanner-From: larsi@gnus.org
MailScanner-NULL-Check: 1392700242.5987@nRN+9mreSxIwvY8/BRkaBw
X-Spam-Status: No
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 11267
Cc: 15057@debbugs.gnu.org, 16253@debbugs.gnu.org,
 Roland Winkler <winkler@gnu.org>, 11267@debbugs.gnu.org,
 Tassilo Horn <tsdh@gnu.org>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 0.0 (/)

Ted Zlatanov <tzz@lifelogs.com> writes:

> LI> But aren't there lots of (or some) servers that only supports DHE and
> LI> not ECDHE?
>
> There's no way to know until you connect, that's the heart of the
> problem.  So IIUC you'd have to either be potentially insecure all the
> time (DHE enabled) or potentially fail connecting to some servers.

I thought TLS worked like this:

1) You connect to a server.
2) A server says what encryption methods it supports
3) You choose one, and start talking in that method.

So things like browsers have a pre-defined list of methods, in
descending order of what they consider "more safe", so that ECDHE is
used if available, etc.

> I think the latter is the better option as a default, as long as we make
> it clear (not in a *GnuTLS log* buffer but with `message' so it shows up
> in the echo region and in STDERR in batch mode) that
>
> * the connection was rejected because the remote requires a lower level
> of security

I've basically never ever seen Firefox say "you can't talk to this
server, because the TLS is too weak".  Neither should Emacs.

(Emacs, being Emacs, might offer as an option a way to restrict all TLS
connections to a smaller set of algorithms/levels, but that should not
be the default.)

> * how to try allowing the less-secure connection (perhaps a simple
> command to automate this, or even a clickable button, would be nicer
> than asking the user to `customize-variable').  The original discussion
> sort of settled on magically reopening the connection with less security
> but I think that might be a disservice to the users.

We would always try to get the most secure TLS connection possible, so I
don't quite understand "reconnect"...

> * why it's smarter to ask the server admin to upgrade their TLS
> implementation
>
> Fitting all of that in a short readable message might be a challenge,
> hence the button suggestion, but that's not ideal either.

If the user has explicitly said "don't talk unless it has teh haxors
leet mode", then that's not necessary, I would have thought.

But I might be misunderstanding the problem completely.  >"?

-- 
(domestic pets only, the antidote for overdose, milk.)
  bloggy blog http://lars.ingebrigtsen.no/




From debbugs-submit-bounces@debbugs.gnu.org Tue Feb 11 05:35:42 2014
Received: (at 11267) by debbugs.gnu.org; 11 Feb 2014 10:35:43 +0000
Received: from localhost ([127.0.0.1]:45768 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1WDAgk-00053W-QX
	for submit@debbugs.gnu.org; Tue, 11 Feb 2014 05:35:42 -0500
Received: from mail-qa0-f45.google.com ([209.85.216.45]:44320)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <n.mavrogiannopoulos@gmail.com>)
 id 1WDAge-00052s-SK; Tue, 11 Feb 2014 05:35:36 -0500
Received: by mail-qa0-f45.google.com with SMTP id ii20so11304727qab.18
 for <multiple recipients>; Tue, 11 Feb 2014 02:35:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type;
 bh=WKGmOGwyUBlnzQRX2+iXQWHZDk1OFGvxzxoUj9Xp19o=;
 b=C28shBYYdJTepHilZ2gaR/E/O5FXQKF4iRfYg/2yqrVeqC4vghc5li47ymFSV0EiA9
 Mem1pdhBDKhRButENvrSazj4x+FjZxXPkas4H4r0shxcWKk8b9thETOEAkL6pemmVEzx
 Kafjd18d+9citgdBVF1wfdcDIqr1sWQKnBtga2fvVYJYFFVNu01ucyFsMLjRxWKY0HJq
 dKrAnq7hXkyPaKWlJ2KgTpJvYE1pIiyTHMz1b4jDRYVO5Il6HfPZ4IQ4EozFkhJg6kbC
 5hXkcJKxjmw0MTY7xd5A4g1M+gG5dn4v9MOd5qGsHAUqNyu2fSv1GVPdcoAStQxdGDSf
 GmHg==
MIME-Version: 1.0
X-Received: by 10.224.46.130 with SMTP id j2mr55450881qaf.7.1392114927241;
 Tue, 11 Feb 2014 02:35:27 -0800 (PST)
Received: by 10.229.58.137 with HTTP; Tue, 11 Feb 2014 02:35:27 -0800 (PST)
In-Reply-To: <87ppmup75m.fsf@building.gnus.org>
References: <87iozfl001.fsf@thinkpad.tsdh.org>
 <m3a9koouzh.fsf@stories.gnus.org>
 <87li24zpg1.fsf@flea.lifelogs.com>
 <87lhxx6kr0.fsf@building.gnus.org> <871tzbaf1n.fsf@lifelogs.com>
 <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
 <20367.61741.640831.184941@gargle.gargle.HOWL>
 <jffwbzsnhm.fsf@fencepost.gnu.org>
 <m3vckv663l.fsf@stories.gnus.org>
 <20368.16452.379860.520133@gargle.gargle.HOWL>
 <87k4152t8j.fsf@lifelogs.com>
 <20375.1898.39520.582160@gargle.gargle.HOWL>
 <m3mx5bhphj.fsf@stories.gnus.org>
 <mailman.1129.1337070368.855.bug-gnu-emacs@gnu.org>
 <b8ed28f0-e25f-457f-b44f-b224b017197b@googlegroups.com>
 <87ob2f8zdr.fsf@lifelogs.com>
 <21240.16957.410641.502622@gargle.gargle.HOWL>
 <87ppmvwu5h.fsf@building.gnus.org> <87d2iv8ck8.fsf@lifelogs.com>
 <87ppmup75m.fsf@building.gnus.org>
Date: Tue, 11 Feb 2014 11:35:27 +0100
Message-ID: <CAJU7zaKnOOXicxnjd0XiXwb171aVYdr9mpBEm9eGK2WDp_ZZAg@mail.gmail.com>
Subject: Re: bug#15057: 24.3.50; TLS error with reasonably high
 gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error:
 The Diffie-Hellman prime sent by the server is not acceptable (not long
 enough).
From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
To: Lars Ingebrigtsen <larsi@gnus.org>
Content-Type: text/plain; charset=ISO-8859-1
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 11267
Cc: 15057@debbugs.gnu.org, 16253@debbugs.gnu.org,
 Roland Winkler <winkler@gnu.org>, 11267@debbugs.gnu.org,
 Tassilo Horn <tsdh@gnu.org>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

On Tue, Feb 11, 2014 at 6:09 AM, Lars Ingebrigtsen <larsi@gnus.org> wrote:
> Ted Zlatanov <tzz@lifelogs.com> writes:
>> LI> But aren't there lots of (or some) servers that only supports DHE and
>> LI> not ECDHE?
>> There's no way to know until you connect, that's the heart of the
>> problem.  So IIUC you'd have to either be potentially insecure all the
>> time (DHE enabled) or potentially fail connecting to some servers.
> I thought TLS worked like this:
> 1) You connect to a server.
> 2) A server says what encryption methods it supports
> 3) You choose one, and start talking in that method.

(let's suppose that the chosen method is DHE)

4) The server presents its DHE parameters and you realize that they
are not acceptable.
5) Cannot do anything except abort the session, disable support for
DHE and go to (1).

>> I think the latter is the better option as a default, as long as we make
>> it clear (not in a *GnuTLS log* buffer but with `message' so it shows up
>> in the echo region and in STDERR in batch mode) that
>> * the connection was rejected because the remote requires a lower level
>> of security
> I've basically never ever seen Firefox say "you can't talk to this
> server, because the TLS is too weak".  Neither should Emacs.

Firefox in the past would happily connect to a server offering weak parameters.
This is changing now:
https://bugzilla.mozilla.org/show_bug.cgi?id=587234

So instead of emacs replicating what the insecure versions of firefox
did, it could provide security by default.

regards,
Nikos




From debbugs-submit-bounces@debbugs.gnu.org Tue Feb 11 09:22:13 2014
Received: (at 11267) by debbugs.gnu.org; 11 Feb 2014 14:22:13 +0000
Received: from localhost ([127.0.0.1]:46073 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1WDEDx-0001Ou-84
	for submit@debbugs.gnu.org; Tue, 11 Feb 2014 09:22:12 -0500
Received: from mail-qa0-f50.google.com ([209.85.216.50]:51608)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <tzz@lifelogs.com>) id 1WDEDj-0001Nn-EM
 for 11267@debbugs.gnu.org; Tue, 11 Feb 2014 09:22:04 -0500
Received: by mail-qa0-f50.google.com with SMTP id cm18so11919699qab.9
 for <11267@debbugs.gnu.org>; Tue, 11 Feb 2014 06:21:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lifelogs.com; s=google;
 h=from:to:cc:subject:organization:references:mail-copies-to
 :gmane-reply-to-list:date:in-reply-to:message-id:user-agent
 :mime-version:content-type;
 bh=6Vm7HcEWYE9bypWOgxlLIqMT9QOLbjGfkGh21mHiECo=;
 b=VDZ2OUZq5ue/+pJx6WWqxqBJ+4Lgu5V8/2w13PPSwG6xA8HUbCeFuEn/UFOvJWTNjZ
 pifcEnoIyyanTW5lZR52E2i4B7MIUM/DRP5sAoQYI7t5ZFYNqhvyPis1Le1t32s+G+Vn
 XfbLUPq8BESwhOiOWMCAIwDeH2mOligCfFiHg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:from:to:cc:subject:organization:references
 :mail-copies-to:gmane-reply-to-list:date:in-reply-to:message-id
 :user-agent:mime-version:content-type;
 bh=6Vm7HcEWYE9bypWOgxlLIqMT9QOLbjGfkGh21mHiECo=;
 b=dBPHcc7HdlbQqunwGVZpqZAqZnrMxl8EaiyMiYnRJb+wLU8ScKf3RdJ2LXkKVPOvhX
 7mS6oYPTWI4pEryNPTPOiwVtBKoqVn6n5NWjjopiTsVvqJGpt8ShS7Uc021PAmO1Kmp+
 y5LZnsDyZ9dbrYZHfX8tdvXf1OBpxOV9VfFMS+egMgLYZj7exqPM08xIrfrrg7mzNGhd
 SLZI2VOlo0pEWLLvcA30QnuiwRzPhFXDW5pigwj64HBO56RA2Rk7L+OLdPx21KdvZlyj
 gtjLBlavGh3Pu+u3p899E21o+GknLTRPaZSy3RbymKVChWVURKQaLlX6jKWeXoBycr5Z
 4Gyw==
X-Gm-Message-State: ALoCoQnTJ+YXCyXptABVseNo5fkquURuYPvO3t15KQplc352bOgzMgf110ohndNNUQEF5MqHlf1+
X-Received: by 10.224.167.19 with SMTP id o19mr46890414qay.77.1392128509928;
 Tue, 11 Feb 2014 06:21:49 -0800 (PST)
Received: from flea (c-98-229-61-72.hsd1.ma.comcast.net. [98.229.61.72])
 by mx.google.com with ESMTPSA id a5sm53271625qae.2.2014.02.11.06.21.48
 for <multiple recipients>
 (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
 Tue, 11 Feb 2014 06:21:49 -0800 (PST)
From: Ted Zlatanov <tzz@lifelogs.com>
To: Lars Ingebrigtsen <larsi@gnus.org>
Subject: Re: bug#11267: bug#15057: 24.3.50;
 TLS error with reasonably high gnutls-min-prime-bits, bug#11267:
 24.0.95;
 gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server
 is not acceptable (not long enough).
Organization: =?utf-8?B?0KLQtdC+0LTQvtGAINCX0LvQsNGC0LDQvdC+0LI=?= @ Cienfuegos
References: <87iozfl001.fsf@thinkpad.tsdh.org>
 <m3a9koouzh.fsf@stories.gnus.org> <87li24zpg1.fsf@flea.lifelogs.com>
 <87lhxx6kr0.fsf@building.gnus.org> <871tzbaf1n.fsf@lifelogs.com>
 <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
 <20367.61741.640831.184941@gargle.gargle.HOWL>
 <jffwbzsnhm.fsf@fencepost.gnu.org> <m3vckv663l.fsf@stories.gnus.org>
 <20368.16452.379860.520133@gargle.gargle.HOWL>
 <87k4152t8j.fsf@lifelogs.com>
 <20375.1898.39520.582160@gargle.gargle.HOWL>
 <m3mx5bhphj.fsf@stories.gnus.org>
 <mailman.1129.1337070368.855.bug-gnu-emacs@gnu.org>
 <b8ed28f0-e25f-457f-b44f-b224b017197b@googlegroups.com>
 <87ob2f8zdr.fsf@lifelogs.com>
 <21240.16957.410641.502622@gargle.gargle.HOWL>
 <87ppmvwu5h.fsf@building.gnus.org> <87d2iv8ck8.fsf@lifelogs.com>
 <87ppmup75m.fsf@building.gnus.org>
X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6;
 d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT=
 D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx"
Mail-Copies-To: never
Gmane-Reply-To-List: yes
Date: Tue, 11 Feb 2014 09:21:58 -0500
In-Reply-To: <87ppmup75m.fsf@building.gnus.org> (Lars Ingebrigtsen's message
 of "Mon, 10 Feb 2014 21:09:25 -0800")
Message-ID: <87mwhx686x.fsf@lifelogs.com>
User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 11267
Cc: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>,
 Roland Winkler <winkler@gnu.org>, 15057@debbugs.gnu.org, 16253@debbugs.gnu.org,
 11267@debbugs.gnu.org, Tassilo Horn <tsdh@gnu.org>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

On Mon, 10 Feb 2014 21:09:25 -0800 Lars Ingebrigtsen <larsi@gnus.org> wrote: 

LI> (Emacs, being Emacs, might offer as an option a way to restrict all TLS
LI> connections to a smaller set of algorithms/levels, but that should not
LI> be the default.)

I think it should, as long as we make it easy to drop down the security,
as I described:

>> * how to try allowing the less-secure connection (perhaps a simple
>> command to automate this, or even a clickable button, would be nicer
>> than asking the user to `customize-variable').  The original discussion
>> sort of settled on magically reopening the connection with less security
>> but I think that might be a disservice to the users.

LI> We would always try to get the most secure TLS connection possible, so I
LI> don't quite understand "reconnect"...

So my proposal is simply to provide two buttons "allow host X to connect
with lower DHE security [temporarily] [permanently]" and when the button
is clicked, customize `gnutls-algorithm-priority' to allow DHE to that
specific host.

`gnutls-negotiate' has to be changed slightly and the connection
rejection from insecure hosts will need to be handled in gnutls.c and
gnutls.el.

I think that's as seamless as we can make it, especially noting that
`gnutls-min-prime-bits' is deprecated since GnuTLS 3.1.7 (see
http://www.gnutls.org/manual/gnutls.html#index-gnutls_005fdh_005fset_005fprime_005fbits).

If we provide that simple UI, plus some help messaging, I think we can
disable DHE by default.  Based on Nikos' explanation, it seems to be the
best way forward.

Ted




From debbugs-submit-bounces@debbugs.gnu.org Tue Feb 11 17:49:14 2014
Received: (at 11267) by debbugs.gnu.org; 11 Feb 2014 22:49:14 +0000
Received: from localhost ([127.0.0.1]:47951 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1WDM8f-00054E-C4
	for submit@debbugs.gnu.org; Tue, 11 Feb 2014 17:49:13 -0500
Received: from fencepost.gnu.org ([208.118.235.10]:55277 ident=Debian-exim)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <winkler@gnu.org>)
 id 1WDM8d-00053z-0n; Tue, 11 Feb 2014 17:49:11 -0500
Received: from 162-229-45-114.lightspeed.cicril.sbcglobal.net
 ([162.229.45.114]:55799 helo=regnitz)
 by fencepost.gnu.org with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <winkler@gnu.org>)
 id 1WDM8b-0003sP-0V; Tue, 11 Feb 2014 17:49:09 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <21242.43234.861627.965636@gargle.gargle.HOWL>
Date: Tue, 11 Feb 2014 16:49:06 -0600
From: "Roland Winkler" <winkler@gnu.org>
To: Ted Zlatanov <tzz@lifelogs.com>
Subject: Re: bug#11267: bug#15057: 24.3.50;
 TLS error with reasonably high gnutls-min-prime-bits, bug#11267:
 24.0.95;
 gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server
 is not acceptable (not long enough).
In-Reply-To: <87mwhx686x.fsf@lifelogs.com>
References: <87iozfl001.fsf@thinkpad.tsdh.org>
 <m3a9koouzh.fsf@stories.gnus.org>
 <87li24zpg1.fsf@flea.lifelogs.com>
 <87lhxx6kr0.fsf@building.gnus.org> <871tzbaf1n.fsf@lifelogs.com>
 <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
 <20367.61741.640831.184941@gargle.gargle.HOWL>
 <jffwbzsnhm.fsf@fencepost.gnu.org>
 <m3vckv663l.fsf@stories.gnus.org>
 <20368.16452.379860.520133@gargle.gargle.HOWL>
 <87k4152t8j.fsf@lifelogs.com>
 <20375.1898.39520.582160@gargle.gargle.HOWL>
 <m3mx5bhphj.fsf@stories.gnus.org>
 <mailman.1129.1337070368.855.bug-gnu-emacs@gnu.org>
 <b8ed28f0-e25f-457f-b44f-b224b017197b@googlegroups.com>
 <87ob2f8zdr.fsf@lifelogs.com>
 <21240.16957.410641.502622@gargle.gargle.HOWL>
 <87ppmvwu5h.fsf@building.gnus.org> <87d2iv8ck8.fsf@lifelogs.com>
 <87ppmup75m.fsf@building.gnus.org> <87mwhx686x.fsf@lifelogs.com>
X-Mailer: VM 8.2 trial under 24.3.1 (x86_64-unknown-linux-gnu)
X-Spam-Score: -5.7 (-----)
X-Debbugs-Envelope-To: 11267
Cc: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>,
 15057@debbugs.gnu.org, 16253@debbugs.gnu.org, 11267@debbugs.gnu.org,
 Tassilo Horn <tsdh@gnu.org>, Lars Ingebrigtsen <larsi@gnus.org>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -5.7 (-----)

On Tue Feb 11 2014 Ted Zlatanov wrote:
> So my proposal is simply to provide two buttons "allow host X to
> connect with lower DHE security [temporarily] [permanently]" and
> when the button is clicked, customize `gnutls-algorithm-priority'
> to allow DHE to that specific host.
> 
> `gnutls-negotiate' has to be changed slightly and the connection
> rejection from insecure hosts will need to be handled in gnutls.c
> and gnutls.el.
> 
> I think that's as seamless as we can make it, especially noting
> that `gnutls-min-prime-bits' is deprecated since GnuTLS 3.1.7 (see
> http://www.gnutls.org/manual/gnutls.html#index-gnutls_005fdh_005fset_005fprime_005fbits).
> 
> If we provide that simple UI, plus some help messaging, I think we
> can disable DHE by default.  Based on Nikos' explanation, it seems
> to be the best way forward.

Whatever customizability will be provided (permanently or
temporarily on the fly), I'd find it most important to have
documentation that allows the user to put the choices into
perspective. -- Is this feasible?  Certainly, we cannot expect that
the average user who is offered a pop-up menu with choices "allow
host X to connect with lower DHE security [temporarily]
[permanently]" that he can readily understand its implications and
put it into perspective. (DHE security lower than what?  Lower by
how much?  How insecure is that?)

(According to Murphy's law, this selection will probably pop up most
often, when the user is not in the mood to read long info pages...)

Roland




From debbugs-submit-bounces@debbugs.gnu.org Tue Feb 11 18:54:56 2014
Received: (at 11267) by debbugs.gnu.org; 11 Feb 2014 23:54:56 +0000
Received: from localhost ([127.0.0.1]:47980 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1WDNAF-0006oe-St
	for submit@debbugs.gnu.org; Tue, 11 Feb 2014 18:54:56 -0500
Received: from mail-qc0-f174.google.com ([209.85.216.174]:55250)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <tzz@lifelogs.com>) id 1WDNA6-0006o1-Bc
 for 11267@debbugs.gnu.org; Tue, 11 Feb 2014 18:54:51 -0500
Received: by mail-qc0-f174.google.com with SMTP id x13so14003887qcv.5
 for <11267@debbugs.gnu.org>; Tue, 11 Feb 2014 15:54:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lifelogs.com; s=google;
 h=from:to:cc:subject:organization:references:mail-copies-to
 :gmane-reply-to-list:date:in-reply-to:message-id:user-agent
 :mime-version:content-type;
 bh=DIluoanrtCxxnAlJT5gJfXWLmxp0Hvu7c4qkl1XJX8s=;
 b=siAQRtXFV/7E8nDW/B0HzftPFpM2pLNcxYC6ZxxxVF679jSogiohmfj4iaKRUKtias
 CdEU8XvDfGy+2KvGZVnejeoppltDAimMIrS87tHgI1YfeAIXW4fAfMO4fvU0JtKAt5DO
 JPdJyhE0poZbSq8fOkD46LT54in92vtuaA/tg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:from:to:cc:subject:organization:references
 :mail-copies-to:gmane-reply-to-list:date:in-reply-to:message-id
 :user-agent:mime-version:content-type;
 bh=DIluoanrtCxxnAlJT5gJfXWLmxp0Hvu7c4qkl1XJX8s=;
 b=h5Sae+GwWQ7sqyYsD+joGl1N7hYbuPhOdudARwSyfzFEJ2E13/zXcwlzzz8XGmYQ3I
 L68mK6EDerBYMJWoRBocqMgtw+ug2fgiZqI2IiJBJF0idpqDhdUYfb/18SsYnrg0S2rw
 gc9l8fJypmkkoT/Uu/fgiWVxp6Jm9d1IyJsLTjlp3STtFKJQOCH0Q5jx5npWG7VRbvCY
 fXyGIGzz/r17+YEDCxFV2L7ThNS8wbftXOOhe1suWjrSv7hjt6aC7Ain62/GyHFF1IuV
 39OYNrG0uuBjvQR5dA0wM8bOxCUCuk1mE+owyskPnjLzRaLj+RDkkEKJtqddhJOjrR1q
 2aiw==
X-Gm-Message-State: ALoCoQnR71R+ic6wRClpiPG9dnKZ9pbOOi4+p7F4uYFpJWL3IitLuYgLsfYyKJDCw1xfSiCSqH5d
X-Received: by 10.224.44.8 with SMTP id y8mr62881309qae.44.1392162880666;
 Tue, 11 Feb 2014 15:54:40 -0800 (PST)
Received: from flea (c-98-229-61-72.hsd1.ma.comcast.net. [98.229.61.72])
 by mx.google.com with ESMTPSA id 3sm57437362qan.15.2014.02.11.15.54.39
 for <multiple recipients>
 (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
 Tue, 11 Feb 2014 15:54:40 -0800 (PST)
From: Ted Zlatanov <tzz@lifelogs.com>
To: "Roland Winkler" <winkler@gnu.org>
Subject: Re: bug#11267: bug#15057: 24.3.50;
 TLS error with reasonably high gnutls-min-prime-bits, bug#11267:
 24.0.95;
 gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server
 is not acceptable (not long enough).
Organization: =?utf-8?B?0KLQtdC+0LTQvtGAINCX0LvQsNGC0LDQvdC+0LI=?= @ Cienfuegos
References: <87iozfl001.fsf@thinkpad.tsdh.org>
 <87lhxx6kr0.fsf@building.gnus.org> <871tzbaf1n.fsf@lifelogs.com>
 <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
 <20367.61741.640831.184941@gargle.gargle.HOWL>
 <jffwbzsnhm.fsf@fencepost.gnu.org> <m3vckv663l.fsf@stories.gnus.org>
 <20368.16452.379860.520133@gargle.gargle.HOWL>
 <87k4152t8j.fsf@lifelogs.com>
 <20375.1898.39520.582160@gargle.gargle.HOWL>
 <m3mx5bhphj.fsf@stories.gnus.org>
 <mailman.1129.1337070368.855.bug-gnu-emacs@gnu.org>
 <b8ed28f0-e25f-457f-b44f-b224b017197b@googlegroups.com>
 <87ob2f8zdr.fsf@lifelogs.com>
 <21240.16957.410641.502622@gargle.gargle.HOWL>
 <87ppmvwu5h.fsf@building.gnus.org> <87d2iv8ck8.fsf@lifelogs.com>
 <87ppmup75m.fsf@building.gnus.org> <87mwhx686x.fsf@lifelogs.com>
 <21242.43234.861627.965636@gargle.gargle.HOWL>
X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6;
 d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT=
 D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx"
Mail-Copies-To: never
Gmane-Reply-To-List: yes
Date: Tue, 11 Feb 2014 18:54:49 -0500
In-Reply-To: <21242.43234.861627.965636@gargle.gargle.HOWL> (Roland Winkler's
 message of "Tue, 11 Feb 2014 16:49:06 -0600")
Message-ID: <8761ol5ho6.fsf@lifelogs.com>
User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 11267
Cc: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>,
 15057@debbugs.gnu.org, 16253@debbugs.gnu.org, 11267@debbugs.gnu.org,
 Tassilo Horn <tsdh@gnu.org>, Lars Ingebrigtsen <larsi@gnus.org>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

On Tue, 11 Feb 2014 16:49:06 -0600 "Roland Winkler" <winkler@gnu.org> wrote: 

RW> On Tue Feb 11 2014 Ted Zlatanov wrote:
>> So my proposal is simply to provide two buttons "allow host X to
>> connect with lower DHE security [temporarily] [permanently]" and
>> when the button is clicked, customize `gnutls-algorithm-priority'
>> to allow DHE to that specific host.
>> 
>> `gnutls-negotiate' has to be changed slightly and the connection
>> rejection from insecure hosts will need to be handled in gnutls.c
>> and gnutls.el.
>> 
>> I think that's as seamless as we can make it, especially noting
>> that `gnutls-min-prime-bits' is deprecated since GnuTLS 3.1.7 (see
>> http://www.gnutls.org/manual/gnutls.html#index-gnutls_005fdh_005fset_005fprime_005fbits).
>> 
>> If we provide that simple UI, plus some help messaging, I think we
>> can disable DHE by default.  Based on Nikos' explanation, it seems
>> to be the best way forward.

RW> Whatever customizability will be provided (permanently or
RW> temporarily on the fly), I'd find it most important to have
RW> documentation that allows the user to put the choices into
RW> perspective. -- Is this feasible?  Certainly, we cannot expect that
RW> the average user who is offered a pop-up menu with choices "allow
RW> host X to connect with lower DHE security [temporarily]
RW> [permanently]" that he can readily understand its implications and
RW> put it into perspective. (DHE security lower than what?  Lower by
RW> how much?  How insecure is that?)

I'm sure we can come up with more helpful messaging.  Does it have
to fit in 78 chars?  Can we use buttons?  If so, it could be like this,
going over 78 but not too much:

!! remote host X requires lower security [OK once] [OK always] [Cancel] [?]

With the ? taking the user to more details: a help message or even the
relevant section of gnutls.texi

If we can use a multi-line message it becomes easier, certainly.

The buttons could instead be a simple (y,Y,n,?) prompt.  But that could
be confusing to the inexperienced users we're trying to help.

I need some guidance :)  I don't know if this has been implemented in
another part of Emacs or other packages.

Thanks
Ted




From debbugs-submit-bounces@debbugs.gnu.org Tue Feb 11 23:30:47 2014
Received: (at 11267) by debbugs.gnu.org; 12 Feb 2014 04:30:47 +0000
Received: from localhost ([127.0.0.1]:48127 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1WDRTD-00089N-0v
	for submit@debbugs.gnu.org; Tue, 11 Feb 2014 23:30:47 -0500
Received: from hermes.netfonds.no ([80.91.224.195]:60185)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <larsi@gnus.org>)
 id 1WDRTA-000898-Qx; Tue, 11 Feb 2014 23:30:46 -0500
Received: from [204.14.154.233] (helo=building.gnus.org)
 by hermes.netfonds.no with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.72) (envelope-from <larsi@gnus.org>)
 id 1WDRSv-0008O4-0S; Wed, 12 Feb 2014 05:30:29 +0100
From: Lars Ingebrigtsen <larsi@gnus.org>
To: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: bug#11267: bug#15057: 24.3.50;
 TLS error with reasonably high gnutls-min-prime-bits, bug#11267:
 24.0.95;
 gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server
 is not acceptable (not long enough).
References: <87iozfl001.fsf@thinkpad.tsdh.org>
 <87li24zpg1.fsf@flea.lifelogs.com> <87lhxx6kr0.fsf@building.gnus.org>
 <871tzbaf1n.fsf@lifelogs.com> <874nsi12ng.fsf@niu.edu>
 <6mwr5d6l6e.fsf@fencepost.gnu.org>
 <20367.61741.640831.184941@gargle.gargle.HOWL>
 <jffwbzsnhm.fsf@fencepost.gnu.org> <m3vckv663l.fsf@stories.gnus.org>
 <20368.16452.379860.520133@gargle.gargle.HOWL>
 <87k4152t8j.fsf@lifelogs.com>
 <20375.1898.39520.582160@gargle.gargle.HOWL>
 <m3mx5bhphj.fsf@stories.gnus.org>
 <mailman.1129.1337070368.855.bug-gnu-emacs@gnu.org>
 <b8ed28f0-e25f-457f-b44f-b224b017197b@googlegroups.com>
 <87ob2f8zdr.fsf@lifelogs.com>
 <21240.16957.410641.502622@gargle.gargle.HOWL>
 <87ppmvwu5h.fsf@building.gnus.org> <87d2iv8ck8.fsf@lifelogs.com>
 <87ppmup75m.fsf@building.gnus.org> <87mwhx686x.fsf@lifelogs.com>
Date: Tue, 11 Feb 2014 20:29:09 -0800
In-Reply-To: <87mwhx686x.fsf@lifelogs.com> (Ted Zlatanov's message of "Tue, 11
 Feb 2014 09:21:58 -0500")
Message-ID: <878uth2bu2.fsf@building.gnus.org>
User-Agent: Gnus/5.13001 (Ma Gnus v0.10) Emacs/24.3.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-MailScanner-ID: 1WDRSv-0008O4-0S
X-Netfonds-MailScanner: Found to be clean
X-Netfonds-MailScanner-From: larsi@gnus.org
MailScanner-NULL-Check: 1392784230.10113@Yh5Oe3YALCorsAjMNVXQuA
X-Spam-Status: No
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 11267
Cc: 15057@debbugs.gnu.org, 16253@debbugs.gnu.org,
 Roland Winkler <winkler@gnu.org>, 11267@debbugs.gnu.org,
 Tassilo Horn <tsdh@gnu.org>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 0.0 (/)

Ted Zlatanov <tzz@lifelogs.com> writes:

> If we provide that simple UI, plus some help messaging, I think we can
> disable DHE by default.  Based on Nikos' explanation, it seems to be the
> best way forward.

But why would we disable DHE?  Prefer ECDHE over DHE, certainly, but I
don't understand disabling...

-- 
(domestic pets only, the antidote for overdose, milk.)
  bloggy blog http://lars.ingebrigtsen.no/




From debbugs-submit-bounces@debbugs.gnu.org Tue Feb 11 23:32:33 2014
Received: (at 11267) by debbugs.gnu.org; 12 Feb 2014 04:32:33 +0000
Received: from localhost ([127.0.0.1]:48139 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1WDRUv-0008D7-6O
	for submit@debbugs.gnu.org; Tue, 11 Feb 2014 23:32:33 -0500
Received: from hermes.netfonds.no ([80.91.224.195]:60197)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <larsi@gnus.org>)
 id 1WDRUt-0008Cr-Id; Tue, 11 Feb 2014 23:32:32 -0500
Received: from [204.14.154.233] (helo=building.gnus.org)
 by hermes.netfonds.no with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.72) (envelope-from <larsi@gnus.org>)
 id 1WDRUf-0008PH-6h; Wed, 12 Feb 2014 05:32:17 +0100
From: Lars Ingebrigtsen <larsi@gnus.org>
To: "Roland Winkler" <winkler@gnu.org>
Subject: Re: bug#11267: bug#15057: 24.3.50;
 TLS error with reasonably high gnutls-min-prime-bits, bug#11267:
 24.0.95;
 gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server
 is not acceptable (not long enough).
References: <87iozfl001.fsf@thinkpad.tsdh.org> <871tzbaf1n.fsf@lifelogs.com>
 <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
 <20367.61741.640831.184941@gargle.gargle.HOWL>
 <jffwbzsnhm.fsf@fencepost.gnu.org> <m3vckv663l.fsf@stories.gnus.org>
 <20368.16452.379860.520133@gargle.gargle.HOWL>
 <87k4152t8j.fsf@lifelogs.com>
 <20375.1898.39520.582160@gargle.gargle.HOWL>
 <m3mx5bhphj.fsf@stories.gnus.org>
 <mailman.1129.1337070368.855.bug-gnu-emacs@gnu.org>
 <b8ed28f0-e25f-457f-b44f-b224b017197b@googlegroups.com>
 <87ob2f8zdr.fsf@lifelogs.com>
 <21240.16957.410641.502622@gargle.gargle.HOWL>
 <87ppmvwu5h.fsf@building.gnus.org> <87d2iv8ck8.fsf@lifelogs.com>
 <87ppmup75m.fsf@building.gnus.org> <87mwhx686x.fsf@lifelogs.com>
 <21242.43234.861627.965636@gargle.gargle.HOWL>
 <8761ol5ho6.fsf@lifelogs.com>
Date: Tue, 11 Feb 2014 20:30:58 -0800
In-Reply-To: <8761ol5ho6.fsf@lifelogs.com> (Ted Zlatanov's message of "Tue, 11
 Feb 2014 18:54:49 -0500")
Message-ID: <874n452br1.fsf@building.gnus.org>
User-Agent: Gnus/5.13001 (Ma Gnus v0.10) Emacs/24.3.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-MailScanner-ID: 1WDRUf-0008PH-6h
X-Netfonds-MailScanner: Found to be clean
X-Netfonds-MailScanner-From: larsi@gnus.org
MailScanner-NULL-Check: 1392784337.96077@NqBCDeFUHj7AXQwyWTJGrg
X-Spam-Status: No
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 11267
Cc: 15057@debbugs.gnu.org, 16253@debbugs.gnu.org,
 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>, 11267@debbugs.gnu.org,
 Tassilo Horn <tsdh@gnu.org>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 0.0 (/)

Ted Zlatanov <tzz@lifelogs.com> writes:

> I'm sure we can come up with more helpful messaging.  Does it have
> to fit in 78 chars?  Can we use buttons?  If so, it could be like this,
> going over 78 but not too much:
>
> !! remote host X requires lower security [OK once] [OK always] [Cancel] [?]

Yeah, that would be nice.  And, remember, somebody (ahem) also has to
write code to handle invalid certificates.  It could be done the same way.

And if the user types "OK always" for this (and for invalid
certificates), it should be stored using the customize functions.

-- 
(domestic pets only, the antidote for overdose, milk.)
  bloggy blog http://lars.ingebrigtsen.no/




From debbugs-submit-bounces@debbugs.gnu.org Wed Feb 12 12:11:50 2014
Received: (at 11267) by debbugs.gnu.org; 12 Feb 2014 17:11:50 +0000
Received: from localhost ([127.0.0.1]:49188 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1WDdLb-00061m-Vm
	for submit@debbugs.gnu.org; Wed, 12 Feb 2014 12:11:50 -0500
Received: from mail-qa0-f47.google.com ([209.85.216.47]:33016)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <tzz@lifelogs.com>) id 1WDdLV-00061N-Jx
 for 11267@debbugs.gnu.org; Wed, 12 Feb 2014 12:11:41 -0500
Received: by mail-qa0-f47.google.com with SMTP id j5so14353748qaq.34
 for <11267@debbugs.gnu.org>; Wed, 12 Feb 2014 09:11:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lifelogs.com; s=google;
 h=from:to:cc:subject:organization:references:mail-copies-to
 :gmane-reply-to-list:date:in-reply-to:message-id:user-agent
 :mime-version:content-type;
 bh=8JdLPzd2z7pTMLLVmZ1ABbxe+o8xuHTlQ36kxIcOr6I=;
 b=ZSJHazg2rpmFZUWDq39mp5RVcDQ3Aw8DDTiGLgea7PFZKlsSTdtDmpCIDW3WXE6qZn
 LnjK9tPY5GjoeTXmoJps2l9JpPV+D7jGIgkVXqJQPxZDdZ9EDF0V73awyScKXqMcrK1O
 xeMpM89IHV7kYemfQmxEw5fLlaKKCtvo3/cvo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:from:to:cc:subject:organization:references
 :mail-copies-to:gmane-reply-to-list:date:in-reply-to:message-id
 :user-agent:mime-version:content-type;
 bh=8JdLPzd2z7pTMLLVmZ1ABbxe+o8xuHTlQ36kxIcOr6I=;
 b=jpGlwoe5LMO9Ty1RZnfl3WCY9IMY5YYrrNaYgzAjYRYg4rrr/Jcr0gWmm6/lbR7olX
 Wq5RXjLmZbvJpljaQ63ZfoOa6YVWT9/KWkF2cudShM6kiEpN3FlXKUKgDQwJoUPO3D1K
 pzPqpfJtnpe+YN+7D6onWUSV3gOdpj8TKLsuiI8sjlXxOel7O6TGJPdhuf+bg11nzBBh
 VUOBpS+cD/0gc5NRsmBKMjdfsqwL2bfn+fHCSn0KiAmFe+oWbiQcKz813HxgMMN3LABQ
 +ZunXkBEgYiVDpvWAHowyOgnj9aFjzPwyV9XQn6wdCZ6Ipw6ZgbigkOpX4RAH8vCabu7
 Fi1w==
X-Gm-Message-State: ALoCoQlmrriSUhmG2JyQhoofmaVsed2D9TLiiOSs253adohjqmcw3+qW5Q6fqNGtebHX/037EKrW
X-Received: by 10.229.90.199 with SMTP id j7mr52359078qcm.14.1392225092037;
 Wed, 12 Feb 2014 09:11:32 -0800 (PST)
Received: from flea (c-98-229-61-72.hsd1.ma.comcast.net. [98.229.61.72])
 by mx.google.com with ESMTPSA id y71sm34458039qgd.3.2014.02.12.09.11.30
 for <multiple recipients>
 (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
 Wed, 12 Feb 2014 09:11:31 -0800 (PST)
From: Ted Zlatanov <tzz@lifelogs.com>
To: Lars Ingebrigtsen <larsi@gnus.org>
Subject: Re: bug#15057: 24.3.50;
 TLS error with reasonably high gnutls-min-prime-bits, bug#11267:
 24.0.95;
 gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server
 is not acceptable (not long enough)
Organization: =?utf-8?B?0KLQtdC+0LTQvtGAINCX0LvQsNGC0LDQvdC+0LI=?= @ Cienfuegos
References: <87iozfl001.fsf@thinkpad.tsdh.org>
 <87lhxx6kr0.fsf@building.gnus.org> <871tzbaf1n.fsf@lifelogs.com>
 <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org>
 <20367.61741.640831.184941@gargle.gargle.HOWL>
 <jffwbzsnhm.fsf@fencepost.gnu.org> <m3vckv663l.fsf@stories.gnus.org>
 <20368.16452.379860.520133@gargle.gargle.HOWL>
 <87k4152t8j.fsf@lifelogs.com>
 <20375.1898.39520.582160@gargle.gargle.HOWL>
 <m3mx5bhphj.fsf@stories.gnus.org>
 <mailman.1129.1337070368.855.bug-gnu-emacs@gnu.org>
 <b8ed28f0-e25f-457f-b44f-b224b017197b@googlegroups.com>
 <87ob2f8zdr.fsf@lifelogs.com>
 <21240.16957.410641.502622@gargle.gargle.HOWL>
 <87ppmvwu5h.fsf@building.gnus.org> <87d2iv8ck8.fsf@lifelogs.com>
 <87ppmup75m.fsf@building.gnus.org> <87mwhx686x.fsf@lifelogs.com>
 <874n452br1.fsf@building.gnus.org>
X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6;
 d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT=
 D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx"
Mail-Copies-To: never
Gmane-Reply-To-List: yes
Date: Wed, 12 Feb 2014 12:11:41 -0500
In-Reply-To: <874n452br1.fsf@building.gnus.org> (Lars Ingebrigtsen's message
 of "Tue, 11 Feb 2014 20:30:58 -0800, Tue, 11 Feb 2014 20:29:09 -0800")
Message-ID: <87k3d0gss2.fsf_-_@lifelogs.com>
User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 11267
Cc: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>,
 Roland Winkler <winkler@gnu.org>, 15057@debbugs.gnu.org, 16253@debbugs.gnu.org,
 11267@debbugs.gnu.org, Tassilo Horn <tsdh@gnu.org>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

(I love how mangled the subject line became)

On Tue, 11 Feb 2014 20:30:58 -0800 Lars Ingebrigtsen <larsi@gnus.org> wrote: 

LI> Ted Zlatanov <tzz@lifelogs.com> writes:
>> I'm sure we can come up with more helpful messaging.  Does it have
>> to fit in 78 chars?  Can we use buttons?  If so, it could be like this,
>> going over 78 but not too much:
>> 
>> !! remote host X requires lower security [OK once] [OK always] [Cancel] [?]

LI> Yeah, that would be nice.  And, remember, somebody (ahem) also has to
LI> write code to handle invalid certificates.  It could be done the
LI> same way.

Yes, it's a similar UI.  After 24.4.  Is that available as a debbugs
tag, "target-version=24.5" or something?

LI> And if the user types "OK always" for this (and for invalid
LI> certificates), it should be stored using the customize functions.

Right.  I feel Customize is the right place to put certificate
exceptions.  The user can set their custom.el file to be
GnuPG-encrypted if they are concerned.

>> If we provide that simple UI, plus some help messaging, I think we can
>> disable DHE by default.  Based on Nikos' explanation, it seems to be the
>> best way forward.

LI> But why would we disable DHE?  Prefer ECDHE over DHE, certainly, but I
LI> don't understand disabling...

Nikos advocates (and I agree) that it's prudent to add
"!DHE-RSA:!DHE-DSS" to the default priority string.  We can make it easy
for the user to remove that exclusion or make a specific exception as
we've discussed.

Ted




From unknown Sun Aug 10 11:49:15 2025
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request <help-debbugs@gnu.org>
Subject: Internal Control
Message-Id: bug archived.
Date: Thu, 13 Mar 2014 11:24:04 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator