#11267 - 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).

GNU bug report logs - #11267
24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).

Package: emacs;

Reported by: "Roland Winkler" <winkler <at> gnu.org>

Date: Tue, 17 Apr 2012 21:16:02 UTC

Severity: normal

Found in version 24.0.95

Fixed in version 24.4

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

Message #28 received at 11267 <at> debbugs.gnu.org (full text, mbox):

From: Ted Zlatanov <tzz <at> lifelogs.com> To: "Roland Winkler" <winkler <at> gnu.org> Cc: Lars Magne Ingebrigtsen <larsi <at> gnus.org>, 11267 <at> debbugs.gnu.org Subject: Re: bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). Date: Tue, 24 Apr 2012 08:45:48 -0400

On Thu, 19 Apr 2012 11:41:40 -0500 "Roland Winkler" <winkler <at> gnu.org> wrote: RW> On Thu Apr 19 2012 Lars Magne Ingebrigtsen wrote: >> Glenn Morris <rgm <at> gnu.org> writes: >> > I also wonder how it can be safer to fall back to no encryption at all, >> > rather than using weak encryption (if that is indeed what is happening). >> > Maybe it's to prevent a false sense of security, or something. >> >> Are you sure that it's falling back to no encryption? If it really does >> that, then that's pretty crappy behaviour, in my opinion. RW> If the error message was more verbose, say by mentioning the RW> fallback the code uses, this could help nonexpert users like us to RW> understand the situation. The error is coming straight from GnuTLS. We can probably add a Emacs-specific clarification to it, mentioning `gnutls-min-prime-bits'. Would that be more helpful? Or should I add a FAQ section to emacs-gnutls.texi? Usually this means the server should increase the size of the prime, e.g. here are similar reports for msmtp and Sendmail: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=461802 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440344 Dropping down to fewer bits in the DH prime is AFAIK not a serious concern: you're not exposing your communications, only making the exchange of the secret key slightly less secure. So you're slightly more vulnerable to a man-in-the-middle attack, but the connection itself will be encrypted. You can only turn off encryption by changing the priority string. ted

This bug report was last modified 11 years and 153 days ago.

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #11267 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).

GNU bug report logs - #11267
24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).