#11267 - 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).

GNU bug report logs - #11267
24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).

Package: emacs;

Reported by: "Roland Winkler" <winkler <at> gnu.org>

Date: Tue, 17 Apr 2012 21:16:02 UTC

Severity: normal

Found in version 24.0.95

Fixed in version 24.4

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

Message #65 received at 11267 <at> debbugs.gnu.org (full text, mbox):

From: Ted Zlatanov <tzz <at> lifelogs.com> To: Lars Ingebrigtsen <larsi <at> gnus.org> Cc: Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at> gmail.com>, Roland Winkler <winkler <at> gnu.org>, 15057 <at> debbugs.gnu.org, 16253 <at> debbugs.gnu.org, 11267 <at> debbugs.gnu.org, Tassilo Horn <tsdh <at> gnu.org> Subject: Re: bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). Date: Tue, 11 Feb 2014 09:21:58 -0500

On Mon, 10 Feb 2014 21:09:25 -0800 Lars Ingebrigtsen <larsi <at> gnus.org> wrote: LI> (Emacs, being Emacs, might offer as an option a way to restrict all TLS LI> connections to a smaller set of algorithms/levels, but that should not LI> be the default.) I think it should, as long as we make it easy to drop down the security, as I described: >> * how to try allowing the less-secure connection (perhaps a simple >> command to automate this, or even a clickable button, would be nicer >> than asking the user to `customize-variable'). The original discussion >> sort of settled on magically reopening the connection with less security >> but I think that might be a disservice to the users. LI> We would always try to get the most secure TLS connection possible, so I LI> don't quite understand "reconnect"... So my proposal is simply to provide two buttons "allow host X to connect with lower DHE security [temporarily] [permanently]" and when the button is clicked, customize `gnutls-algorithm-priority' to allow DHE to that specific host. `gnutls-negotiate' has to be changed slightly and the connection rejection from insecure hosts will need to be handled in gnutls.c and gnutls.el. I think that's as seamless as we can make it, especially noting that `gnutls-min-prime-bits' is deprecated since GnuTLS 3.1.7 (see http://www.gnutls.org/manual/gnutls.html#index-gnutls_005fdh_005fset_005fprime_005fbits). If we provide that simple UI, plus some help messaging, I think we can disable DHE by default. Based on Nikos' explanation, it seems to be the best way forward. Ted

This bug report was last modified 11 years and 155 days ago.

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #11267 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).

GNU bug report logs - #11267
24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).