From unknown Mon Aug 18 08:59:25 2025 X-Loop: help-debbugs@gnu.org Subject: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits Resent-From: Tassilo Horn Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Fri, 09 Aug 2013 08:53:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 15057 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: To: 15057@debbugs.gnu.org X-Debbugs-Original-To: bug-gnu-emacs@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.13760383675205 (code B ref -1); Fri, 09 Aug 2013 08:53:01 +0000 Received: (at submit) by debbugs.gnu.org; 9 Aug 2013 08:52:47 +0000 Received: from localhost ([127.0.0.1]:48916 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1V7iRB-0001Lr-8d for submit@debbugs.gnu.org; Fri, 09 Aug 2013 04:52:46 -0400 Received: from eggs.gnu.org ([208.118.235.92]:60067) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1V7iR6-0001Lc-UW for submit@debbugs.gnu.org; Fri, 09 Aug 2013 04:52:42 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1V7iQu-0004ZS-Ic for submit@debbugs.gnu.org; Fri, 09 Aug 2013 04:52:35 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-99.2 required=5.0 tests=BAYES_50,RP_MATCHES_RCVD, T_DKIM_INVALID,USER_IN_WHITELIST autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:57761) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1V7iQu-0004ZO-Fl for submit@debbugs.gnu.org; Fri, 09 Aug 2013 04:52:28 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:33507) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1V7iQo-00015Q-TC for bug-gnu-emacs@gnu.org; Fri, 09 Aug 2013 04:52:28 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1V7iQj-0004Wp-9b for bug-gnu-emacs@gnu.org; Fri, 09 Aug 2013 04:52:22 -0400 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:49197) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1V7iQj-0004Wf-1R for bug-gnu-emacs@gnu.org; Fri, 09 Aug 2013 04:52:17 -0400 Received: from compute2.internal (compute2.nyi.mail.srv.osa [10.202.2.42]) by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id 85FA220A7A for ; Fri, 9 Aug 2013 04:52:16 -0400 (EDT) Received: from frontend2 ([10.202.2.161]) by compute2.internal (MEProxy); Fri, 09 Aug 2013 04:52:16 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=from:to:subject:date:message-id :mime-version:content-type; s=smtpout; bh=dsB1ztZCOPpSQHgqDpbkdQ SzIzo=; b=FdIIcpj96xF7IopEx/wDw7hK9CqLR443YVaTb0D40z+jR06pVMOXHM LJ6JOiMVwii/jYVTIbnk4rZBz3jlLVvibbCuvNAeJN6Brq9mWF24HhJN7Sm+0zcN Ke4qcVulCtFwLSSiQ1JAjtCntzFqrofHtLDWytgtz0wrGFNcUMCXM= X-Sasl-enc: tv05exQunxZwr8WM2l5yOtJVOr+OmmQHCxglxzAsveHT 1376038335 Received: from thinkpad.tsdh.org (unknown [91.67.164.26]) by mail.messagingengine.com (Postfix) with ESMTPA id B951C680096 for ; Fri, 9 Aug 2013 04:52:15 -0400 (EDT) From: Tassilo Horn Date: Fri, 09 Aug 2013 10:52:14 +0200 Message-ID: <87iozfl001.fsf@thinkpad.tsdh.org> User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -3.3 (---) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) When TLS support landed and Gnus used it, I frequently had messages like "the Diffie-Hellman prime has been lowered to XXX bits" for XXX being 256(?) or something like that. Then I've set (setq gnutls-min-prime-bits 2048) and everything worked smoothly, I got no warning messages, and I felt more secure. Well, until today. When I fired up Gnus today, I got this error for my Fastmail IMAP account: --8<---------------cut here---------------start------------->8--- 20130809T100721.075> Opening connection to mail.messagingengine.com via tls... gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). gnutls.el: (err=[-63] The Diffie-Hellman prime sent by the server is not acceptable (not long enough).) boot: (:priority NORMAL :hostname mail.messagingengine.com :loglevel 0 :min-prime-bits 2048 :trustfiles (/etc/ssl/certs/ca-certificates.crt) :crlfiles nil :keylist nil :verify-flags nil :verify-error nil :verify-hostname-error nil :callbacks nil) 20130809T100721.380> Unable to open server nnimap+Fastmail due to: GnuTLS error: #>, -63 gnutls.c: [0] (Emacs) fatal error: An unexpected TLS handshake packet was received. [100 times] --8<---------------cut here---------------end--------------->8--- All other accounts still worked just fine. Lowering `gnutls-min-prime-bits' to 1024 makes the Fastmail account work again, too. So apparently Fastmail doesn't support 2048 bit sized DH primes anymore (or maybe just today/now) for whatever reason. Would it be possible to have a new variable `gnutls-preferred-prime-bits' which is tried first for every connection? If the server doesn't want to, you'd get a warning and the number of bits would be lowered, but never below `gnutls-min-prime-bits' which would still be the hard limit where you get an error. That way, I could have (setq gnutls-min-prime-bits 1024 gnutls-preferred-prime-bits 2048) which would successfully use 2048 for all my IMAP connections except for the Fastmail one today. In GNU Emacs 24.3.50.1 (x86_64-pc-linux-gnu, GTK+ Version 3.8.2) of 2013-08-09 on thinkpad Bzr revision: monnier@iro.umontreal.ca-20130809011942-ekqcyfmqaf1xicqa Windowing system distributor `The X.Org Foundation', version 11.0.11402901 System Description: NAME=Gentoo Configured using: `configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --libdir=/usr/lib64 --disable-silent-rules --disable-dependency-tracking --program-suffix=-emacs-24-vcs --program-transform-name=s/^(emacs)-[0-9].*-././ --infodir=/usr/share/info/emacs-24-vcs --enable-locallisppath=/etc/emacs:/usr/share/emacs/site-lisp --with-gameuser=games --without-compress-info --with-file-notification=inotify --disable-acl --with-dbus --with-gnutls --with-gpm --without-hesiod --without-kerberos --without-kerberos5 --with-xml2 --without-selinux --without-wide-int --with-sound --with-x --without-ns --without-gconf --with-gsettings --with-toolkit-scroll-bars --with-gif --with-jpeg --with-png --with-rsvg --with-tiff --with-xpm --with-imagemagick --with-xft --with-libotf --with-m17n-flt --with-x-toolkit=gtk3 GENTOO_PACKAGE=app-editors/emacs-vcs-24.3.9999 EBZR_BRANCH=trunk EBZR_REVNO=113772 CFLAGS='-march=native -pipe -g3 -ggdb' LDFLAGS='-Wl,-O1 -Wl,--as-needed'' Important settings: value of $LC_COLLATE: C value of $LC_MONETARY: de_DE.utf8 value of $LC_NUMERIC: de_DE.utf8 value of $LC_TIME: de_DE.utf8 value of $LANG: en_US.UTF-8 locale-coding-system: utf-8-unix default enable-multibyte-characters: t Major mode: Message Minor modes in effect: gnus-message-citation-mode: t diff-auto-refine-mode: t mml-mode: t global-edit-server-edit-mode: t yas-minor-mode: t recentf-mode: t shell-dirtrack-mode: t global-subword-mode: t subword-mode: t savehist-mode: t show-paren-mode: t ido-everywhere: t minibuffer-depth-indicate-mode: t tooltip-mode: t mouse-wheel-mode: t file-name-shadow-mode: t global-font-lock-mode: t font-lock-mode: t blink-cursor-mode: t auto-composition-mode: t auto-encryption-mode: t auto-compression-mode: t column-number-mode: t line-number-mode: t auto-fill-function: message-do-auto-fill transient-mark-mode: t Recent input: l s - m i M-/ . M-q M-q b SPC SPC S o SPC a p p a r e n t l y SPC F a s t m a i l SPC d o e s n ' t SPC s u p p o r t SPC 2 0 4 8 SPC b i t SPC s i z e d SPC p r i m e s SPC a n y m o r e SPC f o r SPC w h a t e v e r SPC r i e a s o n . SPC ( o r SPC m a y b e SPC j u s t SPC t o d a y / n o w ) M-q M-q f i r s t SPC f o r SPC e v e r y SPC s e r v e r M-q ? M-q M-x r e p o Recent messages: Type C-x 1 to delete the help window. Auto-saving...done Mark set Quit Auto-saving...done No expansion found [2 times] Using try-expand-dabbrev [yas] snippet expanded. [yas] Snippet 2 exited. Auto-saving...done Load-path shadows: ~/Repos/el/magit/.dir-locals hides ~/Repos/el/highlight-symbol.el/.dir-locals ~/Repos/el/magit/.dir-locals hides ~/Repos/el/gnus/lisp/.dir-locals ~/Repos/el/auctex/lpath hides ~/Repos/el/gnus/lisp/lpath ~/Repos/el/gnus/lisp/hex-util hides /usr/share/emacs/24.3.50/lisp/hex-util ~/Repos/el/gnus/lisp/color hides /usr/share/emacs/24.3.50/lisp/color ~/Repos/el/gnus/lisp/format-spec hides /usr/share/emacs/24.3.50/lisp/format-spec ~/Repos/el/gnus/lisp/password-cache hides /usr/share/emacs/24.3.50/lisp/password-cache ~/Repos/el/gnus/lisp/md4 hides /usr/share/emacs/24.3.50/lisp/md4 ~/Repos/el/gnus/lisp/dns-mode hides /usr/share/emacs/24.3.50/lisp/textmodes/dns-mode ~/Repos/el/gnus/lisp/hmac-def hides /usr/share/emacs/24.3.50/lisp/net/hmac-def ~/Repos/el/gnus/lisp/sasl hides /usr/share/emacs/24.3.50/lisp/net/sasl ~/Repos/el/gnus/lisp/dns hides /usr/share/emacs/24.3.50/lisp/net/dns ~/Repos/el/gnus/lisp/ntlm hides /usr/share/emacs/24.3.50/lisp/net/ntlm ~/Repos/el/gnus/lisp/sasl-digest hides /usr/share/emacs/24.3.50/lisp/net/sasl-digest ~/Repos/el/gnus/lisp/dig hides /usr/share/emacs/24.3.50/lisp/net/dig ~/Repos/el/gnus/lisp/hmac-md5 hides /usr/share/emacs/24.3.50/lisp/net/hmac-md5 ~/Repos/el/gnus/lisp/tls hides /usr/share/emacs/24.3.50/lisp/net/tls ~/Repos/el/gnus/lisp/sasl-cram hides /usr/share/emacs/24.3.50/lisp/net/sasl-cram ~/Repos/el/gnus/lisp/sasl-ntlm hides /usr/share/emacs/24.3.50/lisp/net/sasl-ntlm ~/Repos/el/gnus/lisp/netrc hides /usr/share/emacs/24.3.50/lisp/net/netrc ~/Repos/el/gnus/lisp/binhex hides /usr/share/emacs/24.3.50/lisp/mail/binhex ~/Repos/el/gnus/lisp/hashcash hides /usr/share/emacs/24.3.50/lisp/mail/hashcash ~/Repos/el/gnus/lisp/uudecode hides /usr/share/emacs/24.3.50/lisp/mail/uudecode ~/Repos/el/gnus/lisp/gnus-undo hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-undo ~/Repos/el/gnus/lisp/qp hides /usr/share/emacs/24.3.50/lisp/gnus/qp ~/Repos/el/gnus/lisp/nnmail hides /usr/share/emacs/24.3.50/lisp/gnus/nnmail ~/Repos/el/gnus/lisp/gnus-srvr hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-srvr ~/Repos/el/gnus/lisp/smiley hides /usr/share/emacs/24.3.50/lisp/gnus/smiley ~/Repos/el/gnus/lisp/mm-encode hides /usr/share/emacs/24.3.50/lisp/gnus/mm-encode ~/Repos/el/gnus/lisp/spam-stat hides /usr/share/emacs/24.3.50/lisp/gnus/spam-stat ~/Repos/el/gnus/lisp/gnus-cite hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-cite ~/Repos/el/gnus/lisp/nnnil hides /usr/share/emacs/24.3.50/lisp/gnus/nnnil ~/Repos/el/gnus/lisp/mm-bodies hides /usr/share/emacs/24.3.50/lisp/gnus/mm-bodies ~/Repos/el/gnus/lisp/nndir hides /usr/share/emacs/24.3.50/lisp/gnus/nndir ~/Repos/el/gnus/lisp/gnus-picon hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-picon ~/Repos/el/gnus/lisp/score-mode hides /usr/share/emacs/24.3.50/lisp/gnus/score-mode ~/Repos/el/gnus/lisp/gnus-demon hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-demon ~/Repos/el/gnus/lisp/gssapi hides /usr/share/emacs/24.3.50/lisp/gnus/gssapi ~/Repos/el/gnus/lisp/gnus-delay hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-delay ~/Repos/el/gnus/lisp/nntp hides /usr/share/emacs/24.3.50/lisp/gnus/nntp ~/Repos/el/gnus/lisp/gnus-spec hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-spec ~/Repos/el/gnus/lisp/mml hides /usr/share/emacs/24.3.50/lisp/gnus/mml ~/Repos/el/gnus/lisp/utf7 hides /usr/share/emacs/24.3.50/lisp/gnus/utf7 ~/Repos/el/gnus/lisp/nndiary hides /usr/share/emacs/24.3.50/lisp/gnus/nndiary ~/Repos/el/gnus/lisp/rtree hides /usr/share/emacs/24.3.50/lisp/gnus/rtree ~/Repos/el/gnus/lisp/compface hides /usr/share/emacs/24.3.50/lisp/gnus/compface ~/Repos/el/gnus/lisp/smime hides /usr/share/emacs/24.3.50/lisp/gnus/smime ~/Repos/el/gnus/lisp/starttls hides /usr/share/emacs/24.3.50/lisp/gnus/starttls ~/Repos/el/gnus/lisp/gnus-win hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-win ~/Repos/el/gnus/lisp/gnus-draft hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-draft ~/Repos/el/gnus/lisp/gnus-dup hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-dup ~/Repos/el/gnus/lisp/auth-source hides /usr/share/emacs/24.3.50/lisp/gnus/auth-source ~/Repos/el/gnus/lisp/nnrss hides /usr/share/emacs/24.3.50/lisp/gnus/nnrss ~/Repos/el/gnus/lisp/nndoc hides /usr/share/emacs/24.3.50/lisp/gnus/nndoc ~/Repos/el/gnus/lisp/mm-view hides /usr/share/emacs/24.3.50/lisp/gnus/mm-view ~/Repos/el/gnus/lisp/gnus-cache hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-cache ~/Repos/el/gnus/lisp/gnus-cus hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-cus ~/Repos/el/gnus/lisp/flow-fill hides /usr/share/emacs/24.3.50/lisp/gnus/flow-fill ~/Repos/el/gnus/lisp/nnfolder hides /usr/share/emacs/24.3.50/lisp/gnus/nnfolder ~/Repos/el/gnus/lisp/mml-sec hides /usr/share/emacs/24.3.50/lisp/gnus/mml-sec ~/Repos/el/gnus/lisp/rfc2045 hides /usr/share/emacs/24.3.50/lisp/gnus/rfc2045 ~/Repos/el/gnus/lisp/nnheader hides /usr/share/emacs/24.3.50/lisp/gnus/nnheader ~/Repos/el/gnus/lisp/nnoo hides /usr/share/emacs/24.3.50/lisp/gnus/nnoo ~/Repos/el/gnus/lisp/nnvirtual hides /usr/share/emacs/24.3.50/lisp/gnus/nnvirtual ~/Repos/el/gnus/lisp/rfc2231 hides /usr/share/emacs/24.3.50/lisp/gnus/rfc2231 ~/Repos/el/gnus/lisp/message hides /usr/share/emacs/24.3.50/lisp/gnus/message ~/Repos/el/gnus/lisp/gnus-sync hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-sync ~/Repos/el/gnus/lisp/gmm-utils hides /usr/share/emacs/24.3.50/lisp/gnus/gmm-utils ~/Repos/el/magit/.dir-locals hides /usr/share/emacs/24.3.50/lisp/gnus/.dir-locals ~/Repos/el/gnus/lisp/nnbabyl hides /usr/share/emacs/24.3.50/lisp/gnus/nnbabyl ~/Repos/el/gnus/lisp/gnus-msg hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-msg ~/Repos/el/gnus/lisp/registry hides /usr/share/emacs/24.3.50/lisp/gnus/registry ~/Repos/el/gnus/lisp/rfc2104 hides /usr/share/emacs/24.3.50/lisp/gnus/rfc2104 ~/Repos/el/gnus/lisp/spam hides /usr/share/emacs/24.3.50/lisp/gnus/spam ~/Repos/el/gnus/lisp/nnmairix hides /usr/share/emacs/24.3.50/lisp/gnus/nnmairix ~/Repos/el/gnus/lisp/gnus-mlspl hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-mlspl ~/Repos/el/gnus/lisp/gnus-mh hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-mh ~/Repos/el/gnus/lisp/gnus-ml hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-ml ~/Repos/el/gnus/lisp/nnimap hides /usr/share/emacs/24.3.50/lisp/gnus/nnimap ~/Repos/el/gnus/lisp/mailcap hides /usr/share/emacs/24.3.50/lisp/gnus/mailcap ~/Repos/el/gnus/lisp/gnus-start hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-start ~/Repos/el/gnus/lisp/mm-decode hides /usr/share/emacs/24.3.50/lisp/gnus/mm-decode ~/Repos/el/gnus/lisp/plstore hides /usr/share/emacs/24.3.50/lisp/gnus/plstore ~/Repos/el/gnus/lisp/pop3 hides /usr/share/emacs/24.3.50/lisp/gnus/pop3 ~/Repos/el/gnus/lisp/mm-extern hides /usr/share/emacs/24.3.50/lisp/gnus/mm-extern ~/Repos/el/gnus/lisp/sieve-manage hides /usr/share/emacs/24.3.50/lisp/gnus/sieve-manage ~/Repos/el/gnus/lisp/nnir hides /usr/share/emacs/24.3.50/lisp/gnus/nnir ~/Repos/el/gnus/lisp/mml1991 hides /usr/share/emacs/24.3.50/lisp/gnus/mml1991 ~/Repos/el/gnus/lisp/nndraft hides /usr/share/emacs/24.3.50/lisp/gnus/nndraft ~/Repos/el/gnus/lisp/mail-source hides /usr/share/emacs/24.3.50/lisp/gnus/mail-source ~/Repos/el/gnus/lisp/gnus-salt hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-salt ~/Repos/el/gnus/lisp/spam-wash hides /usr/share/emacs/24.3.50/lisp/gnus/spam-wash ~/Repos/el/gnus/lisp/nneething hides /usr/share/emacs/24.3.50/lisp/gnus/nneething ~/Repos/el/gnus/lisp/mml-smime hides /usr/share/emacs/24.3.50/lisp/gnus/mml-smime ~/Repos/el/gnus/lisp/deuglify hides /usr/share/emacs/24.3.50/lisp/gnus/deuglify ~/Repos/el/gnus/lisp/mm-partial hides /usr/share/emacs/24.3.50/lisp/gnus/mm-partial ~/Repos/el/gnus/lisp/spam-report hides /usr/share/emacs/24.3.50/lisp/gnus/spam-report ~/Repos/el/gnus/lisp/nnspool hides /usr/share/emacs/24.3.50/lisp/gnus/nnspool ~/Repos/el/gnus/lisp/gnus-gravatar hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-gravatar ~/Repos/el/gnus/lisp/gnus hides /usr/share/emacs/24.3.50/lisp/gnus/gnus ~/Repos/el/gnus/lisp/gnus-dired hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-dired ~/Repos/el/gnus/lisp/mml2015 hides /usr/share/emacs/24.3.50/lisp/gnus/mml2015 ~/Repos/el/gnus/lisp/html2text hides /usr/share/emacs/24.3.50/lisp/gnus/html2text ~/Repos/el/gnus/lisp/nnmaildir hides /usr/share/emacs/24.3.50/lisp/gnus/nnmaildir ~/Repos/el/gnus/lisp/ecomplete hides /usr/share/emacs/24.3.50/lisp/gnus/ecomplete ~/Repos/el/gnus/lisp/gnus-ems hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-ems ~/Repos/el/gnus/lisp/nnweb hides /usr/share/emacs/24.3.50/lisp/gnus/nnweb ~/Repos/el/gnus/lisp/gnus-group hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-group ~/Repos/el/gnus/lisp/nnregistry hides /usr/share/emacs/24.3.50/lisp/gnus/nnregistry ~/Repos/el/gnus/lisp/ietf-drums hides /usr/share/emacs/24.3.50/lisp/gnus/ietf-drums ~/Repos/el/gnus/lisp/legacy-gnus-agent hides /usr/share/emacs/24.3.50/lisp/gnus/legacy-gnus-agent ~/Repos/el/gnus/lisp/gnus-bcklg hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-bcklg ~/Repos/el/gnus/lisp/gnus-sum hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-sum ~/Repos/el/gnus/lisp/gnus-icalendar hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-icalendar ~/Repos/el/gnus/lisp/rfc2047 hides /usr/share/emacs/24.3.50/lisp/gnus/rfc2047 ~/Repos/el/gnus/lisp/canlock hides /usr/share/emacs/24.3.50/lisp/gnus/canlock ~/Repos/el/gnus/lisp/sieve hides /usr/share/emacs/24.3.50/lisp/gnus/sieve ~/Repos/el/gnus/lisp/gnus-util hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-util ~/Repos/el/gnus/lisp/gnus-fun hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-fun ~/Repos/el/gnus/lisp/nnml hides /usr/share/emacs/24.3.50/lisp/gnus/nnml ~/Repos/el/gnus/lisp/mm-util hides /usr/share/emacs/24.3.50/lisp/gnus/mm-util ~/Repos/el/gnus/lisp/gnus-bookmark hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-bookmark ~/Repos/el/gnus/lisp/gnus-kill hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-kill ~/Repos/el/gnus/lisp/mm-url hides /usr/share/emacs/24.3.50/lisp/gnus/mm-url ~/Repos/el/gnus/lisp/gnus-async hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-async ~/Repos/el/gnus/lisp/nngateway hides /usr/share/emacs/24.3.50/lisp/gnus/nngateway ~/Repos/el/gnus/lisp/sieve-mode hides /usr/share/emacs/24.3.50/lisp/gnus/sieve-mode ~/Repos/el/gnus/lisp/gnus-int hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-int ~/Repos/el/gnus/lisp/gravatar hides /usr/share/emacs/24.3.50/lisp/gnus/gravatar ~/Repos/el/gnus/lisp/gnus-notifications hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-notifications ~/Repos/el/gnus/lisp/gnus-art hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-art ~/Repos/el/gnus/lisp/yenc hides /usr/share/emacs/24.3.50/lisp/gnus/yenc ~/Repos/el/gnus/lisp/nnmh hides /usr/share/emacs/24.3.50/lisp/gnus/nnmh ~/Repos/el/gnus/lisp/mail-prsvr hides /usr/share/emacs/24.3.50/lisp/gnus/mail-prsvr ~/Repos/el/gnus/lisp/gnus-range hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-range ~/Repos/el/gnus/lisp/mm-archive hides /usr/share/emacs/24.3.50/lisp/gnus/mm-archive ~/Repos/el/gnus/lisp/gnus-sieve hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-sieve ~/Repos/el/gnus/lisp/gnus-agent hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-agent ~/Repos/el/gnus/lisp/messcompat hides /usr/share/emacs/24.3.50/lisp/gnus/messcompat ~/Repos/el/gnus/lisp/mm-uu hides /usr/share/emacs/24.3.50/lisp/gnus/mm-uu ~/Repos/el/gnus/lisp/gnus-logic hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-logic ~/Repos/el/gnus/lisp/gnus-topic hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-topic ~/Repos/el/gnus/lisp/gnus-diary hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-diary ~/Repos/el/gnus/lisp/gnus-setup hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-setup ~/Repos/el/gnus/lisp/nnmbox hides /usr/share/emacs/24.3.50/lisp/gnus/nnmbox ~/Repos/el/gnus/lisp/rfc1843 hides /usr/share/emacs/24.3.50/lisp/gnus/rfc1843 ~/Repos/el/gnus/lisp/gnus-eform hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-eform ~/Repos/el/gnus/lisp/gnus-vm hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-vm ~/Repos/el/gnus/lisp/nnagent hides /usr/share/emacs/24.3.50/lisp/gnus/nnagent ~/Repos/el/gnus/lisp/mail-parse hides /usr/share/emacs/24.3.50/lisp/gnus/mail-parse ~/Repos/el/gnus/lisp/gnus-html hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-html ~/Repos/el/gnus/lisp/gnus-uu hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-uu ~/Repos/el/gnus/lisp/gnus-registry hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-registry ~/Repos/el/gnus/lisp/gnus-score hides /usr/share/emacs/24.3.50/lisp/gnus/gnus-score ~/Repos/el/gnus/lisp/time-date hides /usr/share/emacs/24.3.50/lisp/calendar/time-date ~/Repos/el/gnus/lisp/parse-time hides /usr/share/emacs/24.3.50/lisp/calendar/parse-time Features: (shadow emacsbug flow-fill mm-archive hippie-exp timezone oauth2 json plstore align url-http url-gw url-auth pp mailalias smtpmail sendmail qp mule-util sort smiley gnus-cite gnus-async gnus-bcklg gnus-draft gnus-ml misearch multi-isearch vc-git cus-start cus-load hl-line nndraft nnmh rot13 utf-7 gnutls network-stream starttls nnimap parse-time tls utf7 netrc nnml nnnil gnus-agent gnus-srvr gnus-score score-mode nnvirtual gnus-cache gnus-demon nntp spam spam-stat gnus-uu yenc gnus-msg gnus-gravatar mail-extr gravatar gnus-topic nnir gnus-registry registry eieio-base th-private highlight-parentheses stratego-mode go-mode-load greql-mode tg-mode generic preview-latex tex-site auto-loads paredit magit-cherry magit-bisect magit-log-edit log-edit pcvs-util add-log magit-key-mode magit diff-mode magit-compat epa-file epa epg rdictcc google-contacts-message google-contacts-gnus gnus-art mm-uu mml2015 epg-config mm-view mml-smime smime dig gnus-sum nnoo gnus-group gnus-undo nnmail mail-source gnus-start gnus-spec gnus-int gnus-range gnus-win gnus gnus-ems gnus-compat nnheader google-contacts url-cache google-oauth dired-x em-term term ehelp electric esh-opt esh-ext esh-util highlight-symbol boxquote ecomplete message idna rfc822 mml mml-sec mm-decode mm-bodies mm-encode mail-parse rfc2231 rfc2047 rfc2045 ietf-drums mailabbrev mail-utils gmm-utils mailheader info edit-server server yasnippet help-mode disp-table noutline outline browse-kill-ring recentf tree-widget wid-edit helm-nrepl helm-elisp helm-eval helm-info helm-net browse-url xml url url-proxy url-privacy url-expand url-methods url-history url-cookie url-domsuf url-util url-parse url-vars mailcap helm-plugin nrepl ewoc eldoc arc-mode archive-mode etags clojure-mode derived imenu inf-lisp tramp tramp-compat auth-source eieio byte-opt bytecomp byte-compile cconv eieio-core gnus-util mm-util mail-prsvr password-cache tramp-loaddefs trampver shell pcomplete format-spec helm-buffers helm-grep helm-regexp grep helm-elscreen helm-utils dired compile comint ansi-color ring helm helm-config helm-aliases easymenu uniquify multiple-cursors mc-separate-operations rectangular-region-mode mc-mark-pop mc-mark-more thingatpt mc-cycle-cursors mc-edit-lines multiple-cursors-core easy-mmode rect iedit help-macro iedit-lib cl-macs gv cl superword subword saveplace savehist paren ido mb-depth advice help-fns diminish rx windmove edmacro kmacro cl-loaddefs cl-lib gnus-load tsdh-dark-theme ack-and-a-half-autoloads boxquote-autoloads browse-kill-ring-autoloads debbugs-autoloads graphviz-dot-mode-autoloads highlight-parentheses-autoloads markdown-mode-autoloads memory-usage-autoloads window-number-autoloads package site-gentoo time-date tooltip ediff-hook vc-hooks lisp-float-type mwheel x-win x-dnd tool-bar dnd fontset image regexp-opt fringe tabulated-list newcomment lisp-mode prog-mode register page menu-bar rfn-eshadow timer select scroll-bar mouse jit-lock font-lock syntax facemenu font-core frame cham georgian utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao korean japanese hebrew greek romanian slovak czech european ethiopic indian cyrillic chinese case-table epa-hook jka-cmpr-hook help simple abbrev minibuffer nadvice loaddefs button faces cus-face macroexp files text-properties overlay sha1 md5 base64 format env code-pages mule custom widget hashtable-print-readable backquote make-network-process dbusbind inotify dynamic-setting system-font-setting font-render-setting move-toolbar gtk x-toolkit x multi-tty emacs) From unknown Mon Aug 18 08:59:25 2025 X-Loop: help-debbugs@gnu.org Subject: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits Resent-From: Lars Magne Ingebrigtsen Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org, bugs@gnus.org Resent-Date: Sun, 11 Aug 2013 20:05:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 15057 X-GNU-PR-Package: emacs,gnus X-GNU-PR-Keywords: To: Tassilo Horn Cc: 15057@debbugs.gnu.org Received: via spool by 15057-submit@debbugs.gnu.org id=B15057.137625144232760 (code B ref 15057); Sun, 11 Aug 2013 20:05:01 +0000 Received: (at 15057) by debbugs.gnu.org; 11 Aug 2013 20:04:02 +0000 Received: from localhost ([127.0.0.1]:53390 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1V8brt-0008W8-Qv for submit@debbugs.gnu.org; Sun, 11 Aug 2013 16:04:02 -0400 Received: from hermes.netfonds.no ([80.91.224.195]:57032) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1V8brq-0008Vr-2i for 15057@debbugs.gnu.org; Sun, 11 Aug 2013 16:03:59 -0400 Received: from cm-84.215.51.58.getinternet.no ([84.215.51.58] helo=stories.gnus.org) by hermes.netfonds.no with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from ) id 1V8bre-0008Gz-GN; Sun, 11 Aug 2013 22:03:46 +0200 From: Lars Magne Ingebrigtsen References: <87iozfl001.fsf@thinkpad.tsdh.org> Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwBAMAAAClLOS0AAAAFVBMVEXv4M3z6MMzKy67rqjZ y8Lr3M3l1sorqWIfAAACZklEQVQ4jV1UwW7bMAylkchnC1l/wAZ2Xi3N5wamdVbRSGdvpfT/n7BH 20G9MkAA8YmP5CNlcofNXFISLsyhhloj7W72wplnDlyr5MpcD8D7mWEiQapIRRTBxyGUlFOONUdJ LQsHWQAoK/hTWonIpGi4RNIcvDG/p0QNrGvINh2uwH+/2z/WvlDXNNZ2+FkFkMG+2+bFdu/wAL/d ARgAzgG4v9qucbdXxRBGyOLmu73r6fb6w+72YklzBA7O47i5u9sE3wNMNHposdMjrNPLhtq4VbVm 5L43FpUvqCfSBvaTS29kEHwZnAuRWu0TBr3QWlpACslComtRdzqAutKlVxEKXZ8RzuPg3ujvMEWN 1cSax7kp0mUlMzo/cc3tlJe4IhEqiajhw4HJ9bCBOc0IgVaR0kf/ZYGdIyE/uypuPAG/61aXH/uh /89+ZjRjiMf+m01YkSuq+u7vf+2NKHDmchO6VtsOu29ArymqgE9g0NWacqWzoS8vaLWtJb6tJ8BD RJRhWinFnwGWmkQnk3N1ZyovITEicgk1ngGea/lER1h+oqzQ9TlBwRLRpWiioJ6WSXNho7HH5rEA bn8dNHlf0ZIetSxUvvi1Re9Ql9TozTN3OqrC+5CwGG8OLUzduQYAHNb93hZzUOKpeZ7wkijuC2LS YyvODW7wiz6xkvSfyqElJB+g9hUXC7VYvHRQjZgSgAdEx7ZoM3FPNfoREVly0YKK7hhtw/Junn0Q fA6iac8AkmOvZS4YS651jVs/JmK0fvZVPgJicg5xl2oDMFsALElyChoA9aG/w456lk90CcWWrEBb 8voPlpDBomQbADsAAAAASUVORK5CYII= X-Now-Playing: Arto Lindsay's _Ecomixes_: "Unsure (Live)" X-Hashcash: 1:23:130811:15057@debbugs.gnu.org::Zkk7vI71dUUg6XXQ:0000000000000000000000000000000000000000CjlN X-Hashcash: 1:23:130811:tsdh@gnu.org::nD2GKxJiAAvZMy+F:00000c/vD Date: Sun, 11 Aug 2013 22:03:46 +0200 In-Reply-To: <87iozfl001.fsf@thinkpad.tsdh.org> (Tassilo Horn's message of "Fri, 09 Aug 2013 10:52:14 +0200") Message-ID: User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-MailScanner-ID: 1V8bre-0008Gz-GN X-Netfonds-MailScanner: Found to be clean X-Netfonds-MailScanner-From: larsi@gnus.org MailScanner-NULL-Check: 1376856226.76473@LoU9LMD9uKANEa1OvCq7MA X-Spam-Status: No X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.0 (/) Tassilo Horn writes: > When TLS support landed and Gnus used it, I frequently had messages like > "the Diffie-Hellman prime has been lowered to XXX bits" for XXX being > 256(?) or something like that. Then I've set The fix here is to make that warning go away. But we're moving to a new version of gnutls, so nobody has taken the time to twiddle with warning from the old version of the gnutls library. > Would it be possible to have a new variable > `gnutls-preferred-prime-bits' which is tried first for every connection? > If the server doesn't want to, you'd get a warning and the number of > bits would be lowered, but never below `gnutls-min-prime-bits' which > would still be the hard limit where you get an error. gnutls will try to use as high a number of bits as the server supports, I think? So the variables are fine as they are -- they will give you all the security that the server says that it can provide. So the warning is kinda semi-bogus. Or at least ... premature. -- (domestic pets only, the antidote for overdose, milk.) No Gnus T-Shirt for sale: http://ingebrigtsen.no/no.php and http://lars.ingebrigtsen.no/2013/08/twenty-years-of-september.html From unknown Mon Aug 18 08:59:25 2025 X-Loop: help-debbugs@gnu.org Subject: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits Resent-From: Ted Zlatanov Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org, bugs@gnus.org Resent-Date: Mon, 07 Oct 2013 22:28:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 15057 X-GNU-PR-Package: emacs,gnus X-GNU-PR-Keywords: To: Lars Magne Ingebrigtsen Cc: 15057@debbugs.gnu.org, Tassilo Horn Received: via spool by 15057-submit@debbugs.gnu.org id=B15057.138118487618378 (code B ref 15057); Mon, 07 Oct 2013 22:28:01 +0000 Received: (at 15057) by debbugs.gnu.org; 7 Oct 2013 22:27:56 +0000 Received: from localhost ([127.0.0.1]:33038 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1VTJHP-0004mL-2w for submit@debbugs.gnu.org; Mon, 07 Oct 2013 18:27:55 -0400 Received: from mail-qe0-f48.google.com ([209.85.128.48]:58569) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1VTJHK-0004mB-AF for 15057@debbugs.gnu.org; Mon, 07 Oct 2013 18:27:53 -0400 Received: by mail-qe0-f48.google.com with SMTP id q19so1690636qeb.7 for <15057@debbugs.gnu.org>; Mon, 07 Oct 2013 15:27:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lifelogs.com; s=google; h=from:to:cc:subject:organization:references:mail-copies-to :gmane-reply-to-list:date:in-reply-to:message-id:user-agent :mime-version:content-type; bh=G0fu9BkwijFuxx3erz0LC2+36hfXpnjuoZdT3BigtNk=; b=Td4DPS19rLfZTFINRVpm9pPLBLCFzfnle5GtJDTDw8mDZhH0wgRbATXahMy4JDE65P cPMMF9IGziSgnbEFur16OAsovMfWSk0uPO6DQ/GCUUEVdbBtoC2ULXwlmQWirN3Irvp3 tEOa069w11gEjaNG94Nf4+zD/NkCXDWi8lTms= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:organization:references :mail-copies-to:gmane-reply-to-list:date:in-reply-to:message-id :user-agent:mime-version:content-type; bh=G0fu9BkwijFuxx3erz0LC2+36hfXpnjuoZdT3BigtNk=; b=cWoDuqLHWjpThbAoN2Q7cOp07f2+OMDK6p36ozcT/2DXod1XbssxSdq1sxO+UV7K6w 2lnFE6F7ddXm2rG6DlsQ/dBiLqP438LgxlUVFd+RUjqn8T5UQcoZ/Xsro0d848Ddxww/ sm1fjeEEiuL/liwed9XIexxTAPKC+0Uge+V89BdWAZPPL4ZFaL2rAaPkMc2sM5VDT3wT ZYCOrAqp9qt6DUbr6uChL8Cocc4j422F/7sIW93alN7DRerrktYuY31pMR12jpOikavi EK8JLadnlX03tLgivUu484+b+QzAuuZb25VTLmJFxOq8DXTCTyYuPtL/O3dWbm0honA3 0O0Q== X-Gm-Message-State: ALoCoQl5TpY8+Y56TU4C1FFAxXQRu9yFCUCu0byT9IGlctSzeFOsDDNSPA8DU9OL3t9fwGNwBlx4 X-Received: by 10.224.172.132 with SMTP id l4mr39604917qaz.22.1381184869789; Mon, 07 Oct 2013 15:27:49 -0700 (PDT) Received: from flea.lifelogs.com (c-98-229-61-72.hsd1.ma.comcast.net. [98.229.61.72]) by mx.google.com with ESMTPSA id r5sm66945731qaj.13.1969.12.31.16.00.00 (version=TLSv1.2 cipher=RC4-SHA bits=128/128); Mon, 07 Oct 2013 15:27:49 -0700 (PDT) From: Ted Zlatanov Organization: =?UTF-8?Q?=D0=A2=D0=B5=D0=BE=D0=B4=D0=BE=D1=80_?= =?UTF-8?Q?=D0=97=D0=BB=D0=B0=D1=82=D0=B0=D0=BD=D0=BE=D0=B2?= @ Cienfuegos References: <87iozfl001.fsf@thinkpad.tsdh.org> X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6; d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT= D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx" Mail-Copies-To: never Gmane-Reply-To-List: yes Date: Mon, 07 Oct 2013 18:27:58 -0400 In-Reply-To: (Lars Magne Ingebrigtsen's message of "Sun, 11 Aug 2013 22:03:46 +0200") Message-ID: <87li24zpg1.fsf@flea.lifelogs.com> User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) On Sun, 11 Aug 2013 22:03:46 +0200 Lars Magne Ingebrigtsen wrote: LMI> Tassilo Horn writes: >> When TLS support landed and Gnus used it, I frequently had messages like >> "the Diffie-Hellman prime has been lowered to XXX bits" for XXX being >> 256(?) or something like that. Then I've set LMI> The fix here is to make that warning go away. But we're moving to a new LMI> version of gnutls, so nobody has taken the time to twiddle with warning LMI> from the old version of the gnutls library. See bug#14774 for some info on the warning; I think this is a legitimate warning. >> Would it be possible to have a new variable >> `gnutls-preferred-prime-bits' which is tried first for every connection? >> If the server doesn't want to, you'd get a warning and the number of >> bits would be lowered, but never below `gnutls-min-prime-bits' which >> would still be the hard limit where you get an error. LMI> gnutls will try to use as high a number of bits as the server supports, LMI> I think? So the variables are fine as they are -- they will give you LMI> all the security that the server says that it can provide. LMI> So the warning is kinda semi-bogus. Or at least ... premature. It's complicated and depends on the specific TLS priority string on the client and the server's preferences; e.g. ECC seems to negotiate in a completely different way. I asked on the gnutls-devel mailing list and there's just no good answer AFAICT. Ted From unknown Mon Aug 18 08:59:25 2025 X-Loop: help-debbugs@gnu.org Subject: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits Resent-From: Lars Ingebrigtsen Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org, bugs@gnus.org Resent-Date: Fri, 31 Jan 2014 00:48:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 15057 X-GNU-PR-Package: emacs,gnus X-GNU-PR-Keywords: To: 15057@debbugs.gnu.org Cc: Tassilo Horn Received: via spool by 15057-submit@debbugs.gnu.org id=B15057.139112926910110 (code B ref 15057); Fri, 31 Jan 2014 00:48:01 +0000 Received: (at 15057) by debbugs.gnu.org; 31 Jan 2014 00:47:49 +0000 Received: from localhost ([127.0.0.1]:42043 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1W92Gq-0002d0-Qe for submit@debbugs.gnu.org; Thu, 30 Jan 2014 19:47:49 -0500 Received: from hermes.netfonds.no ([80.91.224.195]:44906) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1W92Go-0002cs-Nu for 15057@debbugs.gnu.org; Thu, 30 Jan 2014 19:47:47 -0500 Received: from [204.14.154.233] (helo=building.gnus.org) by hermes.netfonds.no with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from ) id 1W92Ga-00039a-JH; Fri, 31 Jan 2014 01:47:32 +0100 From: Lars Ingebrigtsen References: <87iozfl001.fsf@thinkpad.tsdh.org> <87li24zpg1.fsf@flea.lifelogs.com> Date: Thu, 30 Jan 2014 16:46:43 -0800 In-Reply-To: <87li24zpg1.fsf@flea.lifelogs.com> (Ted Zlatanov's message of "Mon, 07 Oct 2013 18:27:58 -0400") Message-ID: <87lhxx6kr0.fsf@building.gnus.org> User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-MailScanner-ID: 1W92Ga-00039a-JH X-Netfonds-MailScanner: Found to be clean X-Netfonds-MailScanner-From: larsi@gnus.org MailScanner-NULL-Check: 1391734053.22285@zRiGLCAenR9Gfw2ci8oKqw X-Spam-Status: No X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.0 (/) Ted Zlatanov writes: > LMI> gnutls will try to use as high a number of bits as the server supports, > LMI> I think? So the variables are fine as they are -- they will give you > LMI> all the security that the server says that it can provide. > > LMI> So the warning is kinda semi-bogus. Or at least ... premature. > > It's complicated and depends on the specific TLS priority string on the > client and the server's preferences; e.g. ECC seems to negotiate in a > completely different way. I asked on the gnutls-devel mailing list and > there's just no good answer AFAICT. But we're specifying the minimum prime bits that we accept. Surely the client and server will negotiate the maximum possible bits they both accept? -- (domestic pets only, the antidote for overdose, milk.) bloggy blog http://lars.ingebrigtsen.no/ From unknown Mon Aug 18 08:59:25 2025 X-Loop: help-debbugs@gnu.org Subject: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits Resent-From: Ted Zlatanov Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org, bugs@gnus.org Resent-Date: Mon, 10 Feb 2014 02:16:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 15057 X-GNU-PR-Package: emacs,gnus X-GNU-PR-Keywords: To: Lars Ingebrigtsen Cc: 15057@debbugs.gnu.org, Tassilo Horn Received: via spool by 15057-submit@debbugs.gnu.org id=B15057.13919985492621 (code B ref 15057); Mon, 10 Feb 2014 02:16:02 +0000 Received: (at 15057) by debbugs.gnu.org; 10 Feb 2014 02:15:49 +0000 Received: from localhost ([127.0.0.1]:32947 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WCgPU-0000fG-Do for submit@debbugs.gnu.org; Sun, 09 Feb 2014 21:15:49 -0500 Received: from mail-qa0-f52.google.com ([209.85.216.52]:38410) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WCgPO-0000Y6-DR for 15057@debbugs.gnu.org; Sun, 09 Feb 2014 21:15:46 -0500 Received: by mail-qa0-f52.google.com with SMTP id j15so8704402qaq.39 for <15057@debbugs.gnu.org>; Sun, 09 Feb 2014 18:15:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lifelogs.com; s=google; h=from:to:cc:subject:organization:references:mail-copies-to :gmane-reply-to-list:date:in-reply-to:message-id:user-agent :mime-version:content-type; bh=v15cLUzWX33ykOoTBB45x8L30UEIXyXzC0ueIJMd9j8=; b=YxJvWFTUlQZ3rRtXvO2w2hUsHnAhMsin+F61r89z0Drey5Ihb/jviKvgcpnykv6R8T HTh/u5jrbu3BdKPP3mSkjsojNwdMidDuDnj2AYZCKZN5bHq0MM5ku0dgKM7yaMbf2AIa ljmPkTHKTyItP2i6gU7cvVRAUleodrmwIshgc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:organization:references :mail-copies-to:gmane-reply-to-list:date:in-reply-to:message-id :user-agent:mime-version:content-type; bh=v15cLUzWX33ykOoTBB45x8L30UEIXyXzC0ueIJMd9j8=; b=VfqY9TohdhqTCaDp/fx6oYHkNVwpmRCICmgHPkNzOdHpV8lSFQZllmjQt/+OggrFp4 PMQ4iNZGpnQXjifpAljJn2kEmyE1ZFGp9l889IjkDHMoStB6QS0FKys4z6JbEmLSC79r a0odWBEPX9+ad9N1Mvpko40TATWS35J2fipKlSDtMyAEO3Q4V3tYcpVdrh5T6FXHyxO8 HMphWKheDCUkhTywKP+zKj+CEZTvU8qL+YYOyPogB1yD6GLW7BqEHge9MPfBSmTQ1azs v1olDPFUUqWziX9gvXQQLC3fm/TYT1HAvn/5rtmtwrZYxFV+KGov6m1OyH3uSpQWl6IO 8Hqw== X-Gm-Message-State: ALoCoQmdf6qzmqWkY0mB3lPMES5kE6xSa86wlvs1shr40DtJBPeRuMIiLgM1PJtTKgnkZW/NAj68 X-Received: by 10.140.83.203 with SMTP id j69mr6528686qgd.42.1391998542075; Sun, 09 Feb 2014 18:15:42 -0800 (PST) Received: from flea (c-98-229-61-72.hsd1.ma.comcast.net. [98.229.61.72]) by mx.google.com with ESMTPSA id r7sm21671743qgr.17.2014.02.09.18.15.41 for (version=TLSv1.2 cipher=RC4-SHA bits=128/128); Sun, 09 Feb 2014 18:15:41 -0800 (PST) From: Ted Zlatanov Organization: =?UTF-8?Q?=D0=A2=D0=B5=D0=BE=D0=B4=D0=BE=D1=80_?= =?UTF-8?Q?=D0=97=D0=BB=D0=B0=D1=82=D0=B0=D0=BD=D0=BE=D0=B2?= @ Cienfuegos References: <87iozfl001.fsf@thinkpad.tsdh.org> <87li24zpg1.fsf@flea.lifelogs.com> <87lhxx6kr0.fsf@building.gnus.org> X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6; d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT= D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx" Mail-Copies-To: never Gmane-Reply-To-List: yes Date: Sun, 09 Feb 2014 21:15:48 -0500 In-Reply-To: <87lhxx6kr0.fsf@building.gnus.org> (Lars Ingebrigtsen's message of "Thu, 30 Jan 2014 16:46:43 -0800") Message-ID: <871tzbaf1n.fsf@lifelogs.com> User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) On Thu, 30 Jan 2014 16:46:43 -0800 Lars Ingebrigtsen wrote: LI> Ted Zlatanov writes: LMI> gnutls will try to use as high a number of bits as the server supports, LMI> I think? So the variables are fine as they are -- they will give you LMI> all the security that the server says that it can provide. >> LMI> So the warning is kinda semi-bogus. Or at least ... premature. >> >> It's complicated and depends on the specific TLS priority string on the >> client and the server's preferences; e.g. ECC seems to negotiate in a >> completely different way. I asked on the gnutls-devel mailing list and >> there's just no good answer AFAICT. LI> But we're specifying the minimum prime bits that we accept. Surely the LI> client and server will negotiate the maximum possible bits they both LI> accept? See http://thread.gmane.org/gmane.network.gnutls.general/3181/focus=3299 Try, first of all, appending `!DHE-RSA:!DHE-DSS' to your GnuTLS priority string to disable DHE. ECDHE will not have the minimum bits message, ever, IIUC. The suggestion from Nikos was to make the above the *default* for all connections. I'm OK with that, if it works for you. Ted From unknown Mon Aug 18 08:59:25 2025 X-Loop: help-debbugs@gnu.org Subject: bug#15057: bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). Resent-From: Ted Zlatanov Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org, bugs@gnus.org Resent-Date: Mon, 10 Feb 2014 02:40:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 15057 X-GNU-PR-Package: emacs,gnus X-GNU-PR-Keywords: To: n.mavrogiannopoulos@gmail.com, winkler@gnu.org Cc: 15057@debbugs.gnu.org, 16253@debbugs.gnu.org, 11267@debbugs.gnu.org Received: via spool by 15057-submit@debbugs.gnu.org id=B15057.139199997210682 (code B ref 15057); Mon, 10 Feb 2014 02:40:03 +0000 Received: (at 15057) by debbugs.gnu.org; 10 Feb 2014 02:39:32 +0000 Received: from localhost ([127.0.0.1]:33024 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WCgmR-0002m8-Cy for submit@debbugs.gnu.org; Sun, 09 Feb 2014 21:39:31 -0500 Received: from mail-qc0-f172.google.com ([209.85.216.172]:60944) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WCgmI-0002lX-GF for 15057@debbugs.gnu.org; Sun, 09 Feb 2014 21:39:29 -0500 Received: by mail-qc0-f172.google.com with SMTP id c9so9740397qcz.3 for <15057@debbugs.gnu.org>; Sun, 09 Feb 2014 18:39:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lifelogs.com; s=google; h=from:to:cc:subject:organization:references:mail-copies-to :gmane-reply-to-list:date:in-reply-to:message-id:user-agent :mime-version:content-type; bh=guskNnvG7QbVxhUlCbBOpTPfT9PRYqzmedC8RBZ/PtY=; b=a8F5zT317lmkVqXh3Nex7fTsdWsMLyG44Gp2alJt8MeH3tK6wmtcbm00BcXCgGsGl0 EAJCiUaC06nHsXvl0q+zoakQdqsgCbUnPeyEYICq9/Bli9LHVMHkIGIuPToujcls19uB Ou0iwIVvz5JZFkQAO2mBsx0KJzj2NIuQYsAGg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:organization:references :mail-copies-to:gmane-reply-to-list:date:in-reply-to:message-id :user-agent:mime-version:content-type; bh=guskNnvG7QbVxhUlCbBOpTPfT9PRYqzmedC8RBZ/PtY=; b=iATaKspAMWP5E2WWAmpcKTDLrI+t/vHw4LAksYtAhCKhO61UeUqlE8oCNJjdaOR0/A gwX07ZoQ+/nNC6aYOJ1rFCfPIQYRVfFCUBB1JeHxKpjJ5JEu4HSK8bLpEUSDGfWwRz10 irH5rmWIKWGLZidI6qnDSQmx0uLsiUltj1WVSf56nNAmxoEsLENwp9qBUreJj4MeRQDd gt+/dFVtDz/Dtav7ttY+xMZi2AAomL/DVnmp8NutG6aoCADVgsvt9hdgNp4IQzzNs4Yl fMdYJ4orSQb2KUI3kLO0mQzecdmbW7dFi2YGKaF4ZMf4K56khBr+UCYKoLy+P2rbi3GV GYSw== X-Gm-Message-State: ALoCoQm/7o7XB0AgDUoYvBfQHfqbpk/yEnVh6TTQu1j23Hor4rXnustlVwOMZlAaTP1Ym/voHvYs X-Received: by 10.140.22.39 with SMTP id 36mr31802110qgm.59.1391999961913; Sun, 09 Feb 2014 18:39:21 -0800 (PST) Received: from flea (c-98-229-61-72.hsd1.ma.comcast.net. [98.229.61.72]) by mx.google.com with ESMTPSA id w9sm38570203qax.3.2014.02.09.18.39.20 for (version=TLSv1.2 cipher=RC4-SHA bits=128/128); Sun, 09 Feb 2014 18:39:20 -0800 (PST) From: Ted Zlatanov Organization: =?UTF-8?Q?=D0=A2=D0=B5=D0=BE=D0=B4=D0=BE=D1=80_?= =?UTF-8?Q?=D0=97=D0=BB=D0=B0=D1=82=D0=B0=D0=BD=D0=BE=D0=B2?= @ Cienfuegos References: <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org> <20367.61741.640831.184941@gargle.gargle.HOWL> <20368.16452.379860.520133@gargle.gargle.HOWL> <87k4152t8j.fsf@lifelogs.com> <20375.1898.39520.582160@gargle.gargle.HOWL> X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6; d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT= D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx" Mail-Copies-To: never Gmane-Reply-To-List: yes Date: Sun, 09 Feb 2014 21:39:28 -0500 In-Reply-To: (n. mavrogiannopoulos's message of "Fri, 18 May 2012 04:38:01 -0700 (PDT)") Message-ID: <87ob2f8zdr.fsf@lifelogs.com> User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) On Fri, 18 May 2012 04:38:01 -0700 (PDT) n.mavrogiannopoulos@gmail.com wrote: nm> On Tuesday, May 15, 2012 10:24:56 AM UTC+2, Ted Zlatanov wrote: >> On Sun, 13 May 2012 21:04:24 +0200 Lars Magne Ingebrigtsen wrote: >> LMI> "Roland Winkler" writes: >> >> Also, it would be good (though I don't know whether a generic answer >> >> is possible) to give some guidance on "reasonable" values for >> >> `gnutls-min-prime-bits' as compared to cases where it would be >> >> better to contact the sysadmin of the server requesting a change in >> >> the setup of the server. >> LMI> Yeah. And I think `gnutls-min-prime-bits' should default to whatever LMI> that "reasonable" is, because there's apparently quite a few servers out LMI> there that has less bits than whatever the GnuTLS default is. Which LMI> isn't a very good user experience. >> >> I'm OK with lowering it to 256. nm> Note that Diffie-Hellman group of 256-bits means that the communication can be nm> decrypted by someone that stored the session. The default minimum nm> accepted value in gnutls is already weak according to [0] (727 bits) nm> but a good balance between security and compatibility. (other nm> implementations like NSS have similar limits). nm> If you need to support weaker servers you could warn your users of the consequences. nm> [0]. http://www.keylength.com/en/3/ Hi Nikos, We've continued the discussion in bug#15057 (about the min prime bits) and bug#16253 (about the logging). I've copied all three bug trackers on this e-mail. I hope that helps connect them for searches and when we close them. Roland, if you are satisfied with the direction taken in those bugs, we can probably close this one. Thanks Ted From unknown Mon Aug 18 08:59:25 2025 X-Loop: help-debbugs@gnu.org Subject: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits Resent-From: Lars Ingebrigtsen Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org, bugs@gnus.org Resent-Date: Mon, 10 Feb 2014 03:01:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 15057 X-GNU-PR-Package: emacs,gnus X-GNU-PR-Keywords: To: 15057@debbugs.gnu.org Cc: Tassilo Horn Received: via spool by 15057-submit@debbugs.gnu.org id=B15057.139200120517326 (code B ref 15057); Mon, 10 Feb 2014 03:01:01 +0000 Received: (at 15057) by debbugs.gnu.org; 10 Feb 2014 03:00:05 +0000 Received: from localhost ([127.0.0.1]:33070 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WCh6K-0004VN-BX for submit@debbugs.gnu.org; Sun, 09 Feb 2014 22:00:04 -0500 Received: from hermes.netfonds.no ([80.91.224.195]:53706) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WCh6I-0004Uw-Af for 15057@debbugs.gnu.org; Sun, 09 Feb 2014 22:00:03 -0500 Received: from [204.14.154.233] (helo=building.gnus.org) by hermes.netfonds.no with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from ) id 1WCh63-0004gr-QB; Mon, 10 Feb 2014 03:59:48 +0100 From: Lars Ingebrigtsen References: <87iozfl001.fsf@thinkpad.tsdh.org> <87li24zpg1.fsf@flea.lifelogs.com> <87lhxx6kr0.fsf@building.gnus.org> <871tzbaf1n.fsf@lifelogs.com> Date: Sun, 09 Feb 2014 18:58:34 -0800 In-Reply-To: <871tzbaf1n.fsf@lifelogs.com> (Ted Zlatanov's message of "Sun, 09 Feb 2014 21:15:48 -0500") Message-ID: <87ppmvwu5h.fsf@building.gnus.org> User-Agent: Gnus/5.13001 (Ma Gnus v0.10) Emacs/24.3.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-MailScanner-ID: 1WCh63-0004gr-QB X-Netfonds-MailScanner: Found to be clean X-Netfonds-MailScanner-From: larsi@gnus.org MailScanner-NULL-Check: 1392605988.2622@zYwBeRPoCgJDDQQBmvzfOQ X-Spam-Status: No X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.0 (/) Ted Zlatanov writes: > See http://thread.gmane.org/gmane.network.gnutls.general/3181/focus=3299 > > Try, first of all, appending `!DHE-RSA:!DHE-DSS' to your GnuTLS priority > string to disable DHE. ECDHE will not have the minimum bits message, > ever, IIUC. But aren't there lots of (or some) servers that only supports DHE and not ECDHE? -- (domestic pets only, the antidote for overdose, milk.) bloggy blog http://lars.ingebrigtsen.no/ From unknown Mon Aug 18 08:59:25 2025 X-Loop: help-debbugs@gnu.org Subject: bug#15057: bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). Resent-From: "Roland Winkler" Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org, bugs@gnus.org Resent-Date: Mon, 10 Feb 2014 03:07:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 15057 X-GNU-PR-Package: emacs,gnus X-GNU-PR-Keywords: To: Ted Zlatanov Cc: 15057@debbugs.gnu.org, 16253@debbugs.gnu.org, n.mavrogiannopoulos@gmail.com, 11267@debbugs.gnu.org Received: via spool by 15057-submit@debbugs.gnu.org id=B15057.139200160518090 (code B ref 15057); Mon, 10 Feb 2014 03:07:02 +0000 Received: (at 15057) by debbugs.gnu.org; 10 Feb 2014 03:06:45 +0000 Received: from localhost ([127.0.0.1]:33086 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WChCn-0004hc-1q for submit@debbugs.gnu.org; Sun, 09 Feb 2014 22:06:45 -0500 Received: from fencepost.gnu.org ([208.118.235.10]:35548) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WChCk-0004hL-A4; Sun, 09 Feb 2014 22:06:42 -0500 Received: from 162-229-45-114.lightspeed.cicril.sbcglobal.net ([162.229.45.114]:53714 helo=regnitz) by fencepost.gnu.org with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1WChCj-0003So-Ak; Sun, 09 Feb 2014 22:06:41 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <21240.16957.410641.502622@gargle.gargle.HOWL> Date: Sun, 9 Feb 2014 21:06:37 -0600 From: "Roland Winkler" In-Reply-To: <87ob2f8zdr.fsf@lifelogs.com> References: <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org> <20367.61741.640831.184941@gargle.gargle.HOWL> <20368.16452.379860.520133@gargle.gargle.HOWL> <87k4152t8j.fsf@lifelogs.com> <20375.1898.39520.582160@gargle.gargle.HOWL> <87ob2f8zdr.fsf@lifelogs.com> X-Mailer: VM 8.2 trial under 24.3.1 (x86_64-unknown-linux-gnu) X-Spam-Score: -5.6 (-----) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.6 (-----) On Sun Feb 9 2014 Ted Zlatanov wrote: > Roland, if you are satisfied with the direction taken in those > bugs, we can probably close this one. I am still a bit confused concerning a "reasonable minimal value" for gnutls-min-prime-bits. Is 256 a value that I can feel comfortable about? Since this was made the default, I did not see again any error messages. But I cannot judge whether this means "all is OK". Part of the problem is certainly that most users do not even know that there is such a customizable user variable. So one can only hope that the default *is* reasonable. From unknown Mon Aug 18 08:59:25 2025 X-Loop: help-debbugs@gnu.org Subject: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). Resent-From: Ted Zlatanov Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org, bugs@gnus.org Resent-Date: Mon, 10 Feb 2014 10:53:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 15057 X-GNU-PR-Package: emacs,gnus X-GNU-PR-Keywords: To: Lars Ingebrigtsen Cc: Nikos Mavrogiannopoulos , Roland Winkler , 15057@debbugs.gnu.org, 16253@debbugs.gnu.org, 11267@debbugs.gnu.org, Tassilo Horn Received: via spool by 15057-submit@debbugs.gnu.org id=B15057.139202954726070 (code B ref 15057); Mon, 10 Feb 2014 10:53:02 +0000 Received: (at 15057) by debbugs.gnu.org; 10 Feb 2014 10:52:27 +0000 Received: from localhost ([127.0.0.1]:39190 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WCoTS-0006mN-Hi for submit@debbugs.gnu.org; Mon, 10 Feb 2014 05:52:27 -0500 Received: from mail-qc0-f173.google.com ([209.85.216.173]:34397) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WCoTN-0006lt-MZ for 15057@debbugs.gnu.org; Mon, 10 Feb 2014 05:52:25 -0500 Received: by mail-qc0-f173.google.com with SMTP id i8so10205027qcq.18 for <15057@debbugs.gnu.org>; Mon, 10 Feb 2014 02:52:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lifelogs.com; s=google; h=from:to:cc:subject:organization:references:mail-copies-to :gmane-reply-to-list:date:in-reply-to:message-id:user-agent :mime-version:content-type; bh=D8pTzJK38fxWd09M1Y8I9T/aHD98fh5Bh6eNV7qTQyI=; b=EijRegSnY/dRD3eWqFNWqmfjxXSTGtZR5js2aSAt558fhW2MgtJkDxZHVdnWD0UN4R tYRGWhMjQo/R6xc1Zk+a6zoD78KJ3Hu6bwbMEsO65ucpB3kod1cth7Q8cr9pc36/4U50 Ox/vVuq+iIbAybX3PRo6JWhcDB2oRnIBIk0uA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:organization:references :mail-copies-to:gmane-reply-to-list:date:in-reply-to:message-id :user-agent:mime-version:content-type; bh=D8pTzJK38fxWd09M1Y8I9T/aHD98fh5Bh6eNV7qTQyI=; b=ip66EIt3RcJwrttvo8SY1XW3h6MkSuMJvjacqtUcFummTWSoSMMk+DS8qS6+lq1ztw i2t2uKL7/Dr0apdujpAd/r5/ckny0hySFo0/LhypOAFSn2GOU6weLJflzlJcqBAi5+8M AbEicLOAkJbQUumTOXe4uscDhjjBvI3SWUSZpbCX6Img+LkYaIqKaHRhHzKQm2gH0b8t ead+OunMZ5YCpqQMGf93sQKYklXJSgkdta9lVo+wM/spJWN02rft1NxYAKS61H2XY+XM tL1p00K+I5UfgBl/XrCnz7TVE3TZS+OPiGTFTFgn4lmy+cwWZFyMsvxf/Y6OSXwskoIv VMtA== X-Gm-Message-State: ALoCoQk+6kwUYU96iRZm7pGUG6mFrcNLI3tjEWyNJeMFvJUOTqb6LT+rv35zZ3NP+ak/f2E1BQqT X-Received: by 10.224.167.19 with SMTP id o19mr35269484qay.77.1392029536177; Mon, 10 Feb 2014 02:52:16 -0800 (PST) Received: from flea (c-98-229-61-72.hsd1.ma.comcast.net. [98.229.61.72]) by mx.google.com with ESMTPSA id 67sm23199898qgr.15.2014.02.10.02.52.15 for (version=TLSv1.2 cipher=RC4-SHA bits=128/128); Mon, 10 Feb 2014 02:52:15 -0800 (PST) From: Ted Zlatanov Organization: =?UTF-8?Q?=D0=A2=D0=B5=D0=BE=D0=B4=D0=BE=D1=80_?= =?UTF-8?Q?=D0=97=D0=BB=D0=B0=D1=82=D0=B0=D0=BD=D0=BE=D0=B2?= @ Cienfuegos References: <87iozfl001.fsf@thinkpad.tsdh.org> <87li24zpg1.fsf@flea.lifelogs.com> <87lhxx6kr0.fsf@building.gnus.org> <871tzbaf1n.fsf@lifelogs.com> <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org> <20367.61741.640831.184941@gargle.gargle.HOWL> <20368.16452.379860.520133@gargle.gargle.HOWL> <87k4152t8j.fsf@lifelogs.com> <20375.1898.39520.582160@gargle.gargle.HOWL> <87ob2f8zdr.fsf@lifelogs.com> <21240.16957.410641.502622@gargle.gargle.HOWL> <87ppmvwu5h.fsf@building.gnus.org> X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6; d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT= D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx" Mail-Copies-To: never Gmane-Reply-To-List: yes Date: Mon, 10 Feb 2014 05:52:23 -0500 In-Reply-To: <87ppmvwu5h.fsf@building.gnus.org> (Lars Ingebrigtsen's message of "Sun, 09 Feb 2014 18:58:34 -0800, Mon, 10 Feb 2014 09:28:09 +0100") Message-ID: <87d2iv8ck8.fsf@lifelogs.com> User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) On Mon, 10 Feb 2014 09:28:09 +0100 Nikos Mavrogiannopoulos wrote: NM> On Mon, Feb 10, 2014 at 4:06 AM, Roland Winkler wrote: >> I am still a bit confused concerning a "reasonable minimal value" >> for gnutls-min-prime-bits. Is 256 a value that I can feel >> comfortable about? NM> No. 256-bit DH is a bit harder than rot13 as encryption. I'd suggest NM> not to set the minimum acceptable size and let gnutls decide instead. NM> For broken servers that use very small sizes, you could disable the NM> DHE ciphersuites as described in the previous mails. On Sun, 09 Feb 2014 18:58:34 -0800 Lars Ingebrigtsen wrote: LI> Ted Zlatanov writes: >> See http://thread.gmane.org/gmane.network.gnutls.general/3181/focus=3299 >> >> Try, first of all, appending `!DHE-RSA:!DHE-DSS' to your GnuTLS priority >> string to disable DHE. ECDHE will not have the minimum bits message, >> ever, IIUC. LI> But aren't there lots of (or some) servers that only supports DHE and LI> not ECDHE? There's no way to know until you connect, that's the heart of the problem. So IIUC you'd have to either be potentially insecure all the time (DHE enabled) or potentially fail connecting to some servers. I think the latter is the better option as a default, as long as we make it clear (not in a *GnuTLS log* buffer but with `message' so it shows up in the echo region and in STDERR in batch mode) that * the connection was rejected because the remote requires a lower level of security * how to try allowing the less-secure connection (perhaps a simple command to automate this, or even a clickable button, would be nicer than asking the user to `customize-variable'). The original discussion sort of settled on magically reopening the connection with less security but I think that might be a disservice to the users. * why it's smarter to ask the server admin to upgrade their TLS implementation Fitting all of that in a short readable message might be a challenge, hence the button suggestion, but that's not ideal either. Ted From unknown Mon Aug 18 08:59:25 2025 X-Loop: help-debbugs@gnu.org Subject: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). Resent-From: Lars Ingebrigtsen Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org, bugs@gnus.org Resent-Date: Tue, 11 Feb 2014 05:12:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 15057 X-GNU-PR-Package: emacs,gnus X-GNU-PR-Keywords: To: Nikos Mavrogiannopoulos Cc: 15057@debbugs.gnu.org, 16253@debbugs.gnu.org, Roland Winkler , 11267@debbugs.gnu.org, Tassilo Horn Received: via spool by 15057-submit@debbugs.gnu.org id=B15057.139209546418715 (code B ref 15057); Tue, 11 Feb 2014 05:12:03 +0000 Received: (at 15057) by debbugs.gnu.org; 11 Feb 2014 05:11:04 +0000 Received: from localhost ([127.0.0.1]:42339 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WD5ce-0004ri-8v for submit@debbugs.gnu.org; Tue, 11 Feb 2014 00:11:04 -0500 Received: from hermes.netfonds.no ([80.91.224.195]:33876) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WD5cX-0004qy-6i; Tue, 11 Feb 2014 00:11:01 -0500 Received: from [204.14.154.233] (helo=building.gnus.org) by hermes.netfonds.no with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from ) id 1WD5cH-0006E7-MJ; Tue, 11 Feb 2014 06:10:42 +0100 From: Lars Ingebrigtsen References: <87iozfl001.fsf@thinkpad.tsdh.org> <87li24zpg1.fsf@flea.lifelogs.com> <87lhxx6kr0.fsf@building.gnus.org> <871tzbaf1n.fsf@lifelogs.com> <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org> <20367.61741.640831.184941@gargle.gargle.HOWL> <20368.16452.379860.520133@gargle.gargle.HOWL> <87k4152t8j.fsf@lifelogs.com> <20375.1898.39520.582160@gargle.gargle.HOWL> <87ob2f8zdr.fsf@lifelogs.com> <21240.16957.410641.502622@gargle.gargle.HOWL> <87ppmvwu5h.fsf@building.gnus.org> <87d2iv8ck8.fsf@lifelogs.com> Date: Mon, 10 Feb 2014 21:09:25 -0800 In-Reply-To: <87d2iv8ck8.fsf@lifelogs.com> (Ted Zlatanov's message of "Mon, 10 Feb 2014 05:52:23 -0500") Message-ID: <87ppmup75m.fsf@building.gnus.org> User-Agent: Gnus/5.13001 (Ma Gnus v0.10) Emacs/24.3.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-MailScanner-ID: 1WD5cH-0006E7-MJ X-Netfonds-MailScanner: Found to be clean X-Netfonds-MailScanner-From: larsi@gnus.org MailScanner-NULL-Check: 1392700242.5987@nRN+9mreSxIwvY8/BRkaBw X-Spam-Status: No X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.0 (/) Ted Zlatanov writes: > LI> But aren't there lots of (or some) servers that only supports DHE and > LI> not ECDHE? > > There's no way to know until you connect, that's the heart of the > problem. So IIUC you'd have to either be potentially insecure all the > time (DHE enabled) or potentially fail connecting to some servers. I thought TLS worked like this: 1) You connect to a server. 2) A server says what encryption methods it supports 3) You choose one, and start talking in that method. So things like browsers have a pre-defined list of methods, in descending order of what they consider "more safe", so that ECDHE is used if available, etc. > I think the latter is the better option as a default, as long as we make > it clear (not in a *GnuTLS log* buffer but with `message' so it shows up > in the echo region and in STDERR in batch mode) that > > * the connection was rejected because the remote requires a lower level > of security I've basically never ever seen Firefox say "you can't talk to this server, because the TLS is too weak". Neither should Emacs. (Emacs, being Emacs, might offer as an option a way to restrict all TLS connections to a smaller set of algorithms/levels, but that should not be the default.) > * how to try allowing the less-secure connection (perhaps a simple > command to automate this, or even a clickable button, would be nicer > than asking the user to `customize-variable'). The original discussion > sort of settled on magically reopening the connection with less security > but I think that might be a disservice to the users. We would always try to get the most secure TLS connection possible, so I don't quite understand "reconnect"... > * why it's smarter to ask the server admin to upgrade their TLS > implementation > > Fitting all of that in a short readable message might be a challenge, > hence the button suggestion, but that's not ideal either. If the user has explicitly said "don't talk unless it has teh haxors leet mode", then that's not necessary, I would have thought. But I might be misunderstanding the problem completely. >"? -- (domestic pets only, the antidote for overdose, milk.) bloggy blog http://lars.ingebrigtsen.no/ From unknown Mon Aug 18 08:59:25 2025 X-Loop: help-debbugs@gnu.org Subject: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). Resent-From: Nikos Mavrogiannopoulos Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org, bugs@gnus.org Resent-Date: Tue, 11 Feb 2014 10:36:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 15057 X-GNU-PR-Package: emacs,gnus X-GNU-PR-Keywords: To: Lars Ingebrigtsen Cc: 15057@debbugs.gnu.org, 16253@debbugs.gnu.org, Roland Winkler , 11267@debbugs.gnu.org, Tassilo Horn Received: via spool by 15057-submit@debbugs.gnu.org id=B15057.139211494719465 (code B ref 15057); Tue, 11 Feb 2014 10:36:03 +0000 Received: (at 15057) by debbugs.gnu.org; 11 Feb 2014 10:35:47 +0000 Received: from localhost ([127.0.0.1]:45770 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WDAgo-00053d-Ui for submit@debbugs.gnu.org; Tue, 11 Feb 2014 05:35:46 -0500 Received: from mail-qa0-f45.google.com ([209.85.216.45]:44320) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WDAge-00052s-SK; Tue, 11 Feb 2014 05:35:36 -0500 Received: by mail-qa0-f45.google.com with SMTP id ii20so11304727qab.18 for ; Tue, 11 Feb 2014 02:35:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=WKGmOGwyUBlnzQRX2+iXQWHZDk1OFGvxzxoUj9Xp19o=; b=C28shBYYdJTepHilZ2gaR/E/O5FXQKF4iRfYg/2yqrVeqC4vghc5li47ymFSV0EiA9 Mem1pdhBDKhRButENvrSazj4x+FjZxXPkas4H4r0shxcWKk8b9thETOEAkL6pemmVEzx Kafjd18d+9citgdBVF1wfdcDIqr1sWQKnBtga2fvVYJYFFVNu01ucyFsMLjRxWKY0HJq dKrAnq7hXkyPaKWlJ2KgTpJvYE1pIiyTHMz1b4jDRYVO5Il6HfPZ4IQ4EozFkhJg6kbC 5hXkcJKxjmw0MTY7xd5A4g1M+gG5dn4v9MOd5qGsHAUqNyu2fSv1GVPdcoAStQxdGDSf GmHg== MIME-Version: 1.0 X-Received: by 10.224.46.130 with SMTP id j2mr55450881qaf.7.1392114927241; Tue, 11 Feb 2014 02:35:27 -0800 (PST) Received: by 10.229.58.137 with HTTP; Tue, 11 Feb 2014 02:35:27 -0800 (PST) In-Reply-To: <87ppmup75m.fsf@building.gnus.org> References: <87iozfl001.fsf@thinkpad.tsdh.org> <87li24zpg1.fsf@flea.lifelogs.com> <87lhxx6kr0.fsf@building.gnus.org> <871tzbaf1n.fsf@lifelogs.com> <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org> <20367.61741.640831.184941@gargle.gargle.HOWL> <20368.16452.379860.520133@gargle.gargle.HOWL> <87k4152t8j.fsf@lifelogs.com> <20375.1898.39520.582160@gargle.gargle.HOWL> <87ob2f8zdr.fsf@lifelogs.com> <21240.16957.410641.502622@gargle.gargle.HOWL> <87ppmvwu5h.fsf@building.gnus.org> <87d2iv8ck8.fsf@lifelogs.com> <87ppmup75m.fsf@building.gnus.org> Date: Tue, 11 Feb 2014 11:35:27 +0100 Message-ID: From: Nikos Mavrogiannopoulos Content-Type: text/plain; charset=ISO-8859-1 X-Spam-Score: -0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) On Tue, Feb 11, 2014 at 6:09 AM, Lars Ingebrigtsen wrote: > Ted Zlatanov writes: >> LI> But aren't there lots of (or some) servers that only supports DHE and >> LI> not ECDHE? >> There's no way to know until you connect, that's the heart of the >> problem. So IIUC you'd have to either be potentially insecure all the >> time (DHE enabled) or potentially fail connecting to some servers. > I thought TLS worked like this: > 1) You connect to a server. > 2) A server says what encryption methods it supports > 3) You choose one, and start talking in that method. (let's suppose that the chosen method is DHE) 4) The server presents its DHE parameters and you realize that they are not acceptable. 5) Cannot do anything except abort the session, disable support for DHE and go to (1). >> I think the latter is the better option as a default, as long as we make >> it clear (not in a *GnuTLS log* buffer but with `message' so it shows up >> in the echo region and in STDERR in batch mode) that >> * the connection was rejected because the remote requires a lower level >> of security > I've basically never ever seen Firefox say "you can't talk to this > server, because the TLS is too weak". Neither should Emacs. Firefox in the past would happily connect to a server offering weak parameters. This is changing now: https://bugzilla.mozilla.org/show_bug.cgi?id=587234 So instead of emacs replicating what the insecure versions of firefox did, it could provide security by default. regards, Nikos From unknown Mon Aug 18 08:59:25 2025 X-Loop: help-debbugs@gnu.org Subject: bug#15057: bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). Resent-From: Ted Zlatanov Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org, bugs@gnus.org Resent-Date: Tue, 11 Feb 2014 14:23:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 15057 X-GNU-PR-Package: emacs,gnus X-GNU-PR-Keywords: To: Lars Ingebrigtsen Cc: Nikos Mavrogiannopoulos , Roland Winkler , 15057@debbugs.gnu.org, 16253@debbugs.gnu.org, 11267@debbugs.gnu.org, Tassilo Horn Received: via spool by 15057-submit@debbugs.gnu.org id=B15057.13921285295391 (code B ref 15057); Tue, 11 Feb 2014 14:23:02 +0000 Received: (at 15057) by debbugs.gnu.org; 11 Feb 2014 14:22:09 +0000 Received: from localhost ([127.0.0.1]:46071 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WDEDs-0001Og-VF for submit@debbugs.gnu.org; Tue, 11 Feb 2014 09:22:08 -0500 Received: from mail-qa0-f53.google.com ([209.85.216.53]:44885) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WDEDj-0001Nl-H3 for 15057@debbugs.gnu.org; Tue, 11 Feb 2014 09:21:59 -0500 Received: by mail-qa0-f53.google.com with SMTP id cm18so11805633qab.12 for <15057@debbugs.gnu.org>; Tue, 11 Feb 2014 06:21:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lifelogs.com; s=google; h=from:to:cc:subject:organization:references:mail-copies-to :gmane-reply-to-list:date:in-reply-to:message-id:user-agent :mime-version:content-type; bh=6Vm7HcEWYE9bypWOgxlLIqMT9QOLbjGfkGh21mHiECo=; b=VDZ2OUZq5ue/+pJx6WWqxqBJ+4Lgu5V8/2w13PPSwG6xA8HUbCeFuEn/UFOvJWTNjZ pifcEnoIyyanTW5lZR52E2i4B7MIUM/DRP5sAoQYI7t5ZFYNqhvyPis1Le1t32s+G+Vn XfbLUPq8BESwhOiOWMCAIwDeH2mOligCfFiHg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:organization:references :mail-copies-to:gmane-reply-to-list:date:in-reply-to:message-id :user-agent:mime-version:content-type; bh=6Vm7HcEWYE9bypWOgxlLIqMT9QOLbjGfkGh21mHiECo=; b=IJzWYwYGrfwrA+2GVpImbz0V1nazvkQOLNt5CZeTmOuLO04vlcuB4dy7oROeBVDBNk sB3dnXHgNircZtCSTpRags0t6UUXZA6upkX09yDCCodkRNhZ7dnGx4C+SGoxJhYPkFgG ACz/lpUdGUOB2Vx6eXow3LGnRFItq+F+fYkvCQ5ia5FitesckvBE5TpK5gpbzIoGLIY2 ETECHeTopwOh9oCn9qy/KlTKN6L/1++qNwR6Lteeuk/qNQR8eiHxinYqG8Gnq4iPF4PZ cNHqVAaV4wZpprBGW+iRbCikBvjEHbi6NMFcXlWGvL2c7wBOezj4nZgfw91CFonYjuun FM4Q== X-Gm-Message-State: ALoCoQlS/5Ygvp3p1ZI/lpsD1xsjGH7gqnO70q5lCPwd6S8IxMFaKG2WPtvKsPyoWQInIHxef0KX X-Received: by 10.224.167.19 with SMTP id o19mr46890414qay.77.1392128509928; Tue, 11 Feb 2014 06:21:49 -0800 (PST) Received: from flea (c-98-229-61-72.hsd1.ma.comcast.net. [98.229.61.72]) by mx.google.com with ESMTPSA id a5sm53271625qae.2.2014.02.11.06.21.48 for (version=TLSv1.2 cipher=RC4-SHA bits=128/128); Tue, 11 Feb 2014 06:21:49 -0800 (PST) From: Ted Zlatanov Organization: =?UTF-8?Q?=D0=A2=D0=B5=D0=BE=D0=B4=D0=BE=D1=80_?= =?UTF-8?Q?=D0=97=D0=BB=D0=B0=D1=82=D0=B0=D0=BD=D0=BE=D0=B2?= @ Cienfuegos References: <87iozfl001.fsf@thinkpad.tsdh.org> <87li24zpg1.fsf@flea.lifelogs.com> <87lhxx6kr0.fsf@building.gnus.org> <871tzbaf1n.fsf@lifelogs.com> <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org> <20367.61741.640831.184941@gargle.gargle.HOWL> <20368.16452.379860.520133@gargle.gargle.HOWL> <87k4152t8j.fsf@lifelogs.com> <20375.1898.39520.582160@gargle.gargle.HOWL> <87ob2f8zdr.fsf@lifelogs.com> <21240.16957.410641.502622@gargle.gargle.HOWL> <87ppmvwu5h.fsf@building.gnus.org> <87d2iv8ck8.fsf@lifelogs.com> <87ppmup75m.fsf@building.gnus.org> X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6; d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT= D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx" Mail-Copies-To: never Gmane-Reply-To-List: yes Date: Tue, 11 Feb 2014 09:21:58 -0500 In-Reply-To: <87ppmup75m.fsf@building.gnus.org> (Lars Ingebrigtsen's message of "Mon, 10 Feb 2014 21:09:25 -0800") Message-ID: <87mwhx686x.fsf@lifelogs.com> User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) On Mon, 10 Feb 2014 21:09:25 -0800 Lars Ingebrigtsen wrote: LI> (Emacs, being Emacs, might offer as an option a way to restrict all TLS LI> connections to a smaller set of algorithms/levels, but that should not LI> be the default.) I think it should, as long as we make it easy to drop down the security, as I described: >> * how to try allowing the less-secure connection (perhaps a simple >> command to automate this, or even a clickable button, would be nicer >> than asking the user to `customize-variable'). The original discussion >> sort of settled on magically reopening the connection with less security >> but I think that might be a disservice to the users. LI> We would always try to get the most secure TLS connection possible, so I LI> don't quite understand "reconnect"... So my proposal is simply to provide two buttons "allow host X to connect with lower DHE security [temporarily] [permanently]" and when the button is clicked, customize `gnutls-algorithm-priority' to allow DHE to that specific host. `gnutls-negotiate' has to be changed slightly and the connection rejection from insecure hosts will need to be handled in gnutls.c and gnutls.el. I think that's as seamless as we can make it, especially noting that `gnutls-min-prime-bits' is deprecated since GnuTLS 3.1.7 (see http://www.gnutls.org/manual/gnutls.html#index-gnutls_005fdh_005fset_005fprime_005fbits). If we provide that simple UI, plus some help messaging, I think we can disable DHE by default. Based on Nikos' explanation, it seems to be the best way forward. Ted From unknown Mon Aug 18 08:59:25 2025 X-Loop: help-debbugs@gnu.org Subject: bug#15057: bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). Resent-From: "Roland Winkler" Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org, bugs@gnus.org Resent-Date: Tue, 11 Feb 2014 22:50:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 15057 X-GNU-PR-Package: emacs,gnus X-GNU-PR-Keywords: To: Ted Zlatanov Cc: Nikos Mavrogiannopoulos , 15057@debbugs.gnu.org, 16253@debbugs.gnu.org, 11267@debbugs.gnu.org, Tassilo Horn , Lars Ingebrigtsen Received: via spool by 15057-submit@debbugs.gnu.org id=B15057.139215895519501 (code B ref 15057); Tue, 11 Feb 2014 22:50:03 +0000 Received: (at 15057) by debbugs.gnu.org; 11 Feb 2014 22:49:15 +0000 Received: from localhost ([127.0.0.1]:47955 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WDM8g-00054O-Lc for submit@debbugs.gnu.org; Tue, 11 Feb 2014 17:49:14 -0500 Received: from fencepost.gnu.org ([208.118.235.10]:55277 ident=Debian-exim) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WDM8d-00053z-0n; Tue, 11 Feb 2014 17:49:11 -0500 Received: from 162-229-45-114.lightspeed.cicril.sbcglobal.net ([162.229.45.114]:55799 helo=regnitz) by fencepost.gnu.org with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1WDM8b-0003sP-0V; Tue, 11 Feb 2014 17:49:09 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <21242.43234.861627.965636@gargle.gargle.HOWL> Date: Tue, 11 Feb 2014 16:49:06 -0600 From: "Roland Winkler" In-Reply-To: <87mwhx686x.fsf@lifelogs.com> References: <87iozfl001.fsf@thinkpad.tsdh.org> <87li24zpg1.fsf@flea.lifelogs.com> <87lhxx6kr0.fsf@building.gnus.org> <871tzbaf1n.fsf@lifelogs.com> <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org> <20367.61741.640831.184941@gargle.gargle.HOWL> <20368.16452.379860.520133@gargle.gargle.HOWL> <87k4152t8j.fsf@lifelogs.com> <20375.1898.39520.582160@gargle.gargle.HOWL> <87ob2f8zdr.fsf@lifelogs.com> <21240.16957.410641.502622@gargle.gargle.HOWL> <87ppmvwu5h.fsf@building.gnus.org> <87d2iv8ck8.fsf@lifelogs.com> <87ppmup75m.fsf@building.gnus.org> <87mwhx686x.fsf@lifelogs.com> X-Mailer: VM 8.2 trial under 24.3.1 (x86_64-unknown-linux-gnu) X-Spam-Score: -5.7 (-----) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.7 (-----) On Tue Feb 11 2014 Ted Zlatanov wrote: > So my proposal is simply to provide two buttons "allow host X to > connect with lower DHE security [temporarily] [permanently]" and > when the button is clicked, customize `gnutls-algorithm-priority' > to allow DHE to that specific host. > > `gnutls-negotiate' has to be changed slightly and the connection > rejection from insecure hosts will need to be handled in gnutls.c > and gnutls.el. > > I think that's as seamless as we can make it, especially noting > that `gnutls-min-prime-bits' is deprecated since GnuTLS 3.1.7 (see > http://www.gnutls.org/manual/gnutls.html#index-gnutls_005fdh_005fset_005fprime_005fbits). > > If we provide that simple UI, plus some help messaging, I think we > can disable DHE by default. Based on Nikos' explanation, it seems > to be the best way forward. Whatever customizability will be provided (permanently or temporarily on the fly), I'd find it most important to have documentation that allows the user to put the choices into perspective. -- Is this feasible? Certainly, we cannot expect that the average user who is offered a pop-up menu with choices "allow host X to connect with lower DHE security [temporarily] [permanently]" that he can readily understand its implications and put it into perspective. (DHE security lower than what? Lower by how much? How insecure is that?) (According to Murphy's law, this selection will probably pop up most often, when the user is not in the mood to read long info pages...) Roland From unknown Mon Aug 18 08:59:25 2025 X-Loop: help-debbugs@gnu.org Subject: bug#15057: bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). Resent-From: Ted Zlatanov Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org, bugs@gnus.org Resent-Date: Tue, 11 Feb 2014 23:55:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 15057 X-GNU-PR-Package: emacs,gnus X-GNU-PR-Keywords: To: "Roland Winkler" Cc: Nikos Mavrogiannopoulos , 15057@debbugs.gnu.org, 16253@debbugs.gnu.org, 11267@debbugs.gnu.org, Tassilo Horn , Lars Ingebrigtsen Received: via spool by 15057-submit@debbugs.gnu.org id=B15057.139216289026186 (code B ref 15057); Tue, 11 Feb 2014 23:55:03 +0000 Received: (at 15057) by debbugs.gnu.org; 11 Feb 2014 23:54:50 +0000 Received: from localhost ([127.0.0.1]:47976 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WDNAA-0006oI-A5 for submit@debbugs.gnu.org; Tue, 11 Feb 2014 18:54:50 -0500 Received: from mail-qc0-f177.google.com ([209.85.216.177]:52584) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WDNA6-0006nz-BX for 15057@debbugs.gnu.org; Tue, 11 Feb 2014 18:54:47 -0500 Received: by mail-qc0-f177.google.com with SMTP id i8so14073547qcq.22 for <15057@debbugs.gnu.org>; Tue, 11 Feb 2014 15:54:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lifelogs.com; s=google; h=from:to:cc:subject:organization:references:mail-copies-to :gmane-reply-to-list:date:in-reply-to:message-id:user-agent :mime-version:content-type; bh=DIluoanrtCxxnAlJT5gJfXWLmxp0Hvu7c4qkl1XJX8s=; b=siAQRtXFV/7E8nDW/B0HzftPFpM2pLNcxYC6ZxxxVF679jSogiohmfj4iaKRUKtias CdEU8XvDfGy+2KvGZVnejeoppltDAimMIrS87tHgI1YfeAIXW4fAfMO4fvU0JtKAt5DO JPdJyhE0poZbSq8fOkD46LT54in92vtuaA/tg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:organization:references :mail-copies-to:gmane-reply-to-list:date:in-reply-to:message-id :user-agent:mime-version:content-type; bh=DIluoanrtCxxnAlJT5gJfXWLmxp0Hvu7c4qkl1XJX8s=; b=RXTLgdE0HfFijPhmPRdAZGQYnC9qWfCfKIGzsOhXhxAE3goIJSlIffCTYqzVZH8Cvq H5opSA3uuywpL/kilIrgjBHoi+yGO3NNsAjDkRkM9Qy4N2vYwaSikvCi3PfxvrGz1sgO VZrWpbUKHB1rlhf1ZUZA1PsQkmAoQJYNN4brWWhIpTcrJSWtaI7oAYawzseaJBIRwIJQ qcO0awfL1Ikw3UlPjlhPhjIoaiqfcFKMzIvuIRuHnbdL1slQFjob6KW75hHGXhoeJPWG 8hhgmfl+s1eYSZ1g0Vndl/eqqn83eykLmWb13o8hdROBIM8VAEcUbri1VjbQFtUFz/AM pzsA== X-Gm-Message-State: ALoCoQlnaPDeRMdUvNFOI3A7R+QK2hyTGwEYRgXtaje2zCXji2fi9Hxy6LIQYs0KvyE4uaRXM7Yy X-Received: by 10.224.44.8 with SMTP id y8mr62881309qae.44.1392162880666; Tue, 11 Feb 2014 15:54:40 -0800 (PST) Received: from flea (c-98-229-61-72.hsd1.ma.comcast.net. [98.229.61.72]) by mx.google.com with ESMTPSA id 3sm57437362qan.15.2014.02.11.15.54.39 for (version=TLSv1.2 cipher=RC4-SHA bits=128/128); Tue, 11 Feb 2014 15:54:40 -0800 (PST) From: Ted Zlatanov Organization: =?UTF-8?Q?=D0=A2=D0=B5=D0=BE=D0=B4=D0=BE=D1=80_?= =?UTF-8?Q?=D0=97=D0=BB=D0=B0=D1=82=D0=B0=D0=BD=D0=BE=D0=B2?= @ Cienfuegos References: <87iozfl001.fsf@thinkpad.tsdh.org> <87lhxx6kr0.fsf@building.gnus.org> <871tzbaf1n.fsf@lifelogs.com> <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org> <20367.61741.640831.184941@gargle.gargle.HOWL> <20368.16452.379860.520133@gargle.gargle.HOWL> <87k4152t8j.fsf@lifelogs.com> <20375.1898.39520.582160@gargle.gargle.HOWL> <87ob2f8zdr.fsf@lifelogs.com> <21240.16957.410641.502622@gargle.gargle.HOWL> <87ppmvwu5h.fsf@building.gnus.org> <87d2iv8ck8.fsf@lifelogs.com> <87ppmup75m.fsf@building.gnus.org> <87mwhx686x.fsf@lifelogs.com> <21242.43234.861627.965636@gargle.gargle.HOWL> X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6; d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT= D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx" Mail-Copies-To: never Gmane-Reply-To-List: yes Date: Tue, 11 Feb 2014 18:54:49 -0500 In-Reply-To: <21242.43234.861627.965636@gargle.gargle.HOWL> (Roland Winkler's message of "Tue, 11 Feb 2014 16:49:06 -0600") Message-ID: <8761ol5ho6.fsf@lifelogs.com> User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) On Tue, 11 Feb 2014 16:49:06 -0600 "Roland Winkler" wrote: RW> On Tue Feb 11 2014 Ted Zlatanov wrote: >> So my proposal is simply to provide two buttons "allow host X to >> connect with lower DHE security [temporarily] [permanently]" and >> when the button is clicked, customize `gnutls-algorithm-priority' >> to allow DHE to that specific host. >> >> `gnutls-negotiate' has to be changed slightly and the connection >> rejection from insecure hosts will need to be handled in gnutls.c >> and gnutls.el. >> >> I think that's as seamless as we can make it, especially noting >> that `gnutls-min-prime-bits' is deprecated since GnuTLS 3.1.7 (see >> http://www.gnutls.org/manual/gnutls.html#index-gnutls_005fdh_005fset_005fprime_005fbits). >> >> If we provide that simple UI, plus some help messaging, I think we >> can disable DHE by default. Based on Nikos' explanation, it seems >> to be the best way forward. RW> Whatever customizability will be provided (permanently or RW> temporarily on the fly), I'd find it most important to have RW> documentation that allows the user to put the choices into RW> perspective. -- Is this feasible? Certainly, we cannot expect that RW> the average user who is offered a pop-up menu with choices "allow RW> host X to connect with lower DHE security [temporarily] RW> [permanently]" that he can readily understand its implications and RW> put it into perspective. (DHE security lower than what? Lower by RW> how much? How insecure is that?) I'm sure we can come up with more helpful messaging. Does it have to fit in 78 chars? Can we use buttons? If so, it could be like this, going over 78 but not too much: !! remote host X requires lower security [OK once] [OK always] [Cancel] [?] With the ? taking the user to more details: a help message or even the relevant section of gnutls.texi If we can use a multi-line message it becomes easier, certainly. The buttons could instead be a simple (y,Y,n,?) prompt. But that could be confusing to the inexperienced users we're trying to help. I need some guidance :) I don't know if this has been implemented in another part of Emacs or other packages. Thanks Ted From unknown Mon Aug 18 08:59:25 2025 X-Loop: help-debbugs@gnu.org Subject: bug#15057: bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). Resent-From: Lars Ingebrigtsen Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org, bugs@gnus.org Resent-Date: Wed, 12 Feb 2014 04:31:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 15057 X-GNU-PR-Package: emacs,gnus X-GNU-PR-Keywords: To: Nikos Mavrogiannopoulos Cc: 15057@debbugs.gnu.org, 16253@debbugs.gnu.org, Roland Winkler , 11267@debbugs.gnu.org, Tassilo Horn Received: via spool by 15057-submit@debbugs.gnu.org id=B15057.139217944931353 (code B ref 15057); Wed, 12 Feb 2014 04:31:03 +0000 Received: (at 15057) by debbugs.gnu.org; 12 Feb 2014 04:30:49 +0000 Received: from localhost ([127.0.0.1]:48131 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WDRTE-00089X-ER for submit@debbugs.gnu.org; Tue, 11 Feb 2014 23:30:48 -0500 Received: from hermes.netfonds.no ([80.91.224.195]:60185) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WDRTA-000898-Qx; Tue, 11 Feb 2014 23:30:46 -0500 Received: from [204.14.154.233] (helo=building.gnus.org) by hermes.netfonds.no with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from ) id 1WDRSv-0008O4-0S; Wed, 12 Feb 2014 05:30:29 +0100 From: Lars Ingebrigtsen References: <87iozfl001.fsf@thinkpad.tsdh.org> <87li24zpg1.fsf@flea.lifelogs.com> <87lhxx6kr0.fsf@building.gnus.org> <871tzbaf1n.fsf@lifelogs.com> <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org> <20367.61741.640831.184941@gargle.gargle.HOWL> <20368.16452.379860.520133@gargle.gargle.HOWL> <87k4152t8j.fsf@lifelogs.com> <20375.1898.39520.582160@gargle.gargle.HOWL> <87ob2f8zdr.fsf@lifelogs.com> <21240.16957.410641.502622@gargle.gargle.HOWL> <87ppmvwu5h.fsf@building.gnus.org> <87d2iv8ck8.fsf@lifelogs.com> <87ppmup75m.fsf@building.gnus.org> <87mwhx686x.fsf@lifelogs.com> Date: Tue, 11 Feb 2014 20:29:09 -0800 In-Reply-To: <87mwhx686x.fsf@lifelogs.com> (Ted Zlatanov's message of "Tue, 11 Feb 2014 09:21:58 -0500") Message-ID: <878uth2bu2.fsf@building.gnus.org> User-Agent: Gnus/5.13001 (Ma Gnus v0.10) Emacs/24.3.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-MailScanner-ID: 1WDRSv-0008O4-0S X-Netfonds-MailScanner: Found to be clean X-Netfonds-MailScanner-From: larsi@gnus.org MailScanner-NULL-Check: 1392784230.10113@Yh5Oe3YALCorsAjMNVXQuA X-Spam-Status: No X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.0 (/) Ted Zlatanov writes: > If we provide that simple UI, plus some help messaging, I think we can > disable DHE by default. Based on Nikos' explanation, it seems to be the > best way forward. But why would we disable DHE? Prefer ECDHE over DHE, certainly, but I don't understand disabling... -- (domestic pets only, the antidote for overdose, milk.) bloggy blog http://lars.ingebrigtsen.no/ From unknown Mon Aug 18 08:59:25 2025 X-Loop: help-debbugs@gnu.org Subject: bug#15057: bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). Resent-From: Lars Ingebrigtsen Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org, bugs@gnus.org Resent-Date: Wed, 12 Feb 2014 04:33:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 15057 X-GNU-PR-Package: emacs,gnus X-GNU-PR-Keywords: To: "Roland Winkler" Cc: 15057@debbugs.gnu.org, 16253@debbugs.gnu.org, Nikos Mavrogiannopoulos , 11267@debbugs.gnu.org, Tassilo Horn Received: via spool by 15057-submit@debbugs.gnu.org id=B15057.139217955531585 (code B ref 15057); Wed, 12 Feb 2014 04:33:03 +0000 Received: (at 15057) by debbugs.gnu.org; 12 Feb 2014 04:32:35 +0000 Received: from localhost ([127.0.0.1]:48143 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WDRUw-0008DH-8O for submit@debbugs.gnu.org; Tue, 11 Feb 2014 23:32:34 -0500 Received: from hermes.netfonds.no ([80.91.224.195]:60197) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WDRUt-0008Cr-Id; Tue, 11 Feb 2014 23:32:32 -0500 Received: from [204.14.154.233] (helo=building.gnus.org) by hermes.netfonds.no with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from ) id 1WDRUf-0008PH-6h; Wed, 12 Feb 2014 05:32:17 +0100 From: Lars Ingebrigtsen References: <87iozfl001.fsf@thinkpad.tsdh.org> <871tzbaf1n.fsf@lifelogs.com> <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org> <20367.61741.640831.184941@gargle.gargle.HOWL> <20368.16452.379860.520133@gargle.gargle.HOWL> <87k4152t8j.fsf@lifelogs.com> <20375.1898.39520.582160@gargle.gargle.HOWL> <87ob2f8zdr.fsf@lifelogs.com> <21240.16957.410641.502622@gargle.gargle.HOWL> <87ppmvwu5h.fsf@building.gnus.org> <87d2iv8ck8.fsf@lifelogs.com> <87ppmup75m.fsf@building.gnus.org> <87mwhx686x.fsf@lifelogs.com> <21242.43234.861627.965636@gargle.gargle.HOWL> <8761ol5ho6.fsf@lifelogs.com> Date: Tue, 11 Feb 2014 20:30:58 -0800 In-Reply-To: <8761ol5ho6.fsf@lifelogs.com> (Ted Zlatanov's message of "Tue, 11 Feb 2014 18:54:49 -0500") Message-ID: <874n452br1.fsf@building.gnus.org> User-Agent: Gnus/5.13001 (Ma Gnus v0.10) Emacs/24.3.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-MailScanner-ID: 1WDRUf-0008PH-6h X-Netfonds-MailScanner: Found to be clean X-Netfonds-MailScanner-From: larsi@gnus.org MailScanner-NULL-Check: 1392784337.96077@NqBCDeFUHj7AXQwyWTJGrg X-Spam-Status: No X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.0 (/) Ted Zlatanov writes: > I'm sure we can come up with more helpful messaging. Does it have > to fit in 78 chars? Can we use buttons? If so, it could be like this, > going over 78 but not too much: > > !! remote host X requires lower security [OK once] [OK always] [Cancel] [?] Yeah, that would be nice. And, remember, somebody (ahem) also has to write code to handle invalid certificates. It could be done the same way. And if the user types "OK always" for this (and for invalid certificates), it should be stored using the customize functions. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog http://lars.ingebrigtsen.no/ From unknown Mon Aug 18 08:59:25 2025 X-Loop: help-debbugs@gnu.org Subject: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough) Resent-From: Ted Zlatanov Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org, bugs@gnus.org Resent-Date: Wed, 12 Feb 2014 17:12:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 15057 X-GNU-PR-Package: emacs,gnus X-GNU-PR-Keywords: To: Lars Ingebrigtsen Cc: Nikos Mavrogiannopoulos , Roland Winkler , 15057@debbugs.gnu.org, 16253@debbugs.gnu.org, 11267@debbugs.gnu.org, Tassilo Horn Received: via spool by 15057-submit@debbugs.gnu.org id=B15057.139222511623225 (code B ref 15057); Wed, 12 Feb 2014 17:12:02 +0000 Received: (at 15057) by debbugs.gnu.org; 12 Feb 2014 17:11:56 +0000 Received: from localhost ([127.0.0.1]:49192 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WDdLm-00062R-U6 for submit@debbugs.gnu.org; Wed, 12 Feb 2014 12:11:55 -0500 Received: from mail-qc0-f175.google.com ([209.85.216.175]:51697) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WDdLV-00061K-Jm for 15057@debbugs.gnu.org; Wed, 12 Feb 2014 12:11:47 -0500 Received: by mail-qc0-f175.google.com with SMTP id x13so15929298qcv.34 for <15057@debbugs.gnu.org>; Wed, 12 Feb 2014 09:11:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lifelogs.com; s=google; h=from:to:cc:subject:organization:references:mail-copies-to :gmane-reply-to-list:date:in-reply-to:message-id:user-agent :mime-version:content-type; bh=8JdLPzd2z7pTMLLVmZ1ABbxe+o8xuHTlQ36kxIcOr6I=; b=ZSJHazg2rpmFZUWDq39mp5RVcDQ3Aw8DDTiGLgea7PFZKlsSTdtDmpCIDW3WXE6qZn LnjK9tPY5GjoeTXmoJps2l9JpPV+D7jGIgkVXqJQPxZDdZ9EDF0V73awyScKXqMcrK1O xeMpM89IHV7kYemfQmxEw5fLlaKKCtvo3/cvo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:organization:references :mail-copies-to:gmane-reply-to-list:date:in-reply-to:message-id :user-agent:mime-version:content-type; bh=8JdLPzd2z7pTMLLVmZ1ABbxe+o8xuHTlQ36kxIcOr6I=; b=TpVKLwErxCZQRln9uJgWXdnGCj9Q90ShElgCbMQv7nUlH27aTF2Z68GsIw3bjlXVXe H9GGKNIUgKuFK6uhfxlZQW0X/GNVbo+v63i4KCRjEnNKIpxAAnruw6wZaGwz0pQ7whij LiELST3oMA4W43/JY+dbFydHq2EiNf2rGmHy7/HvzmH5y1JNwuY+AALDzMplpeHrVwnI JNsFGNWnDgn+1GhFGUsvVKW4ooHL/Pbq6Vf9kXSbtBMyxagPkHgQWdy0CSabFG9SHNqQ dvBxF83VBRmtoBdauUw4xol/Cso6wEh/qWt/wYACi+okXkPMh6XmyEDqPCJKu3wzAxb1 JM5g== X-Gm-Message-State: ALoCoQmxLQJzV8J7HMT4T8sHGmOONYnSETK8R8eHfok0irXrGZJ6/3iI31lbUs5EGcrXPYQVmfyk X-Received: by 10.229.90.199 with SMTP id j7mr52359078qcm.14.1392225092037; Wed, 12 Feb 2014 09:11:32 -0800 (PST) Received: from flea (c-98-229-61-72.hsd1.ma.comcast.net. [98.229.61.72]) by mx.google.com with ESMTPSA id y71sm34458039qgd.3.2014.02.12.09.11.30 for (version=TLSv1.2 cipher=RC4-SHA bits=128/128); Wed, 12 Feb 2014 09:11:31 -0800 (PST) From: Ted Zlatanov Organization: =?UTF-8?Q?=D0=A2=D0=B5=D0=BE=D0=B4=D0=BE=D1=80_?= =?UTF-8?Q?=D0=97=D0=BB=D0=B0=D1=82=D0=B0=D0=BD=D0=BE=D0=B2?= @ Cienfuegos References: <87iozfl001.fsf@thinkpad.tsdh.org> <87lhxx6kr0.fsf@building.gnus.org> <871tzbaf1n.fsf@lifelogs.com> <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org> <20367.61741.640831.184941@gargle.gargle.HOWL> <20368.16452.379860.520133@gargle.gargle.HOWL> <87k4152t8j.fsf@lifelogs.com> <20375.1898.39520.582160@gargle.gargle.HOWL> <87ob2f8zdr.fsf@lifelogs.com> <21240.16957.410641.502622@gargle.gargle.HOWL> <87ppmvwu5h.fsf@building.gnus.org> <87d2iv8ck8.fsf@lifelogs.com> <87ppmup75m.fsf@building.gnus.org> <87mwhx686x.fsf@lifelogs.com> <874n452br1.fsf@building.gnus.org> X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6; d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT= D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx" Mail-Copies-To: never Gmane-Reply-To-List: yes Date: Wed, 12 Feb 2014 12:11:41 -0500 In-Reply-To: <874n452br1.fsf@building.gnus.org> (Lars Ingebrigtsen's message of "Tue, 11 Feb 2014 20:30:58 -0800, Tue, 11 Feb 2014 20:29:09 -0800") Message-ID: <87k3d0gss2.fsf_-_@lifelogs.com> User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) (I love how mangled the subject line became) On Tue, 11 Feb 2014 20:30:58 -0800 Lars Ingebrigtsen wrote: LI> Ted Zlatanov writes: >> I'm sure we can come up with more helpful messaging. Does it have >> to fit in 78 chars? Can we use buttons? If so, it could be like this, >> going over 78 but not too much: >> >> !! remote host X requires lower security [OK once] [OK always] [Cancel] [?] LI> Yeah, that would be nice. And, remember, somebody (ahem) also has to LI> write code to handle invalid certificates. It could be done the LI> same way. Yes, it's a similar UI. After 24.4. Is that available as a debbugs tag, "target-version=24.5" or something? LI> And if the user types "OK always" for this (and for invalid LI> certificates), it should be stored using the customize functions. Right. I feel Customize is the right place to put certificate exceptions. The user can set their custom.el file to be GnuPG-encrypted if they are concerned. >> If we provide that simple UI, plus some help messaging, I think we can >> disable DHE by default. Based on Nikos' explanation, it seems to be the >> best way forward. LI> But why would we disable DHE? Prefer ECDHE over DHE, certainly, but I LI> don't understand disabling... Nikos advocates (and I agree) that it's prudent to add "!DHE-RSA:!DHE-DSS" to the default priority string. We can make it easy for the user to remove that exclusion or make a specific exception as we've discussed. Ted From unknown Mon Aug 18 08:59:25 2025 X-Loop: help-debbugs@gnu.org Subject: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits Resent-From: Lars Magne Ingebrigtsen Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org, bugs@gnus.org Resent-Date: Mon, 08 Dec 2014 19:45:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 15057 X-GNU-PR-Package: emacs,gnus X-GNU-PR-Keywords: To: Tassilo Horn Cc: 15057@debbugs.gnu.org Received: via spool by 15057-submit@debbugs.gnu.org id=B15057.141806784214043 (code B ref 15057); Mon, 08 Dec 2014 19:45:02 +0000 Received: (at 15057) by debbugs.gnu.org; 8 Dec 2014 19:44:02 +0000 Received: from localhost ([127.0.0.1]:58043 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Xy4Dx-0003eG-GV for submit@debbugs.gnu.org; Mon, 08 Dec 2014 14:44:01 -0500 Received: from hermes.netfonds.no ([80.91.224.195]:56981) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Xy4Dv-0003du-6j for 15057@debbugs.gnu.org; Mon, 08 Dec 2014 14:43:59 -0500 Received: from cm-84.215.51.58.getinternet.no ([84.215.51.58] helo=stories.gnus.org) by hermes.netfonds.no with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from ) id 1Xy4Dc-0005mp-J0; Mon, 08 Dec 2014 20:43:40 +0100 From: Lars Magne Ingebrigtsen References: <87iozfl001.fsf@thinkpad.tsdh.org> X-Hashcash: 1:20:141208:15057@debbugs.gnu.org::XseqSQw4B2jo3IAc:00000000000000000000000000000000000000001Uun X-Hashcash: 1:20:141208:tsdh@gnu.org::wMeoSjwKJuEQTOzZ:000003WMJ Date: Mon, 08 Dec 2014 20:43:40 +0100 In-Reply-To: <87iozfl001.fsf@thinkpad.tsdh.org> (Tassilo Horn's message of "Fri, 09 Aug 2013 10:52:14 +0200") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-MailScanner-ID: 1Xy4Dc-0005mp-J0 X-Netfonds-MailScanner: Found to be clean X-Netfonds-MailScanner-From: larsi@gnus.org MailScanner-NULL-Check: 1418672620.95797@1CmUh5aokeLfi6vmNN+QMg X-Spam-Status: No X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.0 (/) Tassilo Horn writes: > When TLS support landed and Gnus used it, I frequently had messages like > "the Diffie-Hellman prime has been lowered to XXX bits" for XXX being > 256(?) or something like that. Then I've set > > (setq gnutls-min-prime-bits 2048) > > and everything worked smoothly, I got no warning messages, and I felt > more secure. Well, until today. When I fired up Gnus today, I got this > error for my Fastmail IMAP account: > > 20130809T100721.075> Opening connection to mail.messagingengine.com via tls... > gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). That's what you asked it to do, so it's not a bug. However, the NSM just got a Diffie-Hellman check, so that can be used instead. So I'm closing this bug report. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no From debbugs-submit-bounces@debbugs.gnu.org Mon Dec 08 14:44:05 2014 Received: (at control) by debbugs.gnu.org; 8 Dec 2014 19:44:05 +0000 Received: from localhost ([127.0.0.1]:58046 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Xy4E1-0003eh-0K for submit@debbugs.gnu.org; Mon, 08 Dec 2014 14:44:05 -0500 Received: from hermes.netfonds.no ([80.91.224.195]:56987) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Xy4Dz-0003eY-7C for control@debbugs.gnu.org; Mon, 08 Dec 2014 14:44:03 -0500 Received: from cm-84.215.51.58.getinternet.no ([84.215.51.58] helo=stories.gnus.org) by hermes.netfonds.no with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from ) id 1Xy4Dh-0005my-HD for control@debbugs.gnu.org; Mon, 08 Dec 2014 20:43:45 +0100 Date: Mon, 08 Dec 2014 20:43:45 +0100 Message-Id: To: control@debbugs.gnu.org From: Lars Magne Ingebrigtsen Subject: control message for bug #15057 X-MailScanner-ID: 1Xy4Dh-0005my-HD X-Netfonds-MailScanner: Found to be clean X-Netfonds-MailScanner-From: larsi@gnus.org MailScanner-NULL-Check: 1418672625.9824@R0Kd/kv5TmkYjG9QKpFGzA X-Spam-Status: No X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.0 (/) tags 15057 fixed close 15057 25.1