GNU bug report logs - #16253
24.3.50; Irrelevant warnings from gnutls

Previous Next

Package: emacs;

Reported by: Lars Ingebrigtsen <larsi <at> gnus.org>

Date: Wed, 25 Dec 2013 09:16:02 UTC

Severity: minor

Tags: fixed

Merged with 18148, 25396

Found in versions 24.3.50, 24.3.92, 24.5

Fixed in versions 25.1, 26.1

Done: Lars Magne Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Ted Zlatanov <tzz <at> lifelogs.com>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at> gmail.com>, Roland Winkler <winkler <at> gnu.org>, 15057 <at> debbugs.gnu.org, 16253 <at> debbugs.gnu.org, 11267 <at> debbugs.gnu.org, Tassilo Horn <tsdh <at> gnu.org>
Subject: bug#16253: bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
Date: Tue, 11 Feb 2014 09:21:58 -0500

On Mon, 10 Feb 2014 21:09:25 -0800 Lars Ingebrigtsen <larsi <at> gnus.org> wrote: 

LI> (Emacs, being Emacs, might offer as an option a way to restrict all TLS
LI> connections to a smaller set of algorithms/levels, but that should not
LI> be the default.)

I think it should, as long as we make it easy to drop down the security,
as I described:

>> * how to try allowing the less-secure connection (perhaps a simple
>> command to automate this, or even a clickable button, would be nicer
>> than asking the user to `customize-variable').  The original discussion
>> sort of settled on magically reopening the connection with less security
>> but I think that might be a disservice to the users.

LI> We would always try to get the most secure TLS connection possible, so I
LI> don't quite understand "reconnect"...

So my proposal is simply to provide two buttons "allow host X to connect
with lower DHE security [temporarily] [permanently]" and when the button
is clicked, customize `gnutls-algorithm-priority' to allow DHE to that
specific host.

`gnutls-negotiate' has to be changed slightly and the connection
rejection from insecure hosts will need to be handled in gnutls.c and
gnutls.el.

I think that's as seamless as we can make it, especially noting that
`gnutls-min-prime-bits' is deprecated since GnuTLS 3.1.7 (see
http://www.gnutls.org/manual/gnutls.html#index-gnutls_005fdh_005fset_005fprime_005fbits).

If we provide that simple UI, plus some help messaging, I think we can
disable DHE by default.  Based on Nikos' explanation, it seems to be the
best way forward.

Ted
This bug report was last modified 8 years and 190 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.