GNU bug report logs - #17660
24.3; gnutls-min-prime-bits is 256

Package: emacs;

Reported by: Juliusz Chroboczek <jch <at> pps.univ-paris-diderot.fr>

Date: Sun, 1 Jun 2014 13:25:01 UTC

Severity: important

Tags: fixed, security

Found in version 24.3

Fixed in version 25.1

Done: Lars Magne Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#17660; Package emacs. (Sun, 01 Jun 2014 13:25:02 GMT)

Acknowledgement sent to Juliusz Chroboczek <jch <at> pps.univ-paris-diderot.fr>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Sun, 01 Jun 2014 13:25:03 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Juliusz Chroboczek <jch <at> pps.univ-paris-diderot.fr>
To: bug-gnu-emacs <at> gnu.org
Subject: 24.3; gnutls-min-prime-bits is 256
Date: Sun, 01 Jun 2014 15:23:49 +0200

In gnutls.el, I see

  (defcustom gnutls-min-prime-bits 256
     ...)

This uses 256 bits for Diffie-Hellman rather than the gnutls default, which
seems awfully low to me.

It looks like this was lowered due to bug#11267.  I suggest that it really
should be set to a reasonable value.

-- Juliusz




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#17660; Package emacs. (Thu, 05 Jun 2014 14:32:01 GMT)

Message #8 received at 17660 <at> debbugs.gnu.org:

From: Ted Zlatanov <tzz <at> lifelogs.com>
To: Juliusz Chroboczek <jch <at> pps.univ-paris-diderot.fr>
Cc: 17660 <at> debbugs.gnu.org
Subject: Re: bug#17660: 24.3; gnutls-min-prime-bits is 256
Date: Thu, 05 Jun 2014 10:30:53 -0400

On Sun, 01 Jun 2014 15:23:49 +0200 Juliusz Chroboczek <jch <at> pps.univ-paris-diderot.fr> wrote:

JC> In gnutls.el, I see
JC>   (defcustom gnutls-min-prime-bits 256
JC>      ...)

JC> This uses 256 bits for Diffie-Hellman rather than the gnutls default, which
JC> seems awfully low to me.

JC> It looks like this was lowered due to bug#11267.  I suggest that it really
JC> should be set to a reasonable value.

Please read through bug#11267 and bug#15057. The recommended solution
from the GnuTLS maintainer was to avoid the DH exchange that requires
`gnutls-min-prime-bits' altogether.  So the proper fix seems to be to
change the default for `gnutls-algorithm-priority' but that may break
some people's setups (just like raising `gnutls-min-prime-bits' would).

Ted
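The two settings discussed in the report and in Ted's reply, placed side by side as they would appear in a user's init file. This is an added illustration, not code from the bug report, from gnutls.el or from the GnuTLS project. The 1024-bit threshold and the exact priority string are this example's choices; the note that nil falls back to the library default follows the variable's docstring in gnutls.el.

```elisp
;; Added example, not from the bug report: the Emacs 24.3 default for
;; the Diffie-Hellman minimum prime size, and the two ways of tightening
;; it that the thread mentions.
(require 'gnutls)

;; What Emacs 24.3 ships with, as quoted in the report.  Any DHE
;; handshake whose server-supplied prime is at least 256 bits long is
;; accepted, which is far below what the GnuTLS library itself would
;; insist on.  (Commented out: this is the value being replaced.)
;; (setq gnutls-min-prime-bits 256)

;; Option A: keep finite-field DHE but refuse short primes.  1024 is this
;; example's choice.  Servers that still send smaller primes will fail
;; the handshake, which is the "may break some people's setups" cost Ted
;; refers to.  Per the variable's docstring, nil instead hands the
;; decision back to the GnuTLS default.
(setq gnutls-min-prime-bits 1024)

;; Option B, the approach Ted relays from the GnuTLS maintainer: do not
;; negotiate finite-field DH at all, so `gnutls-min-prime-bits' never
;; comes into play.  `gnutls-algorithm-priority' is nil by default, which
;; means GnuTLS's NORMAL set; the string below is an assumed policy for
;; this example, not a value from the report.  It starts from NORMAL and
;; removes the DHE key exchanges, leaving ECDHE and static RSA.
;; Caveat: against a server that offers no ECDHE suites this falls back
;; to static RSA, i.e. no forward secrecy.
(setq gnutls-algorithm-priority "NORMAL:-DHE-RSA:-DHE-DSS")

(defun my/gnutls-dh-policy ()
  "Return the DH-related GnuTLS policy this Emacs session will apply.
Helper written for this example; not part of Emacs.  The :priority
value is what Emacs passes to GnuTLS, with nil shown as the NORMAL
set that Emacs substitutes for it."
  (list :min-prime-bits gnutls-min-prime-bits
        :priority (or gnutls-algorithm-priority "NORMAL")))
```

Either option goes in the init file before the first TLS connection is opened; `M-: (my/gnutls-dh-policy)` shows what is in effect. Option A and Option B are alternatives, so a real configuration would pick one rather than set both as the example does for comparison.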




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#17660; Package emacs. (Mon, 08 Dec 2014 19:47:02 GMT)

Message #11 received at 17660 <at> debbugs.gnu.org:

From: Lars Magne Ingebrigtsen <larsi <at> gnus.org>
To: Juliusz Chroboczek <jch <at> pps.univ-paris-diderot.fr>
Cc: 17660 <at> debbugs.gnu.org
Subject: Re: bug#17660: 24.3; gnutls-min-prime-bits is 256
Date: Mon, 08 Dec 2014 20:46:35 +0100

Juliusz Chroboczek <jch <at> pps.univ-paris-diderot.fr> writes:

> In gnutls.el, I see
>
>   (defcustom gnutls-min-prime-bits 256
>      ...)
>
> This uses 256 bits for Diffie-Hellman rather than the gnutls default, which
> seems awfully low to me.
>
> It looks like this was lowered due to bug#11267.  I suggest that it really
> should be set to a reasonable value.

In Emacs 25, people who want higher security can use the Network
Security Manager to achieve this, so I think the default here is
reasonable.  Closing.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
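What "use the Network Security Manager" looks like in practice on Emacs 25, together with an offline check of the parameters a TLS connection actually negotiated. This is an added example, not code from the bug report or from Emacs. It assumes the Emacs 25 `nsm` library and the `gnutls-peer-status' plist keys `:key-exchange`, `:protocol` and `:diffie-hellman-prime-bits`; the 1024-bit threshold and the two sample plists are constructed for the example.

```elisp
;; Added example, not from the bug report: turning on stricter NSM
;; checking in Emacs 25, and inspecting a connection's negotiated DH
;; parameters independently of NSM.
(require 'nsm)
(require 'gnutls)

;; NSM levels are low, medium, high and paranoid.  Which individual
;; checks run at each level is defined in nsm.el and has changed between
;; releases, so read 'high as "stricter than the default" rather than as
;; a specific prime-size rule.
(setq network-security-level 'high)

;; `gnutls-peer-status' (Emacs 25) describes a live TLS connection as a
;; plist.  The threshold below is this example's choice, not a value
;; taken from Emacs or from the report.
(defconst my/dh-min-acceptable-bits 1024
  "Smallest Diffie-Hellman prime this example treats as acceptable.")

(defun my/weak-dh-p (peer-status)
  "Return non-nil when PEER-STATUS shows a DHE exchange with a short prime.
PEER-STATUS is a plist of the shape returned by `gnutls-peer-status'.
A connection that did not use finite-field DH carries no
:diffie-hellman-prime-bits key and is not reported as weak here,
because `gnutls-min-prime-bits' does not apply to it."
  (let ((bits (plist-get peer-status :diffie-hellman-prime-bits)))
    (and (integerp bits)
         (< bits my/dh-min-acceptable-bits))))

;; Constructed sample plists for offline evaluation; these are not
;; captured from any real server.
(defconst my/sample-weak-status
  '(:key-exchange "DHE-RSA" :protocol "TLS1.2" :diffie-hellman-prime-bits 512)
  "Constructed example of a DHE handshake with a 512-bit prime.")

(defconst my/sample-ecdhe-status
  '(:key-exchange "ECDHE-RSA" :protocol "TLS1.2")
  "Constructed example of an ECDHE handshake, to which the DH prime size is irrelevant.")

(defun my/check-live-connection (host port)
  "Open a TLS connection to HOST:PORT and return (WEAK-P . STATUS).
Needs network access; shows where `gnutls-peer-status' is applied.
The connection is closed before returning."
  (let ((proc (open-network-stream "dh-probe" nil host port :type 'tls)))
    (unwind-protect
        (let ((status (gnutls-peer-status proc)))
          (cons (my/weak-dh-p status) status))
      (delete-process proc))))
```

Evaluating `my/weak-dh-p' on the two constructed plists separates the short-prime DHE case from the ECDHE case without touching the network; `my/check-live-connection' applies the same predicate to a real handshake. Note that the predicate only flags what NSM's own checks might also flag; it does not change what Emacs accepts, which remains governed by `gnutls-min-prime-bits', `gnutls-algorithm-priority' and `network-security-level'.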




Added tag(s) fixed. Request was from Lars Magne Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Mon, 08 Dec 2014 19:48:01 GMT)

bug marked as fixed in version 25.1, send any further explanations to 17660 <at> debbugs.gnu.org and Juliusz Chroboczek <jch <at> pps.univ-paris-diderot.fr> Request was from Lars Magne Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Mon, 08 Dec 2014 19:48:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 06 Jan 2015 12:24:06 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.