GNU bug report logs -
#31946
27.0.50; The NSM should warn about more TLS problems
Previous Next
Reported by: Lars Ingebrigtsen <larsi <at> gnus.org>
Date: Sat, 23 Jun 2018 10:39:02 UTC
Severity: normal
Tags: fixed, security
Found in version 27.0.50
Fixed in version 27.1
Done: Lars Ingebrigtsen <larsi <at> gnus.org>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
Eli Zaretskii <eliz <at> gnu.org> writes:
>> From: Lars Ingebrigtsen <larsi <at> gnus.org>
>> Date: Tue, 26 Jun 2018 11:27:34 +0200
>> Cc: 31946 <at> debbugs.gnu.org, Jimmy Yuen Ho Wong <wyuenho <at> gmail.com>
>>
>> We could get in touch with the gnutls maintainer and ask for his input
>> and perhaps ask for API endpoints to allow us to check for these things?
>
> Yes, I think that's the right way for moving forward.
By the way, I've researched this a bit more, it seems like there is no
practical way to detect small subgroups at all, the only solution is to
move to standardized domains (the smallest of which is 2048 bits)
similar to how ECDHE uses standard curves. This also solves the
composite prime problem, which is likely too expensive to check as well.
https://tools.ietf.org/html/rfc7919:
Additionally, the DH parameters selected by the server may have a
known structure that renders them secure against a small subgroup
attack, but a client receiving an arbitrary p and g has no efficient
way to verify that the structure of a new group is reasonable for
use.
This bug report was last modified 5 years and 327 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.