GNU bug report logs - #31946
27.0.50; The NSM should warn about more TLS problems


Package: emacs;

Reported by: Lars Ingebrigtsen <larsi <at> gnus.org>

Date: Sat, 23 Jun 2018 10:39:02 UTC

Severity: normal

Tags: fixed, security

Found in version 27.0.50

Fixed in version 27.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.



Message #50 received at 31946 <at> debbugs.gnu.org:

From: Noam Postavsky <npostavs <at> gmail.com>
To: Jimmy Yuen Ho Wong <wyuenho <at> gmail.com>
Cc: Eli Zaretskii <eliz <at> gnu.org>, 31946 <at> debbugs.gnu.org,
 Lars Ingebrigtsen <larsi <at> gnus.org>
Subject: Re: bug#31946: 27.0.50; The NSM should warn about more TLS problems
Date: Wed, 27 Jun 2018 20:14:42 -0400
Jimmy Yuen Ho Wong <wyuenho <at> gmail.com> writes:

> Tidbit: The GnuTLS basically ignored a group of Adobe researchers when they
> reported to them GnuTLS was susceptible to the small group
> attack[7]...

> [7]: https://eprint.iacr.org/2016/995.pdf

I guess the report is here (the reporter, Luke Valenta, is the first
author of the paper): https://gitlab.com/gnutls/gnutls/issues/104

The paper just says "didn't patch", but looking in the details of the
report, Luke says:

    From a client's perspective, the TLS protocol limitation does
    prevent "q" from being specified. However, since a server knows the
    value of "q", it should perform proper subgroup validation checks
    as a precaution against small subgroup attacks[...]

    I agree that since the server does not reuse ephemeral DH keys, it
    is not currently vulnerable to a small subgroup attack.

So, the client side can't be patched, and the server side doesn't really
need to be patched (just leave the "reuse ephemeral key" option turned
off).

Furthermore, it seems gnutls has added support for standardized primes,
so that pretty much resolves the issue as much as it can be:

https://gitlab.com/gnutls/gnutls/merge_requests/437
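As an added illustration (not code from the bug report or from GnuTLS) of the asymmetry Luke describes: a server that knows the subgroup order q can reject a peer's DH public value that lies outside the prime-order subgroup, while a TLS client, which is never told q, can only do the range check. The group parameters below are constructed toy values (p = 2q + 1).

```python
import secrets

# Constructed toy safe-prime group for illustration only; real TLS uses
# 2048-bit groups such as those in RFC 7919.  p = 2q + 1, and g generates
# the subgroup of prime order q.
P, Q, G = 23, 11, 2
assert P == 2 * Q + 1 and pow(G, Q, P) == 1 and G != 1


def validate_dh_public(y, p, q=None):
    """Check a peer's DH public value y. Returns (ok, reason).

    The range check rejects y = 0, 1 and p-1 (orders 1 and 2). Only a
    party that knows q can also verify y^q == 1 (mod p), which rejects
    every value outside the order-q subgroup.
    """
    if not 1 < y < p - 1:
        return False, "out of range"
    if q is None:
        return True, "range check only (q unknown, as for a TLS client)"
    if pow(y, q, p) != 1:
        return False, "not in the order-q subgroup"
    return True, "subgroup check passed"


def server_respond(client_pub, p=P, q=Q, g=G):
    """Server side of one ephemeral exchange: validate the client's value
    with the full subgroup check, then derive (server_pub, shared_secret).
    A fresh exponent is drawn per handshake and never reused."""
    ok, reason = validate_dh_public(client_pub, p, q)
    if not ok:
        raise ValueError(f"rejected client public value: {reason}")
    x = secrets.randbelow(q - 1) + 1          # 1 <= x < q
    return pow(g, x, p), pow(client_pub, x, p)


if __name__ == "__main__":
    # 5 is not a quadratic residue mod 23, so it is not in the subgroup.
    print("server view of y=5:", validate_dh_public(5, P, Q))
    print("client view of y=5:", validate_dh_public(5, P))
    print("server view of y=4:", validate_dh_public(4, P, Q))
```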






GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.