From debbugs-submit-bounces@debbugs.gnu.org Sat Jul 09 10:49:31 2011 Received: (at submit) by debbugs.gnu.org; 9 Jul 2011 14:49:32 +0000 Received: from localhost ([127.0.0.1] helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1QfYqZ-00023r-Am for submit@debbugs.gnu.org; Sat, 09 Jul 2011 10:49:31 -0400 Received: from eggs.gnu.org ([140.186.70.92]) by debbugs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1QfYqW-00023b-8K for submit@debbugs.gnu.org; Sat, 09 Jul 2011 10:49:29 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QfYqM-00066k-Ex for submit@debbugs.gnu.org; Sat, 09 Jul 2011 10:49:22 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,FREEMAIL_FROM, RCVD_IN_DNSWL_MED,T_RP_MATCHES_RCVD,T_TO_NO_BRKTS_FREEMAIL autolearn=unavailable version=3.3.1 Received: from lists.gnu.org ([140.186.70.17]:36349) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QfYqM-00066e-53 for submit@debbugs.gnu.org; Sat, 09 Jul 2011 10:49:18 -0400 Received: from eggs.gnu.org ([140.186.70.92]:53444) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QfYqH-0003xu-FE for bug-gnu-emacs@gnu.org; Sat, 09 Jul 2011 10:49:17 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QfYqB-00065L-HX for bug-gnu-emacs@gnu.org; Sat, 09 Jul 2011 10:49:13 -0400 Received: from nougat.ucs.ed.ac.uk ([129.215.13.205]:63419) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QfYqA-000655-VY for bug-gnu-emacs@gnu.org; Sat, 09 Jul 2011 10:49:07 -0400 Received: from lmtp1.ucs.ed.ac.uk (lmtp1.ucs.ed.ac.uk [129.215.149.64]) by nougat.ucs.ed.ac.uk (8.13.8/8.13.4) with ESMTP id p69EmnH8021804 for ; Sat, 9 Jul 2011 15:48:54 +0100 (BST) Received: from e4300lm (02d8b348.bb.sky.com [2.216.179.72]) (authenticated user=lmitche4 mech=PLAIN bits=0) by lmtp1.ucs.ed.ac.uk (8.13.8/8.13.7) with ESMTP id p69Emlc6005612 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for ; Sat, 9 Jul 2011 15:48:48 +0100 (BST) From: Lawrence Mitchell To: bug-gnu-emacs@gnu.org Subject: [PATCH] gnutls: Add option to set minimum acceptable Diffie-Hellman key size Date: Sat, 9 Jul 2011 15:44:28 +0100 Message-ID: <87ei1zpl0x.fsf@ed.ac.uk> MIME-Version: 1.0 Content-Type: text/plain X-Edinburgh-Scanned: at nougat.ucs.ed.ac.uk with MIMEDefang 2.60, Sophie, Sophos Anti-Virus, Clam AntiVirus X-Scanned-By: MIMEDefang 2.60 on 129.215.13.205 X-Scanned-By: MIMEDefang 2.52 on 129.215.149.64 X-detected-operating-system: by eggs.gnu.org: Solaris 10 (beta) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) X-Received-From: 140.186.70.17 X-Spam-Score: -6.6 (------) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: debbugs-submit-bounces@debbugs.gnu.org Errors-To: debbugs-submit-bounces@debbugs.gnu.org X-Spam-Score: -6.6 (------) * gnutls.c (Qgnutls_bootprop_min_prime_bits): New variable. (Fgnutls_boot): Use it * net/gnutls.el (gnutls-min-prime-bits): New variable. (gnutls-negotiate): Use it. The default acceptable key size used by gnutls in Diffie-Hellman key exchange is larger than that advertised by many servers. Introduce a customization option to set the minimum acceptable value so that we can still connect to such servers using TLS. --- With the recent gnutls changes I could no longer send mail with STARTTLS since the smtp server I connect to only advertises a D-H key with 512bits. This is smaller than the default value gnutls allows and so the connection would be aborted. This patch adds the ability to set the minimum acceptable size of key, so that I can send email again! lisp/ChangeLog | 5 +++++ lisp/net/gnutls.el | 22 ++++++++++++++++++++-- src/ChangeLog | 5 +++++ src/gnutls.c | 16 ++++++++++++++++ 4 files changed, 46 insertions(+), 2 deletions(-) diff --git a/lisp/ChangeLog b/lisp/ChangeLog index c3162c3..ca20415 100644 --- a/lisp/ChangeLog +++ b/lisp/ChangeLog @@ -1,3 +1,8 @@ +2011-07-09 Lawrence Mitchell + + * net/gnutls.el (gnutls-min-prime-bits): New variable. + (gnutls-negotiate): Use it. + 2011-07-07 Lars Magne Ingebrigtsen * mail/smtpmail.el (smtpmail-stream-type): Note that `plain' can diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el index 67d7b2d..83726d0 100644 --- a/lisp/net/gnutls.el +++ b/lisp/net/gnutls.el @@ -47,6 +47,19 @@ :type 'integer :group 'gnutls) +;;;###autoload +(defcustom gnutls-min-prime-bits nil + "The minimum number of bits to be used in Diffie-Hellman key exchange. + +This sets the minimum accepted size of the key to be used in a +client-server handshake. If the server sends a prime with fewer than +the specified number of bits the handshake will fail. + +A value of nil says to use the default gnutls value." + :type '(choice (const :tag "Use default value" nil) + (integer :tag "Number of bits" 512)) + :group 'gnutls) + (defun open-gnutls-stream (name buffer host service) "Open a SSL/TLS connection for a service to a host. Returns a subprocess-object to represent the connection. @@ -90,8 +103,8 @@ trust and key files, and priority string." (defun* gnutls-negotiate (&rest spec &key process type hostname priority-string - trustfiles crlfiles keylist verify-flags - verify-error verify-hostname-error + trustfiles crlfiles keylist min-prime-bits + verify-flags verify-error verify-hostname-error &allow-other-keys) "Negotiate a SSL/TLS connection. Returns proc. Signals gnutls-error. @@ -104,6 +117,9 @@ PRIORITY-STRING is as per the GnuTLS docs, default is \"NORMAL\". TRUSTFILES is a list of CA bundles. CRLFILES is a list of CRL files. KEYLIST is an alist of (client key file, client cert file) pairs. +MIN-PRIME-BITS is the minimum acceptable size of Diffie-Hellman keys +\(see `gnutls-min-prime-bits' for more information). Use nil for the +default. When VERIFY-HOSTNAME-ERROR is not nil, an error will be raised when the hostname does not match the presented certificate's host @@ -146,9 +162,11 @@ defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT." "NORMAL:+ANON-DH:!ARCFOUR-128") ((eq type 'gnutls-x509pki) "NORMAL")))) + (min-prime-bits (or min-prime-bits gnutls-min-prime-bits)) (params `(:priority ,priority-string :hostname ,hostname :loglevel ,gnutls-log-level + :min-prime-bits ,min-prime-bits :trustfiles ,trustfiles :crlfiles ,crlfiles :keylist ,keylist diff --git a/src/ChangeLog b/src/ChangeLog index ac20a60..7ea45e7 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2011-07-09 Lawrence Mitchell + + * gnutls.c (Qgnutls_bootprop_min_prime_bits): New variable. + (Fgnutls_boot): Use it. + 2011-07-07 Kenichi Handa * character.h (unicode_category_t): New enum type. diff --git a/src/gnutls.c b/src/gnutls.c index 76cfa5d..26a88a7 100644 --- a/src/gnutls.c +++ b/src/gnutls.c @@ -50,6 +50,7 @@ static Lisp_Object Qgnutls_bootprop_crlfiles; static Lisp_Object Qgnutls_bootprop_callbacks; static Lisp_Object Qgnutls_bootprop_loglevel; static Lisp_Object Qgnutls_bootprop_hostname; +static Lisp_Object Qgnutls_bootprop_min_prime_bits; static Lisp_Object Qgnutls_bootprop_verify_flags; static Lisp_Object Qgnutls_bootprop_verify_hostname_error; @@ -105,6 +106,8 @@ DEF_GNUTLS_FN (int, gnutls_certificate_verify_peers2, DEF_GNUTLS_FN (int, gnutls_credentials_set, (gnutls_session_t, gnutls_credentials_type_t, void *)); DEF_GNUTLS_FN (void, gnutls_deinit, (gnutls_session_t)); +DEF_GNUTLS_FN (void, gnutls_dh_set_prime_bits, + (gnutls_session_t, unsigned int)); DEF_GNUTLS_FN (int, gnutls_error_is_fatal, (int)); DEF_GNUTLS_FN (int, gnutls_global_init, (void)); DEF_GNUTLS_FN (void, gnutls_global_set_log_function, (gnutls_log_func)); @@ -167,6 +170,7 @@ init_gnutls_functions (Lisp_Object libraries) LOAD_GNUTLS_FN (library, gnutls_certificate_verify_peers2); LOAD_GNUTLS_FN (library, gnutls_credentials_set); LOAD_GNUTLS_FN (library, gnutls_deinit); + LOAD_GNUTLS_FN (library, gnutls_dh_set_prime_bits); LOAD_GNUTLS_FN (library, gnutls_error_is_fatal); LOAD_GNUTLS_FN (library, gnutls_global_init); LOAD_GNUTLS_FN (library, gnutls_global_set_log_function); @@ -213,6 +217,7 @@ init_gnutls_functions (Lisp_Object libraries) #define fn_gnutls_certificate_verify_peers2 gnutls_certificate_verify_peers2 #define fn_gnutls_credentials_set gnutls_credentials_set #define fn_gnutls_deinit gnutls_deinit +#define fn_gnutls_dh_set_prime_bits gnutls_dh_set_prime_bits #define fn_gnutls_error_is_fatal gnutls_error_is_fatal #define fn_gnutls_global_init gnutls_global_init #define fn_gnutls_global_set_log_function gnutls_global_set_log_function @@ -641,6 +646,9 @@ gnutls_certificate_set_verify_flags. :verify-hostname-error, if non-nil, makes a hostname mismatch an error. Otherwise it will be just a warning. +:min-prime-bits is the minimum accepted number of bits the client will +accept in Diffie-Hellman key exchange. + The debug level will be set for this process AND globally for GnuTLS. So if you set it higher or lower at any point, it affects global debugging. @@ -693,6 +701,7 @@ one trustfile (usually a CA bundle). */) Lisp_Object verify_flags; /* Lisp_Object verify_error; */ Lisp_Object verify_hostname_error; + Lisp_Object prime_bits; CHECK_PROCESS (proc); CHECK_SYMBOL (type); @@ -714,6 +723,7 @@ one trustfile (usually a CA bundle). */) verify_flags = Fplist_get (proplist, Qgnutls_bootprop_verify_flags); /* verify_error = Fplist_get (proplist, Qgnutls_bootprop_verify_error); */ verify_hostname_error = Fplist_get (proplist, Qgnutls_bootprop_verify_hostname_error); + prime_bits = Fplist_get (proplist, Qgnutls_bootprop_min_prime_bits); if (!STRINGP (hostname)) error ("gnutls-boot: invalid :hostname parameter"); @@ -931,6 +941,11 @@ one trustfile (usually a CA bundle). */) GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_PRIORITY; + if (!EQ (prime_bits, Qnil)) + { + fn_gnutls_dh_set_prime_bits (state, XUINT (prime_bits)); + } + if (EQ (type, Qgnutls_x509pki)) { ret = fn_gnutls_credentials_set (state, GNUTLS_CRD_CERTIFICATE, x509_cred); @@ -1109,6 +1124,7 @@ syms_of_gnutls (void) DEFSYM (Qgnutls_bootprop_crlfiles, ":crlfiles"); DEFSYM (Qgnutls_bootprop_callbacks, ":callbacks"); DEFSYM (Qgnutls_bootprop_callbacks_verify, "verify"); + DEFSYM (Qgnutls_bootprop_min_prime_bits, ":min-prime-bits"); DEFSYM (Qgnutls_bootprop_loglevel, ":loglevel"); DEFSYM (Qgnutls_bootprop_verify_flags, ":verify-flags"); DEFSYM (Qgnutls_bootprop_verify_hostname_error, ":verify-hostname-error"); -- 1.7.6.131.g99019 From debbugs-submit-bounces@debbugs.gnu.org Fri Jul 15 12:49:38 2011 Received: (at 9036) by debbugs.gnu.org; 15 Jul 2011 16:49:39 +0000 Received: from localhost ([127.0.0.1] helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1Qhla5-0002BU-Lr for submit@debbugs.gnu.org; Fri, 15 Jul 2011 12:49:38 -0400 Received: from chirelay1o.jumptrading.com ([38.98.147.153] helo=chirelay1.jumptrading.com) by debbugs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1Qhla3-0002BG-7L for 9036@debbugs.gnu.org; Fri, 15 Jul 2011 12:49:35 -0400 Received: from chirelay1.jumptrading.com (unknown [127.0.0.1]) by chirelay1.jumptrading.com (Symantec Mail Security) with ESMTP id 0BCBC320008 for <9036@debbugs.gnu.org>; Fri, 15 Jul 2011 11:49:30 -0500 (CDT) X-AuditID: 26629395-98466bb000007d42-01-4e206f99ec82 Received: from chiexchange02.w2k.jumptrading.com (unknown [38.98.147.140]) by chirelay1.jumptrading.com (Symantec Mail Security) with ESMTP id EB8C62DC006 for <9036@debbugs.gnu.org>; Fri, 15 Jul 2011 11:49:29 -0500 (CDT) Received: from internalsmtp.w2k.jumptrading.com (10.2.4.29) by chiexchange02.w2k.jumptrading.com (10.2.4.71) with Microsoft SMTP Server id 8.1.291.1; Fri, 15 Jul 2011 11:47:18 -0500 Received: from tzlatanov-ubuntu-desktop.jumptrading.com ([10.2.14.81]) by internalsmtp.w2k.jumptrading.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 15 Jul 2011 11:47:18 -0500 From: Ted Zlatanov To: Lawrence Mitchell Subject: Re: bug#9036: [PATCH] gnutls: Add option to set minimum acceptable Diffie-Hellman key size Organization: =?utf-8?B?0KLQtdC+0LTQvtGAINCX0LvQsNGC0LDQvdC+0LI=?= @ Cienfuegos References: <87ei1zpl0x.fsf@ed.ac.uk> X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6; d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT= D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx" Mail-Copies-To: never Gmane-Reply-To-List: yes Date: Fri, 15 Jul 2011 11:47:16 -0500 In-Reply-To: <87ei1zpl0x.fsf@ed.ac.uk> (Lawrence Mitchell's message of "Sat, 9 Jul 2011 15:44:28 +0100") Message-ID: <87aacf7ap7.fsf@lifelogs.com> User-Agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-OriginalArrivalTime: 15 Jul 2011 16:47:18.0745 (UTC) FILETIME=[DC0E9C90:01CC430E] X-Brightmail-Tracker: AAAAAA== X-Spam-Score: -2.8 (--) X-Debbugs-Envelope-To: 9036 Cc: 9036@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: debbugs-submit-bounces@debbugs.gnu.org Errors-To: debbugs-submit-bounces@debbugs.gnu.org X-Spam-Score: -2.8 (--) On Sat, 9 Jul 2011 15:44:28 +0100 Lawrence Mitchell wrote: LM> * gnutls.c (Qgnutls_bootprop_min_prime_bits): New variable. LM> (Fgnutls_boot): Use it LM> * net/gnutls.el (gnutls-min-prime-bits): New variable. LM> (gnutls-negotiate): Use it. I'm unable to get online for at least another week so please don't wait for me on any GnuTLS-related issues. If you can wait for me, I'll apply this; otherwise Lars or someone else can make the change. It looks fine FWIW but I haven't tested it. Thanks Ted From debbugs-submit-bounces@debbugs.gnu.org Fri Jul 15 13:37:36 2011 Received: (at 9036) by debbugs.gnu.org; 15 Jul 2011 17:37:36 +0000 Received: from localhost ([127.0.0.1] helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1QhmKS-0003IM-Gh for submit@debbugs.gnu.org; Fri, 15 Jul 2011 13:37:36 -0400 Received: from hermes.netfonds.no ([80.91.224.195]) by debbugs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1QhmKM-0003I3-Q8 for 9036@debbugs.gnu.org; Fri, 15 Jul 2011 13:37:31 -0400 Received: from cm-84.215.51.58.getinternet.no ([84.215.51.58] helo=quimbies.gnus.org) by hermes.netfonds.no with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from ) id 1QhmK7-0001kJ-ID; Fri, 15 Jul 2011 19:37:11 +0200 From: Lars Magne Ingebrigtsen To: Lawrence Mitchell Subject: Re: [PATCH] gnutls: Add option to set minimum acceptable Diffie-Hellman key size In-Reply-To: <87ei1zpl0x.fsf@ed.ac.uk> (Lawrence Mitchell's message of "Sat, 9 Jul 2011 15:44:28 +0100") Date: Fri, 15 Jul 2011 19:34:48 +0200 Message-ID: References: <87ei1zpl0x.fsf@ed.ac.uk> User-Agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.50 (gnu/linux) X-Now-Playing: Joni Mitchell's _Shadows And Light (2)_: "Why Do Fools Fall In Love" X-Hashcash: 1:23:110715:bug-gnu-emacs@gnu.org::tiPxin0irbmVvah8:00000000000000000000000000000000000000002HCP X-Hashcash: 1:23:110715:wence@gmx.li::GrW2u8qjCOrYE/6b:000006J55 X-Hashcash: 1:23:110715:9036@debbugs.gnu.org::IavHFxJMp5VEAUS1:00000000000000000000000000000000000000000m+lm MIME-Version: 1.0 Content-Type: text/plain X-MailScanner-ID: 1QhmK7-0001kJ-ID X-Netfonds-MailScanner: Found to be clean X-Netfonds-MailScanner-From: larsi@gnus.org MailScanner-NULL-Check: 1311356231.69429@amajR2T2WHpzTyr9Q3ioag X-Spam-Status: No X-Spam-Score: -2.7 (--) X-Debbugs-Envelope-To: 9036 Cc: 9036@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: debbugs-submit-bounces@debbugs.gnu.org Errors-To: debbugs-submit-bounces@debbugs.gnu.org X-Spam-Score: -2.7 (--) Lawrence Mitchell writes: > With the recent gnutls changes I could no longer send mail with > STARTTLS since the smtp server I connect to only advertises a D-H > key with 512bits. This is smaller than the default value gnutls > allows and so the connection would be aborted. This patch adds > the ability to set the minimum acceptable size of key, so that I > can send email again! Thanks; I'll apply your patch. However, is there any way to make the gnutls library adjust the size downwards automatically if it's too big? -- (domestic pets only, the antidote for overdose, milk.) bloggy blog http://lars.ingebrigtsen.no/ From debbugs-submit-bounces@debbugs.gnu.org Sat Jul 16 06:27:55 2011 Received: (at submit) by debbugs.gnu.org; 16 Jul 2011 10:27:55 +0000 Received: from localhost ([127.0.0.1] helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1Qi26F-00042R-GJ for submit@debbugs.gnu.org; Sat, 16 Jul 2011 06:27:55 -0400 Received: from eggs.gnu.org ([140.186.70.92]) by debbugs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1Qi26D-00042E-T1 for submit@debbugs.gnu.org; Sat, 16 Jul 2011 06:27:54 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Qi267-0000H1-K2 for submit@debbugs.gnu.org; Sat, 16 Jul 2011 06:27:48 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,FREEMAIL_FROM, RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD,T_TO_NO_BRKTS_FREEMAIL autolearn=unavailable version=3.3.1 Received: from lists.gnu.org ([140.186.70.17]:55488) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Qi267-0000Gx-Ia for submit@debbugs.gnu.org; Sat, 16 Jul 2011 06:27:47 -0400 Received: from eggs.gnu.org ([140.186.70.92]:51452) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Qi266-0002L2-Ao for bug-gnu-emacs@gnu.org; Sat, 16 Jul 2011 06:27:47 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Qi265-0000Gn-Av for bug-gnu-emacs@gnu.org; Sat, 16 Jul 2011 06:27:46 -0400 Received: from lo.gmane.org ([80.91.229.12]:41265) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Qi265-0000Gh-3w for bug-gnu-emacs@gnu.org; Sat, 16 Jul 2011 06:27:45 -0400 Received: from list by lo.gmane.org with local (Exim 4.69) (envelope-from ) id 1Qi263-0001NB-85 for bug-gnu-emacs@gnu.org; Sat, 16 Jul 2011 12:27:43 +0200 Received: from host109-152-217-108.range109-152.btcentralplus.com ([109.152.217.108]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Sat, 16 Jul 2011 12:27:43 +0200 Received: from wence by host109-152-217-108.range109-152.btcentralplus.com with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Sat, 16 Jul 2011 12:27:43 +0200 X-Injected-Via-Gmane: http://gmane.org/ To: bug-gnu-emacs@gnu.org From: Lawrence Mitchell Subject: Re: bug#9036: [PATCH] gnutls: Add option to set minimum acceptable Diffie-Hellman key size Date: Sat, 16 Jul 2011 11:27:30 +0100 Lines: 29 Message-ID: <87zkkefrl9.fsf@gmx.li> References: <87ei1zpl0x.fsf@ed.ac.uk> Mime-Version: 1.0 Content-Type: text/plain X-Complaints-To: usenet@dough.gmane.org X-Gmane-NNTP-Posting-Host: host109-152-217-108.range109-152.btcentralplus.com User-Agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.50 (gnu/linux) Cancel-Lock: sha1:Nk3Erk9R7GChmm7nQN4BvypIk0U= X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) X-Received-From: 140.186.70.17 X-Spam-Score: -5.9 (-----) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: debbugs-submit-bounces@debbugs.gnu.org Errors-To: debbugs-submit-bounces@debbugs.gnu.org X-Spam-Score: -5.9 (-----) Lars Magne Ingebrigtsen wrote: > Lawrence Mitchell writes: >> With the recent gnutls changes I could no longer send mail with >> STARTTLS since the smtp server I connect to only advertises a D-H >> key with 512bits. This is smaller than the default value gnutls >> allows and so the connection would be aborted. This patch adds >> the ability to set the minimum acceptable size of key, so that I >> can send email again! > Thanks; I'll apply your patch. > However, is there any way to make the gnutls library adjust the size > downwards automatically if it's too big? The handshake returns GNUTLS_E_DH_PRIME_UNACCEPTABLE if the number of server prime bits is too low. I don't know how to query the size of the server prime. Maybe gnutls_dh_get_prime_bits? I'm wary to automatically adjust downwards. A better error message (pointing at the existance of gnutls-min-prime-bits) in the case of this failure mode would probably be good though. I'll try and cook up a patch in the next few days. Lawrence -- Lawrence Mitchell From debbugs-submit-bounces@debbugs.gnu.org Sat Jul 16 12:08:54 2011 Received: (at 9036) by debbugs.gnu.org; 16 Jul 2011 16:08:54 +0000 Received: from localhost ([127.0.0.1] helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1Qi7QD-0005D9-Nc for submit@debbugs.gnu.org; Sat, 16 Jul 2011 12:08:54 -0400 Received: from hermes.netfonds.no ([80.91.224.195]) by debbugs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1Qi7QB-0005Ct-3I for 9036@debbugs.gnu.org; Sat, 16 Jul 2011 12:08:52 -0400 Received: from cm-84.215.51.58.getinternet.no ([84.215.51.58] helo=quimbies.gnus.org) by hermes.netfonds.no with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from ) id 1Qi7Pz-0001aX-0h; Sat, 16 Jul 2011 18:08:39 +0200 From: Lars Magne Ingebrigtsen To: Lawrence Mitchell Subject: Re: bug#9036: [PATCH] gnutls: Add option to set minimum acceptable Diffie-Hellman key size In-Reply-To: <87zkkefrl9.fsf@gmx.li> (Lawrence Mitchell's message of "Sat, 16 Jul 2011 11:27:30 +0100") Date: Sat, 16 Jul 2011 18:08:36 +0200 Message-ID: References: <87ei1zpl0x.fsf@ed.ac.uk> <87zkkefrl9.fsf@gmx.li> User-Agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.50 (gnu/linux) Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwBAMAAAClLOS0AAAAFVBMVEUzGBd3OiNfMB+BRCiK UzCMbkK+s4pcbVUqAAACY0lEQVQ4jU3UwZKjIBAA0JaYOQdx5owEc1bAPRvFPWejcJ+pgf//hG2i MemqVIwv3SDQQkxRabvFOGqtaUsLeAAzdg+z2gZaM6Yp0y3VlNKW6S2DDmKPCj/s/Cyl3mqlOG+l jDpB7Zy7gbgQAJ7LDVzfALkmqG8NGH44tA8IrGkIqTsECICR5XqFSp0IpZ2br5PDUnDYIJqhATHg IG5aLICSL+iBFOWypBldAXJpnrMaAKe12LFMhGBX0KqHg1+sAiDG+h2CVprnwY6Qc8imeHuDFsBZ dfQ+uBh/3qDBMWbuH4Vj2MGonkA5irQIPvr4BraHDgFL3eEdrl0P0n7G6MNcH1+lbKsGIkccwoXg eChfg6vmIKd06cICF/uCYQCCE42/f/FnbZ7A1MCBjHg546xiPcnxCQp32sWAz7d45xYE51Yw0+Tj /RgGLLc4LJU2wWEp3I0YeG7T/5wrxxW0sqJzcYDjgg8eFis3oGqoav8teB0+gnfXstyhF9LdRfb1 62/eUVnqBywUz9VpPlXV5eb4nyX7fEFDiqFg1ZE7fnHZJ3tCMQiqBMuOlzscp8q+APej4gpU7RCo Ye0DZiyVgWhFF3xs8u5HyjVjTksC8FngOuEpnfrnrOaqaQvOJS5HOrrilD8z6Empipg6RrxPyO1w 3qG5iuKCCTyJegcq+AeeqNQERJoN/jGcbp2Ox5AyQOxwxkP9hXf88MgQcoN7gorD4RtS23Aitwe8 02LRrNUd9oc2LbO23KAqRux+s/U0vj/kDmvv40uEFuvVCoLqNTAnfSGvgC2r34LuQHGENfDFtNJ/ r8n/HDAzPxkAAAAASUVORK5CYII= X-Now-Playing: Joni Mitchell's _Taming the Tiger_: "Taming the Tiger" X-Hashcash: 1:23:110716:wence@gmx.li::XMojBIGhWhKVolGN:000006xQW X-Hashcash: 1:23:110716:9036@debbugs.gnu.org::B84p3ijS1VI8ydRh:00000000000000000000000000000000000000000GiTa MIME-Version: 1.0 Content-Type: text/plain X-MailScanner-ID: 1Qi7Pz-0001aX-0h X-Netfonds-MailScanner: Found to be clean X-Netfonds-MailScanner-From: larsi@gnus.org MailScanner-NULL-Check: 1311437319.0893@x2qMHQa/B+OAxLfvxBSVzg X-Spam-Status: No X-Spam-Score: -2.7 (--) X-Debbugs-Envelope-To: 9036 Cc: 9036@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: debbugs-submit-bounces@debbugs.gnu.org Errors-To: debbugs-submit-bounces@debbugs.gnu.org X-Spam-Score: -2.7 (--) Lawrence Mitchell writes: > The handshake returns GNUTLS_E_DH_PRIME_UNACCEPTABLE if the > number of server prime bits is too low. I don't know how to > query the size of the server prime. Maybe > gnutls_dh_get_prime_bits? I'm wary to automatically adjust > downwards. I think adjusting it downwards automatically until you reach a (user-definable) absolute lower limit would be fine. But I have no idea what an acceptable default lower limit would be, or what the impact on security this would have. > A better error message (pointing at the existance of > gnutls-min-prime-bits) in the case of this failure mode would > probably be good though. I'll try and cook up a patch in the > next few days. Great! -- (domestic pets only, the antidote for overdose, milk.) bloggy blog http://lars.ingebrigtsen.no/ From debbugs-submit-bounces@debbugs.gnu.org Thu Nov 10 10:22:38 2011 Received: (at submit) by debbugs.gnu.org; 10 Nov 2011 15:22:38 +0000 Received: from localhost ([127.0.0.1] helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1ROWSa-0001qC-IJ for submit@debbugs.gnu.org; Thu, 10 Nov 2011 10:22:37 -0500 Received: from eggs.gnu.org ([140.186.70.92]) by debbugs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1ROWSX-0001pz-9T for submit@debbugs.gnu.org; Thu, 10 Nov 2011 10:22:34 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ROWSG-0003fU-1U for submit@debbugs.gnu.org; Thu, 10 Nov 2011 10:22:17 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-5.4 required=5.0 tests=BAYES_00,FREEMAIL_FROM, RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD autolearn=unavailable version=3.3.1 Received: from lists.gnu.org ([140.186.70.17]:42633) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ROWSF-0003fP-V4 for submit@debbugs.gnu.org; Thu, 10 Nov 2011 10:22:16 -0500 Received: from eggs.gnu.org ([140.186.70.92]:39939) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ROWSB-0008RP-PV for bug-gnu-emacs@gnu.org; Thu, 10 Nov 2011 10:22:15 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ROWSA-0003eY-D2 for bug-gnu-emacs@gnu.org; Thu, 10 Nov 2011 10:22:11 -0500 Received: from lo.gmane.org ([80.91.229.12]:43132) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ROWSA-0003eG-7p for bug-gnu-emacs@gnu.org; Thu, 10 Nov 2011 10:22:10 -0500 Received: from list by lo.gmane.org with local (Exim 4.69) (envelope-from ) id 1ROWS7-0001tY-Jv for bug-gnu-emacs@gnu.org; Thu, 10 Nov 2011 16:22:07 +0100 Received: from e4300lm.epcc.ed.ac.uk ([129.215.63.156]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Thu, 10 Nov 2011 16:22:07 +0100 Received: from wence by e4300lm.epcc.ed.ac.uk with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Thu, 10 Nov 2011 16:22:07 +0100 X-Injected-Via-Gmane: http://gmane.org/ To: bug-gnu-emacs@gnu.org From: Lawrence Mitchell Subject: Re: bug#9036: [PATCH] gnutls: Add option to set minimum acceptable Diffie-Hellman key size Date: Thu, 10 Nov 2011 15:21:54 +0000 Lines: 30 Message-ID: <87ty6c6m0d.fsf@gmx.li> References: <87ei1zpl0x.fsf@ed.ac.uk> <87zkkefrl9.fsf@gmx.li> Mime-Version: 1.0 Content-Type: text/plain X-Complaints-To: usenet@dough.gmane.org X-Gmane-NNTP-Posting-Host: e4300lm.epcc.ed.ac.uk User-Agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.91 (gnu/linux) Cancel-Lock: sha1:VgQLNtUEKFRG7x75bD5/ICXm0L0= X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) X-Received-From: 140.186.70.17 X-Spam-Score: -5.6 (-----) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: debbugs-submit-bounces@debbugs.gnu.org Errors-To: debbugs-submit-bounces@debbugs.gnu.org X-Spam-Score: -5.6 (-----) Lars Magne Ingebrigtsen wrote: > Lawrence Mitchell writes: >> The handshake returns GNUTLS_E_DH_PRIME_UNACCEPTABLE if the >> number of server prime bits is too low. I don't know how to >> query the size of the server prime. Maybe >> gnutls_dh_get_prime_bits? I'm wary to automatically adjust >> downwards. > I think adjusting it downwards automatically until you reach a > (user-definable) absolute lower limit would be fine. But I have no idea > what an acceptable default lower limit would be, or what the impact on > security this would have. >> A better error message (pointing at the existance of >> gnutls-min-prime-bits) in the case of this failure mode would >> probably be good though. I'll try and cook up a patch in the >> next few days. > Great! So it turns out this wasn't a few days. And I couldn't figure out a nice way to fix things up properly. So no patch sorry :(. However, I think the original bug can be closed, because there is now an option to set the DH key size. Lawrence -- Lawrence Mitchell From debbugs-submit-bounces@debbugs.gnu.org Thu Nov 10 12:35:06 2011 Received: (at control) by debbugs.gnu.org; 10 Nov 2011 17:35:06 +0000 Received: from localhost ([127.0.0.1] helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1ROYWo-0006J6-6i for submit@debbugs.gnu.org; Thu, 10 Nov 2011 12:35:06 -0500 Received: from fencepost.gnu.org ([140.186.70.10] ident=Debian-exim) by debbugs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1ROYWm-0006Iz-AM for control@debbugs.gnu.org; Thu, 10 Nov 2011 12:35:05 -0500 Received: from rgm by fencepost.gnu.org with local (Exim 4.71) (envelope-from ) id 1ROYWZ-0004Uo-RQ for control@debbugs.gnu.org; Thu, 10 Nov 2011 12:34:51 -0500 Date: Thu, 10 Nov 2011 12:34:51 -0500 Message-Id: Subject: control message for bug 9036 To: X-Mailer: mail (GNU Mailutils 2.1) From: Glenn Morris X-Spam-Score: -6.4 (------) X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: debbugs-submit-bounces@debbugs.gnu.org Errors-To: debbugs-submit-bounces@debbugs.gnu.org X-Spam-Score: -6.4 (------) close 9036 24.1 From debbugs-submit-bounces@debbugs.gnu.org Mon Nov 21 13:28:33 2011 Received: (at 9036-done) by debbugs.gnu.org; 21 Nov 2011 18:28:33 +0000 Received: from localhost ([127.0.0.1] helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1RSYbV-0004DH-0d for submit@debbugs.gnu.org; Mon, 21 Nov 2011 13:28:33 -0500 Received: from hermes.netfonds.no ([80.91.224.195]) by debbugs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1RSYbP-0004D4-OK for 9036-done@debbugs.gnu.org; Mon, 21 Nov 2011 13:28:28 -0500 Received: from cm-84.215.51.58.getinternet.no ([84.215.51.58] helo=stories.gnus.org) by hermes.netfonds.no with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from ) id 1RSYa3-0007Bh-FC; Mon, 21 Nov 2011 19:26:59 +0100 From: Lars Magne Ingebrigtsen To: Lawrence Mitchell Subject: Re: bug#9036: [PATCH] gnutls: Add option to set minimum acceptable Diffie-Hellman key size In-Reply-To: <87ty6c6m0d.fsf@gmx.li> (Lawrence Mitchell's message of "Thu, 10 Nov 2011 15:21:54 +0000") Date: Mon, 21 Nov 2011 19:26:55 +0100 Message-ID: References: <87ei1zpl0x.fsf@ed.ac.uk> <87zkkefrl9.fsf@gmx.li> <87ty6c6m0d.fsf@gmx.li> User-Agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.91 (gnu/linux) Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwBAMAAAClLOS0AAAAD1BMVEWehmwKBQwRBw4xGxsG Awq3BrNMAAACUElEQVQ4jT2Ui5HrMAhFGasCZBVggQtQwA3gqP+a3kXKPs3ObMIRvysIyT7u5kSj OA0qLvekOYOZq/hIC1EZPpwXmMkUtnXKIBeYqC+yQaGF3WbbHjHPZTl69QEu7/sHNJNS4dYM/7wv j8CfD8Qmr/VOUBCfwqOyKHkBkNAjPT7vTadlF5kZZRpfqzRtD0nvnhmREk7oJPt0YcrekOFCkbpv O32frKoqgF22/bIL5zYbPBQfTVQkC4ZconfwpBbwsM5d5BrFAD+hPRAqqggaglwKcZHnmd/yACC7 IOgMlYGIF8Dp8AiGA8/ZWKvixnXM6R68QUuBP3z2m98WZ0FkkiraU7C4Z9gds30TTEKdvt4Er1YP xJzvPe4phL49v1a5Ubhk0AlQ4aEGEMhUxfZ7aoOHu34S1B71tFX3/c03h3adQWrOyic/vQ9AIzGF iUM2kHqjvPQQXoCdKxpUBJ5aE7ycd7kalEmx/GiWLtBqneqydHfHS37R6x9ADMkXdM+XMv4DiIJn SZATbDZ5g3x31/9AnqVu2nHdXX9jnfMWtOy7nt/AF2duO8eaoPQZGxhsO4eYr/PbEO8JkiBWbtTv jC4b5KDgOgY09wnns0JByVguGNQfKJm8T6zoDgYfG+h8lNNvEth/3bsNQ2FHqvKkap5VYGLUvCv6 g7MZheZ2e07iOGzGKNo1VywqIkCgO5cfC65kFVMeFCHz/KmEcQlVXXuLcjFEMv6D9VOAId4/GXWL gUzvlFTNAN4UuV/ZW5nvyCIhY90euFZIIcXa5gJJ+z+mOJy7dSeYQwAAAABJRU5ErkJggg== X-Now-Playing: Wolves in the Throne Room's _Celestial Lineage_: "Woodland Cathedral" MIME-Version: 1.0 Content-Type: text/plain X-MailScanner-ID: 1RSYa3-0007Bh-FC X-Netfonds-MailScanner: Found to be clean X-Netfonds-MailScanner-From: larsi@gnus.org MailScanner-NULL-Check: 1322504820.02975@7mMoFmrE+yJGmf+OH4AohQ X-Spam-Status: No X-Spam-Score: -2.6 (--) X-Debbugs-Envelope-To: 9036-done Cc: 9036-done@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: debbugs-submit-bounces@debbugs.gnu.org Errors-To: debbugs-submit-bounces@debbugs.gnu.org X-Spam-Score: -2.6 (--) Lawrence Mitchell writes: > And I couldn't figure out a nice way to fix things up properly. > So no patch sorry :(. However, I think the original bug can be > closed, because there is now an option to set the DH key size. Ok; I'm closing the report. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog http://lars.ingebrigtsen.no/ From unknown Tue Jun 17 01:32:28 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Tue, 20 Dec 2011 12:24:03 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator