Gnus development mailing list
From: "Herbert J. Skuhra" <hskuhra@eumx.net>
To: ding@gnus.org
Subject: Re: gnutls.c warning
Date: Fri, 28 Jun 2013 00:53:01 +0200
Message-ID: <87li5vf9o2.wl%hskuhra@eumx.net>
In-Reply-To: <874ncjqwjd.fsf@lifelogs.com>

On Thu, 27 Jun 2013 13:43:34 -0400
Ted Zlatanov <tzz@lifelogs.com> wrote:

> On Wed, 26 Jun 2013 08:25:38 +0200 Tassilo Horn <tsdh@gnu.org> wrote: 
> 
> TH> "Herbert J. Skuhra" <hskuhra@eumx.net> writes:
> >>> I keep getting this warning, and can't find any way to turn it off.
> >>> 
> >>> gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
> >>> has been lowered to 256 bits and this may allow decryption of the session data
> 
> TH> Ditto.
> 
> This is not coming from Emacs, actually.  Shutting it up requires
> lowering the gnutls.el verbosity level altogether.  But the warning is
> very important and should not be ignored.
> 
> >>> Is there some setting to say ok, I understand, quit nagging me?
> >> 
> >> After setting gnutls-min-prime-bits to 1024 I no longer get this
> >> warning.
> 
> TH> ,----[ C-h v gnutls-min-prime-bits RET ]
> TH> | gnutls-min-prime-bits is a variable defined in `gnutls.el'.
> TH> | Its value is 1024
> TH> | Original value was 256
> TH> | 
> TH> | Documentation:
> TH> | Minimum number of prime bits accepted by GnuTLS for key exchange.
> TH> | During a Diffie-Hellman handshake, if the server sends a prime
> TH> | number with fewer than this number of bits, the handshake is
> TH> | rejected.  (The smaller the prime number, the less secure the
> TH> | key exchange is against man-in-the-middle attacks.)
> TH> | 
> TH> | A value of nil says to use the default GnuTLS value.
> TH> `----
> 
> TH> Hm, what happens if the value is higher than what the server wants to
> TH> provide?  Connection error (fine)?  Drop to an insecure connection
> TH> (please no!)?  Or do the servers automatically increase the bit number
> TH> if a client rejects a handshake?
> 
> (The below is AFAIK and please forgive any inaccuracies.)
> 
> We rely on GnuTLS to DTRT.  The DH handshake does not affect the
> security of the session after it's established, so it would not create
> an insecure connection.  Its only purpose is to shake hands and exchange
> identities.
> 
> When the client (Emacs) and the server negotiate to 1024, for instance,
> everything is kosher.  They will try for the highest number.

Will they?

With gnutls-min-prime-bits = 256:

gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
has been lowered to 256 bits and this may allow decryption of the session data

With gnutls-min-prime-bits = 512:

gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
has been lowered to 512 bits and this may allow decryption of the session data
 
The warning is gone if the value is >= 768 or nil.

-- 
Herbert
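
Added example, not part of the thread and not GnuTLS or Emacs code: the check that the quoted gnutls-min-prime-bits docstring describes, written out in C. It reads the prime from a TLS ServerDHParams structure (RFC 5246: dh_p, dh_g, dh_Ys, each preceded by a 2-byte length) and compares its bit length to a minimum. The function names and the sample bytes are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* One TLS opaque<1..2^16-1> field: 2-byte big-endian length, then the data.
   Returns bytes consumed, or 0 if the field is truncated or empty. */
static size_t read_vec16(const unsigned char *buf, size_t len,
                         const unsigned char **data, size_t *dlen)
{
    size_t n = len < 2 ? 0 : ((size_t)buf[0] << 8) | buf[1];
    if (n == 0 || n > len - 2) return 0;
    *data = buf + 2; *dlen = n;
    return 2 + n;
}

/* Bit length of dh_p in ServerDHParams (dh_p, dh_g, dh_Ys); -1 if malformed. */
int dh_prime_bits(const unsigned char *buf, size_t len)
{
    const unsigned char *p, *skip;
    size_t plen, slen, off = read_vec16(buf, len, &p, &plen);
    if (!off) return -1;
    for (int i = 0; i < 2; i++) {           /* dh_g and dh_Ys must parse too */
        size_t used = read_vec16(buf + off, len - off, &skip, &slen);
        if (!used) return -1;
        off += used;
    }
    while (plen > 0 && *p == 0) { p++; plen--; }  /* leading zeros carry no bits */
    if (plen == 0) return -1;
    int bits = (int)(plen * 8);
    for (unsigned char top = *p; !(top & 0x80); top <<= 1) bits--;
    return bits;
}

/* Hypothetical helper: 1 = accept, 0 = below min_bits (reject), -1 = malformed. */
int dh_prime_acceptable(const unsigned char *buf, size_t len, int min_bits)
{
    int bits = dh_prime_bits(buf, len);
    return bits < 0 ? -1 : bits >= min_bits;
}

int main(void)
{
    /* Constructed sample, not a captured handshake: 64-byte dh_p = 2^511. */
    unsigned char msg[72] = {0x00, 0x40, 0x80};
    memcpy(msg + 66, "\x00\x01\x02\x00\x01\x01", 6);  /* dh_g = 2, dh_Ys = 1 */
    printf("dh_p: %d bits; min 256 -> %d, min 1024 -> %d\n", dh_prime_bits(msg, sizeof msg),
           dh_prime_acceptable(msg, sizeof msg, 256), dh_prime_acceptable(msg, sizeof msg, 1024));
    return 0;
}
```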


