Re: gnutls.c warning - Tassilo Horn

Gnus development mailing list
 help / color / mirror / Atom feed

From: Tassilo Horn <tsdh@gnu.org>
To: "Herbert J. Skuhra" <hskuhra@eumx.net>
Cc: david@adboyd.com (J. David Boyd),  ding@gnus.org
Subject: Re: gnutls.c warning
Date: Wed, 26 Jun 2013 08:25:38 +0200	[thread overview]
Message-ID: <87li5x5qxp.fsf@thinkpad.tsdh.de> (raw)
In-Reply-To: <87fvw57tx5.wl%hskuhra@eumx.net> (Herbert J. Skuhra's message of "Tue, 25 Jun 2013 23:38:14 +0200")

"Herbert J. Skuhra" <hskuhra@eumx.net> writes:

>> I keep getting this warning, and can't find any way to turn it off.
>> 
>> gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
>> has been lowered to 256 bits and this may allow decryption of the session data

Ditto.

>> Is there some setting to say ok, I understand, quit nagging me?
>
> After setting gnutls-min-prime-bits to 1024 I no longer get this
> warning.

,----[ C-h v gnutls-min-prime-bits RET ]
| gnutls-min-prime-bits is a variable defined in `gnutls.el'.
| Its value is 1024
| Original value was 256
| 
| Documentation:
| Minimum number of prime bits accepted by GnuTLS for key exchange.
| During a Diffie-Hellman handshake, if the server sends a prime
| number with fewer than this number of bits, the handshake is
| rejected.  (The smaller the prime number, the less secure the
| key exchange is against man-in-the-middle attacks.)
| 
| A value of nil says to use the default GnuTLS value.
`----

Hm, what happens if the value is higher than what the server wants to
provide?  Connection error (fine)?  Drop to an insecured connection
(please no!)?  Or do the servers automatically increase the bit number
if a client rejects a handshake?

Bye,
Tassilo

next prev parent reply	other threads:[~2013-06-26  6:25 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-06-25 19:07 J. David Boyd
2013-06-25 21:38 ` Herbert J. Skuhra
2013-06-26  6:25   ` Tassilo Horn [this message]
2013-06-27 17:43     ` Ted Zlatanov
2013-06-27 22:53       ` Herbert J. Skuhra
2013-06-28 12:39         ` Tassilo Horn
2013-06-28 14:22           ` Ted Zlatanov
2013-07-01 12:41             ` Ted Zlatanov
2013-06-26 15:47   ` J. David Boyd
2013-06-26 16:59     ` J. David Boyd

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87li5x5qxp.fsf@thinkpad.tsdh.de \
    --to=tsdh@gnu.org \
    --cc=david@adboyd.com \
    --cc=ding@gnus.org \
    --cc=hskuhra@eumx.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).