From: Tassilo Horn
Newsgroups: gmane.emacs.gnus.general
Subject: Re: gnutls.c warning
Date: Wed, 26 Jun 2013 08:25:38 +0200
Message-ID: <87li5x5qxp.fsf@thinkpad.tsdh.de>
References: <87fvw57tx5.wl%hskuhra@eumx.net>
To: "Herbert J. Skuhra"
Cc: david@adboyd.com (J. David Boyd), ding@gnus.org

"Herbert J. Skuhra" writes:

>> I keep getting this warning, and can't find any way to turn it off.
>>
>> gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
>> has been lowered to 256 bits and this may allow decryption of the session data

Ditto.

>> Is there some setting to say ok, I understand, quit nagging me?
>
> After setting gnutls-min-prime-bits to 1024 I no longer get this
> warning.

,----[ C-h v gnutls-min-prime-bits RET ]
| gnutls-min-prime-bits is a variable defined in `gnutls.el'.
| Its value is 1024
| Original value was 256
|
| Documentation:
| Minimum number of prime bits accepted by GnuTLS for key exchange.
| During a Diffie-Hellman handshake, if the server sends a prime
| number with fewer than this number of bits, the handshake is
| rejected.  (The smaller the prime number, the less secure the
| key exchange is against man-in-the-middle attacks.)
|
| A value of nil says to use the default GnuTLS value.
`----

Hm, what happens if the value is higher than what the server wants to
provide?  Connection error (fine)?  Drop to an insecure connection
(please no!)?  Or do the servers automatically increase the bit number
if a client rejects a handshake?

Bye,
Tassilo
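
The rule in the docstring quoted above, modeled in Python as an added example (not part of the original message and not GnuTLS or gnutls.el code): it parses the TLS ServerDHParams structure, measures the prime the server sent, and rejects the exchange when the prime is shorter than the configured minimum. All function names and the sample messages are assumptions made for illustration.

```python
import struct

class DHPrimeTooSmall(Exception):
    """The server's DH prime is shorter than the client's minimum."""

def read_opaque16(buf, off):
    # TLS vector: 2-byte big-endian length, then that many bytes.
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    end = off + 2 + n
    if n == 0 or end > len(buf):
        raise ValueError("empty or truncated vector")
    return int.from_bytes(buf[off + 2:end], "big"), end

def parse_server_dh_params(buf):
    """ServerDHParams (RFC 5246, 7.4.3): dh_p, dh_g, dh_Ys in that order."""
    p, off = read_opaque16(buf, 0)
    g, off = read_opaque16(buf, off)
    ys, _ = read_opaque16(buf, off)
    return p, g, ys

def check_min_prime_bits(buf, min_prime_bits):
    """Return the prime's bit length; raise instead of continuing if too short."""
    p, _, _ = parse_server_dh_params(buf)
    bits = p.bit_length()
    if bits < min_prime_bits:
        raise DHPrimeTooSmall(f"prime has {bits} bits, minimum is {min_prime_bits}")
    return bits

def encode(p, g, ys):
    # Builds the constructed sample messages below.
    parts = (v.to_bytes((v.bit_length() + 7) // 8, "big") for v in (p, g, ys))
    return b"".join(struct.pack("!H", len(r)) + r for r in parts)

# Constructed samples: the numbers are not real primes, only their bit length matters here.
SMALL = encode((1 << 511) | 1, 2, 5)     # 512-bit dh_p
LARGE = encode((1 << 1023) | 1, 2, 5)    # 1024-bit dh_p

if __name__ == "__main__":
    for name, msg in (("512-bit", SMALL), ("1024-bit", LARGE)):
        for minimum in (256, 1024):      # original and changed values from the docstring
            try:
                check_min_prime_bits(msg, minimum)
                result = "accepted"
            except DHPrimeTooSmall as err:
                result = f"rejected ({err})"
            print(f"{name} prime, minimum {minimum}: {result}")
```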