gnutls.c warning

gnutls.c warning

[J. David Boyd]

I keep getting this warning, and can't find any way to turn it off.

gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
has been lowered to 256 bits and this may allow decryption of the session data


Is there some setting to say ok, I understand, quit nagging me?

I'm using "GNU Emacs 24.3.1 (i686-pc-cygwin, GTK+ Version 3.6.4)" with
gnutls-cli version 3.2.0

Dave

Re: gnutls.c warning

[Herbert J. Skuhra]

On Tue, 25 Jun 2013 15:07:08 -0400
david@adboyd.com (J. David Boyd) wrote:

> 
> I keep getting this warning, and can't find any way to turn it off.
> 
> gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
> has been lowered to 256 bits and this may allow decryption of the session data
>  
> Is there some setting to say ok, I understand, quit nagging me?

After setting gnutls-min-prime-bits to 1024 I no longer get this
warning.

-- 
Herbert

Re: gnutls.c warning

[Tassilo Horn]

"Herbert J. Skuhra" <hskuhra@eumx.net> writes:

>> I keep getting this warning, and can't find any way to turn it off.
>> 
>> gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
>> has been lowered to 256 bits and this may allow decryption of the session data

Ditto.

>> Is there some setting to say ok, I understand, quit nagging me?
>
> After setting gnutls-min-prime-bits to 1024 I no longer get this
> warning.

,----[ C-h v gnutls-min-prime-bits RET ]
| gnutls-min-prime-bits is a variable defined in `gnutls.el'.
| Its value is 1024
| Original value was 256
| 
| Documentation:
| Minimum number of prime bits accepted by GnuTLS for key exchange.
| During a Diffie-Hellman handshake, if the server sends a prime
| number with fewer than this number of bits, the handshake is
| rejected.  (The smaller the prime number, the less secure the
| key exchange is against man-in-the-middle attacks.)
| 
| A value of nil says to use the default GnuTLS value.
`----

Hm, what happens if the value is higher than what the server wants to
provide?  Connection error (fine)?  Drop to an insecured connection
(please no!)?  Or do the servers automatically increase the bit number
if a client rejects a handshake?

Bye,
Tassilo

Re: gnutls.c warning

[J. David Boyd]

"Herbert J. Skuhra" <hskuhra@eumx.net> writes:

> On Tue, 25 Jun 2013 15:07:08 -0400
> david@adboyd.com (J. David Boyd) wrote:
>
>> 
>> I keep getting this warning, and can't find any way to turn it off.
>> 
>> gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
>> has been lowered to 256 bits and this may allow decryption of the session data
>>  
>> Is there some setting to say ok, I understand, quit nagging me?
>
> After setting gnutls-min-prime-bits to 1024 I no longer get this
> warning.

Huh, I'll try that, thanks.

Dave

Re: gnutls.c warning

[J. David Boyd]

david@adboyd.com (J. David Boyd) writes:

> "Herbert J. Skuhra" <hskuhra@eumx.net> writes:
>
>> On Tue, 25 Jun 2013 15:07:08 -0400
>> david@adboyd.com (J. David Boyd) wrote:
>>
>>> 
>>> I keep getting this warning, and can't find any way to turn it off.
>>> 
>>> gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
>>> has been lowered to 256 bits and this may allow decryption of the session data
>>>  
>>> Is there some setting to say ok, I understand, quit nagging me?
>>
>> After setting gnutls-min-prime-bits to 1024 I no longer get this
>> warning.
>
> Huh, I'll try that, thanks.
>
> Dave

And it seems to work just fine.   Thanks again.

Re: gnutls.c warning

[Ted Zlatanov]

On Wed, 26 Jun 2013 08:25:38 +0200 Tassilo Horn <tsdh@gnu.org> wrote: 

TH> "Herbert J. Skuhra" <hskuhra@eumx.net> writes:
>>> I keep getting this warning, and can't find any way to turn it off.
>>> 
>>> gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
>>> has been lowered to 256 bits and this may allow decryption of the session data

TH> Ditto.

This is not coming from Emacs, actually.  Shutting it up requires
lowering the gnutls.el verbosity level altogether.  But the warning is
very important and should not be ignored.

>>> Is there some setting to say ok, I understand, quit nagging me?
>> 
>> After setting gnutls-min-prime-bits to 1024 I no longer get this
>> warning.

TH> ,----[ C-h v gnutls-min-prime-bits RET ]
TH> | gnutls-min-prime-bits is a variable defined in `gnutls.el'.
TH> | Its value is 1024
TH> | Original value was 256
TH> | 
TH> | Documentation:
TH> | Minimum number of prime bits accepted by GnuTLS for key exchange.
TH> | During a Diffie-Hellman handshake, if the server sends a prime
TH> | number with fewer than this number of bits, the handshake is
TH> | rejected.  (The smaller the prime number, the less secure the
TH> | key exchange is against man-in-the-middle attacks.)
TH> | 
TH> | A value of nil says to use the default GnuTLS value.
TH> `----

TH> Hm, what happens if the value is higher than what the server wants to
TH> provide?  Connection error (fine)?  Drop to an insecured connection
TH> (please no!)?  Or do the servers automatically increase the bit number
TH> if a client rejects a handshake?

(The below is AFAIK and please forgive any inaccuracies.)

We rely on GnuTLS to DTRT.  The DH handshake does not affect the
security of the session after it's established, so it would not create
an insecure connection.  Its only purpose is to shake hands and exchange
identities.

When the client (Emacs) and the server negotiate to 1024, for instance,
everything is kosher.  They will try for the highest number.  For GMail,
for instance, I never get the warning you saw.  So maybe this is a
problem with a specific TLS implementation?  I don't know, sorry.

We had plenty of discussion about this.  Lowering the minimum to 256 is
actually very strongly discouraged but many Emacs users asked for it and
I feel the warning is a viable compromise.

Ted

Re: gnutls.c warning

[Herbert J. Skuhra]

On Thu, 27 Jun 2013 13:43:34 -0400
Ted Zlatanov <tzz@lifelogs.com> wrote:

> On Wed, 26 Jun 2013 08:25:38 +0200 Tassilo Horn <tsdh@gnu.org> wrote: 
> 
> TH> "Herbert J. Skuhra" <hskuhra@eumx.net> writes:
> >>> I keep getting this warning, and can't find any way to turn it off.
> >>> 
> >>> gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
> >>> has been lowered to 256 bits and this may allow decryption of the session data
> 
> TH> Ditto.
> 
> This is not coming from Emacs, actually.  Shutting it up requires
> lowering the gnutls.el verbosity level altogether.  But the warning is
> very important and should not be ignored.
> 
> >>> Is there some setting to say ok, I understand, quit nagging me?
> >> 
> >> After setting gnutls-min-prime-bits to 1024 I no longer get this
> >> warning.
> 
> TH> ,----[ C-h v gnutls-min-prime-bits RET ]
> TH> | gnutls-min-prime-bits is a variable defined in `gnutls.el'.
> TH> | Its value is 1024
> TH> | Original value was 256
> TH> | 
> TH> | Documentation:
> TH> | Minimum number of prime bits accepted by GnuTLS for key exchange.
> TH> | During a Diffie-Hellman handshake, if the server sends a prime
> TH> | number with fewer than this number of bits, the handshake is
> TH> | rejected.  (The smaller the prime number, the less secure the
> TH> | key exchange is against man-in-the-middle attacks.)
> TH> | 
> TH> | A value of nil says to use the default GnuTLS value.
> TH> `----
> 
> TH> Hm, what happens if the value is higher than what the server wants to
> TH> provide?  Connection error (fine)?  Drop to an insecured connection
> TH> (please no!)?  Or do the servers automatically increase the bit number
> TH> if a client rejects a handshake?
> 
> (The below is AFAIK and please forgive any inaccuracies.)
> 
> We rely on GnuTLS to DTRT.  The DH handshake does not affect the
> security of the session after it's established, so it would not create
> an insecure connection.  Its only purpose is to shake hands and exchange
> identities.
> 
> When the client (Emacs) and the server negotiate to 1024, for instance,
> everything is kosher.  They will try for the highest number.

Will they?

With gnutls-min-prime-bits = 256:

gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
has been lowered to 256 bits and this may allow decryption of the session data

With gnutls-min-prime-bits = 512:

gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
has been lowered to 512 bits and this may allow decryption of the session data
 
The warning is gone if value is >= 768 or nil.

-- 
Herbert

Re: gnutls.c warning

[Tassilo Horn]

"Herbert J. Skuhra" <hskuhra@eumx.net> writes:

>> When the client (Emacs) and the server negotiate to 1024, for
>> instance, everything is kosher.  They will try for the highest
>> number.
>
> Will they?
>
> With gnutls-min-prime-bits = 256:
>
> gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
> has been lowered to 256 bits and this may allow decryption of the session data
>
> With gnutls-min-prime-bits = 512:
>
> gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
> has been lowered to 512 bits and this may allow decryption of the session data
>  
> The warning is gone if value is >= 768 or nil.

Same here, so it looks like it's the other way round: they seem to
negotiate the lowest number of prime bits the client is willing to
accept.  Or well, possibly servers can be configured to do it that way,
cause I think I got that warning not with all IMAP servers I'm using.

Bye,
Tassilo

Re: gnutls.c warning

[Ted Zlatanov]

On Fri, 28 Jun 2013 14:39:26 +0200 Tassilo Horn <tsdh@gnu.org> wrote: 

TH> "Herbert J. Skuhra" <hskuhra@eumx.net> writes:
>>> When the client (Emacs) and the server negotiate to 1024, for
>>> instance, everything is kosher.  They will try for the highest
>>> number.
>> 
>> Will they?
>> 
>> With gnutls-min-prime-bits = 256:
>> 
>> gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
>> has been lowered to 256 bits and this may allow decryption of the session data
>> 
>> With gnutls-min-prime-bits = 512:
>> 
>> gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
>> has been lowered to 512 bits and this may allow decryption of the session data
>> 
>> The warning is gone if value is >= 768 or nil.

TH> Same here, so it looks like it's the other way round: they seem to
TH> negotiate the lowest number of prime bits the client is willing to
TH> accept.  Or well, possibly servers can be configured to do it that way,
TH> cause I think I got that warning not with all IMAP servers I'm using.

gnutls.el patch that introduces the setting:
http://lists.gnu.org/archive/html/bug-gnu-emacs/2011-07/msg00657.html

I can't find a clear explanation of what this parameter means in the
negotiation, and in GnuTLS 3.1.7 the function `gnutls_dh_set_prime_bits'
is actually deprecated.  The clearest explanation is in the
documentation for `gnutls_dh_set_prime_bits':
http://www.gnutls.org/manual/gnutls.html#index-gnutls_005fdh_005fset_005fprime_005fbits

"This function sets the number of bits, for use in a Diffie-Hellman key
exchange. This is used both in DH ephemeral and DH anonymous cipher
suites. This will set the minimum size of the prime that will be used
for the handshake.

In the client side it sets the minimum accepted number of bits. If a
server sends a prime with less bits than that
GNUTLS_E_DH_PRIME_UNACCEPTABLE will be returned by the handshake.

Note that values lower than 512 bits may allow decryption of the
exchanged data."

So I can't say for sure, but I think the answer is "it depends on the
server" rather than "they negotiate the lowest/highest/etc number of
bits."  I would suggest asking on the GnuTLS mailing list to get a
definitive answer.

HTH
Ted

Re: gnutls.c warning

[Ted Zlatanov]

On Fri, 28 Jun 2013 10:22:15 -0400 Ted Zlatanov <tzz@lifelogs.com> wrote: 

TZ> So I can't say for sure, but I think the answer is "it depends on the
TZ> server" rather than "they negotiate the lowest/highest/etc number of
TZ> bits."  I would suggest asking on the GnuTLS mailing list to get a
TZ> definitive answer.

I've asked on the GnuTLS user mailing list.

Ted