Gnus development mailing list
* Diffie-Hellman key exchange has been lowered to 256 bits
@ 2014-06-21 11:44 James Cloos
  2014-06-22  8:35 ` Melleus
  2015-01-28  5:18 ` Lars Ingebrigtsen
  0 siblings, 2 replies; 7+ messages in thread
From: James Cloos @ 2014-06-21 11:44 UTC (permalink / raw)
  To: ding

I've been getting this message on my deb box for a few days now:

,----
| gnutls.c: [1] Note that the security level of the Diffie-Hellman key
| exchange has been lowered to 256 bits and this may allow decryption of
| the session data
`----

It occurs for both nntp starttls and imaps connections.

That box runs sid and emacs24-nox, which uses libgnutls-deb0-28
(currently 3.2.15-2).

Using gnutls-cli directly, with either --tofu or --insecure to
connect to news.gmane.org (also with --starttls) results in:

,----
| - Description: (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
| - Session ID: E9:A4:91:94:AF:F0:B0:0E:EB:E1:55:BD:80:8F:A5:63:88:FC:38:96:3F:75:1E:63:2B:18:F4:F1:11:D6:98:E0
| - Version: TLS1.0
| - Key Exchange: RSA
| - Cipher: AES-128-CBC
| - MAC: SHA1
| - Compression: NULL
`----

and no error.

gnutls-cli -p imaps imap.gmail.com also works well, generating:

,----
| - Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
| - Session ID: 5A:B8:70:F0:43:3D:25:EF:9D:F2:2D:9A:73:5C:CB:6E:DE:45:01:0C:71:E3:D6:F6:B3:C0:B9:47:5A:E2:E4:A4
| - Ephemeral EC Diffie-Hellman parameters
|  - Using curve: SECP256R1
|  - Curve size: 256 bits
| - Version: TLS1.2
| - Key Exchange: ECDHE-RSA
| - Server Signature: RSA-SHA256
| - Cipher: AES-128-GCM
| - MAC: AEAD
| - Compression: NULL
`----

So I cannot see why gnus' usage triggers that warning from gnutls.

-JimC
-- 
James Cloos <cloos@jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6

* Re: Diffie-Hellman key exchange has been lowered to 256 bits
  2014-06-21 11:44 Diffie-Hellman key exchange has been lowered to 256 bits James Cloos
@ 2014-06-22  8:35 ` Melleus
  2014-06-22 14:33   ` James Cloos
  2015-01-28  5:18 ` Lars Ingebrigtsen
  1 sibling, 1 reply; 7+ messages in thread
From: Melleus @ 2014-06-22  8:35 UTC (permalink / raw)
  To: ding

Emacs' gnutls security defaults have been changed. 
Try to add:

(setq gnutls-min-prime-bits nil)

to your .emacs somewhere.

* Re: Diffie-Hellman key exchange has been lowered to 256 bits
  2014-06-22  8:35 ` Melleus
@ 2014-06-22 14:33   ` James Cloos
  2014-09-24 20:55     ` Ted Zlatanov
  0 siblings, 1 reply; 7+ messages in thread
From: James Cloos @ 2014-06-22 14:33 UTC (permalink / raw)
  To: Melleus; +Cc: ding

>>>>> "M" == Melleus  <melleus@openmailbox.org> writes:

M> Emacs' gnutls security defaults have been changed. 

With the default of 256 for gnutls-min-prime-bits, it shouldn't complain
about ecdh with SECP256R1.  The fact that it does implies that the logic
around that variable is wrong.

It also shouldn't complain when the remote site, such as gmane, doesn't
offer ecdh.

But thanks; forcing it to nil does avoid the message.

-JimC
-- 
James Cloos <cloos@jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6

* Re: Diffie-Hellman key exchange has been lowered to 256 bits
  2014-06-22 14:33   ` James Cloos
@ 2014-09-24 20:55     ` Ted Zlatanov
  0 siblings, 0 replies; 7+ messages in thread
From: Ted Zlatanov @ 2014-09-24 20:55 UTC (permalink / raw)
  To: ding

On Sun, 22 Jun 2014 14:33:49 +0000 James Cloos <cloos@jhcloos.com> wrote: 

>>>>>> "M" == Melleus  <melleus@openmailbox.org> writes:
M> Emacs' gnutls security defaults have been changed. 

JC> With the default of 256 for gnutls-min-prime-bits, it shouldn't complain
JC> about ecdh with SECP256R1.  The fact that it does implies that the logic
JC> around that variable is wrong.

There is no logic, just a default. We had to pick a default value that
wouldn't break too many users and encourage people to increase it.

JC> It also shouldn't complain when the remote site, such as gmane, doesn't
JC> offer ecdh.

I think it should, since IIUC (but I'm not an expert) EC-DH eliminates
the need for `gnutls-min-prime-bits' altogether.

Ted

* Re: Diffie-Hellman key exchange has been lowered to 256 bits
  2014-06-21 11:44 Diffie-Hellman key exchange has been lowered to 256 bits James Cloos
  2014-06-22  8:35 ` Melleus
@ 2015-01-28  5:18 ` Lars Ingebrigtsen
  2015-01-28 12:32   ` Greg Troxel
  1 sibling, 1 reply; 7+ messages in thread
From: Lars Ingebrigtsen @ 2015-01-28  5:18 UTC (permalink / raw)
  To: James Cloos; +Cc: ding

James Cloos <cloos@jhcloos.com> writes:

> I've been getting this message on my deb box for a few days now:
>
> ,----
> | gnutls.c: [1] Note that the security level of the Diffie-Hellman key
> | exchange has been lowered to 256 bits and this may allow decryption of
> | the session data
> `----
>
> It occurs for both nntp starttls and imaps connections.
>
> That box runs sid and emacs24-nox, which uses libgnutls-deb0-28
> (currently 3.2.15-2).

Is this a new warning libgnutls outputs now?  If so, we should filter it
out on the Emacs side.

-- 
(domestic pets only, the antidote for overdose, milk.)
  bloggy blog http://lars.ingebrigtsen.no/

* Re: Diffie-Hellman key exchange has been lowered to 256 bits
  2015-01-28  5:18 ` Lars Ingebrigtsen
@ 2015-01-28 12:32   ` Greg Troxel
  2015-01-29  1:39     ` Lars Ingebrigtsen
  0 siblings, 1 reply; 7+ messages in thread
From: Greg Troxel @ 2015-01-28 12:32 UTC (permalink / raw)
  To: Lars Ingebrigtsen; +Cc: James Cloos, ding

Lars Ingebrigtsen <larsi@gnus.org> writes:

> James Cloos <cloos@jhcloos.com> writes:
>
>> I've been getting this message on my deb box for a few days now:
>>
>> ,----
>> | gnutls.c: [1] Note that the security level of the Diffie-Hellman key
>> | exchange has been lowered to 256 bits and this may allow decryption of
>> | the session data
>> `----
>>
>> It occurs for both nntp starttls and imaps connections.
>>
>> That box runs sid and emacs24-nox, which uses libgnutls-deb0-28
>> (currently 3.2.15-2).
>
> Is this a new warning libgnutls outputs now?  If so, we should filter it
> out on the Emacs side.

No, the problem should be fixed.  256-bit DH does not make any sense.

* Re: Diffie-Hellman key exchange has been lowered to 256 bits
  2015-01-28 12:32   ` Greg Troxel
@ 2015-01-29  1:39     ` Lars Ingebrigtsen
  0 siblings, 0 replies; 7+ messages in thread
From: Lars Ingebrigtsen @ 2015-01-29  1:39 UTC (permalink / raw)
  To: Greg Troxel; +Cc: James Cloos, ding

Greg Troxel <gdt@lexort.com> writes:

> No, the problem should be fixed.  256-bit DH does not make any sense.

It will use as many DH bits as the server allows.  If the server only
uses 256-bit Diffie-Hellman, the connection is essently unencrypted,
and you may choose not to talk to the server, or you may choose to talk to
the server anyway.  That's up to the user.

So there is no problem to be fixed.

(The network security manager (on "high") will warn about DH lower than
1024, though.)

-- 
(domestic pets only, the antidote for overdose, milk.)
  bloggy blog http://lars.ingebrigtsen.no/
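The thread turns on one number: the bit length of the Diffie-Hellman prime the server picks, which Emacs compares against `gnutls-min-prime-bits` (default 256 at the time) and which the network security manager on "high" flags below 1024. The following is an added example, not code from this thread, from Emacs or from GnuTLS: it decodes the ServerDHParams structure that a TLS 1.0-1.2 server sends in its ServerKeyExchange message (length-prefixed p, g and Ys), measures the prime, and rates it against those two thresholds. The sample moduli are constructed here to have a given bit length only; they are not checked for primality, and the policy function and its names are this example's own, not the Emacs logic.

```python
"""Decode DHE ServerKeyExchange parameters and rate the prime size.

Added example; not code from the Gnus thread, Emacs or GnuTLS.
"""
import struct
from dataclasses import dataclass

# Thresholds quoted in the thread: Emacs' gnutls-min-prime-bits defaulted to
# 256, and the network security manager on "high" warns about DH below 1024.
EMACS_MIN_PRIME_BITS_DEFAULT = 256
NSM_HIGH_MIN_DH_BITS = 1024


@dataclass(frozen=True)
class DHParams:
    """dh_p, dh_g, dh_Ys as carried in ServerDHParams (RFC 5246 7.4.3)."""
    p: int
    g: int
    ys: int

    @property
    def prime_bits(self) -> int:
        return self.p.bit_length()


def _read_vector(buf: bytes, off: int):
    """Read one opaque<1..2^16-1> vector (2-byte big-endian length prefix)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("empty or truncated vector body")
    return buf[off:off + n], off + n


def parse_server_dh_params(body: bytes) -> DHParams:
    """Parse p, g, Ys from the start of a DHE ServerKeyExchange body.

    For DHE_RSA a signature follows the parameters; it is not inspected here,
    so this only tells you how strong the key exchange would be, not whether
    the parameters are authentic.
    """
    p_raw, off = _read_vector(body, 0)
    g_raw, off = _read_vector(body, off)
    ys_raw, off = _read_vector(body, off)
    p = int.from_bytes(p_raw, "big")
    g = int.from_bytes(g_raw, "big")
    ys = int.from_bytes(ys_raw, "big")
    if not (1 < g < p) or not (1 < ys < p):
        raise ValueError("generator or public value out of range")
    return DHParams(p, g, ys)


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of parse_server_dh_params; used to build the constructed samples."""
    def vec(x: int) -> bytes:
        raw = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
        return struct.pack("!H", len(raw)) + raw
    return vec(p) + vec(g) + vec(ys)


def rate_dh(params: DHParams, min_prime_bits: int = EMACS_MIN_PRIME_BITS_DEFAULT) -> str:
    """'reject' below the configured minimum, 'warn' below the NSM 'high'
    threshold, otherwise 'ok'.  Hypothetical policy, not Emacs' own code."""
    bits = params.prime_bits
    if bits < min_prime_bits:
        return "reject"
    if bits < NSM_HIGH_MIN_DH_BITS:
        return "warn"
    return "ok"


def rate_wire(body: bytes, min_prime_bits: int = EMACS_MIN_PRIME_BITS_DEFAULT) -> str:
    """Convenience wrapper: rate a raw ServerKeyExchange body."""
    return rate_dh(parse_server_dh_params(body), min_prime_bits)


# Constructed moduli with exact bit lengths (top bit set, odd); not primes.
SAMPLE_MODULI = {
    "128-bit": (1 << 127) | 1,
    "256-bit": (1 << 255) | 1,
    "1024-bit": (1 << 1023) | 1,
    "2048-bit": (1 << 2047) | 1,
}


def rate_samples(min_prime_bits: int = EMACS_MIN_PRIME_BITS_DEFAULT) -> dict:
    """Rate every constructed sample under the given minimum."""
    out = {}
    for name, p in SAMPLE_MODULI.items():
        body = encode_server_dh_params(p, 2, 5)
        out[name] = rate_wire(body, min_prime_bits)
    return out


if __name__ == "__main__":
    for label, verdict in rate_samples().items():
        print(f"{label}: {verdict}")
```

With the thread's default of 256 the 256-bit sample is merely a "warn", which is exactly Lars' point that the client accepts whatever the server offers and only the security manager complains; raising the minimum to 1024, as Greg argues it should be, turns the same handshake into a rejection. The parser is also a reasonable place to catch a malformed ServerKeyExchange (truncated vectors, Ys outside the group) before any key is derived.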