From: Ted Zlatanov
Subject: bug#15057: bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
Date: Tue, 11 Feb 2014 09:21:58 -0500
User-agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)
On Mon, 10 Feb 2014 21:09:25 -0800 Lars Ingebrigtsen <larsi@gnus.org> wrote:
LI> (Emacs, being Emacs, might offer as an option a way to restrict all TLS
LI> connections to a smaller set of algorithms/levels, but that should not
LI> be the default.)
I think it should, as long as we make it easy to drop down the security,
as I described:
>> * how to try allowing the less-secure connection (perhaps a simple
>> command to automate this, or even a clickable button, would be nicer
>> than asking the user to `customize-variable'). The original discussion
>> sort of settled on magically reopening the connection with less security
>> but I think that might be a disservice to the users.
LI> We would always try to get the most secure TLS connection possible, so I
LI> don't quite understand "reconnect"...
So my proposal is simply to provide two buttons "allow host X to connect
with lower DHE security [temporarily] [permanently]" and when the button
is clicked, customize `gnutls-algorithm-priority' to allow DHE to that
specific host.
`gnutls-negotiate' has to be changed slightly and the connection
rejection from insecure hosts will need to be handled in gnutls.c and
gnutls.el.
I think that's as seamless as we can make it, especially noting that
`gnutls-min-prime-bits' is deprecated since GnuTLS 3.1.7 (see
http://www.gnutls.org/manual/gnutls.html#index-gnutls_005fdh_005fset_005fprime_005fbits).
If we provide that simple UI, plus some help messaging, I think we can
disable DHE by default. Based on Nikos' explanation, it seems to be the
best way forward.
Ted
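The per-host override sketched in the message above, written out as an added Emacs Lisp illustration; it is not code from the bug thread or from Emacs's gnutls.el. `gnutls-algorithm-priority`, `gnutls-negotiate` (with its `:priority-string` keyword), `customize-save-variable` and `insert-button` are real Emacs names; everything prefixed `my-tls-` is a hypothetical name chosen for this example. The strict default takes GnuTLS's NORMAL set and removes the DHE key exchanges, so a server offering a short DH prime is refused unless the user has explicitly allowed that host, temporarily (session only) or permanently (saved through Customize).

```elisp
;; Added example, not part of the bug thread or of Emacs itself.
;; Names beginning with `my-tls-' are hypothetical; the gnutls.el and
;; Customize functions used here are the real Emacs APIs.
(require 'gnutls)
(require 'cl-lib)

(defcustom my-tls-dhe-allowed-hosts nil
  "Hosts permitted to negotiate DHE despite the stricter default.
Persisted with `customize-save-variable' when the user picks
\"permanently\"."
  :type '(repeat string)
  :group 'gnutls)

(defvar my-tls-dhe-session-hosts nil
  "Hosts allowed to use DHE for this Emacs session only (never saved).")

;; Secure default: GnuTLS's NORMAL set minus the DHE key exchanges, so a
;; short server-supplied DH prime can never be accepted silently.
(defconst my-tls-strict-priority "NORMAL:-DHE-RSA:-DHE-DSS"
  "Priority string used for hosts that have not been allow-listed.")

(defun my-tls-priority-for-host (host)
  "Return the GnuTLS priority string to use when connecting to HOST.
Allow-listed hosts get `gnutls-algorithm-priority' (NORMAL when that is
nil); every other host gets the DHE-free strict string."
  (if (or (member host my-tls-dhe-allowed-hosts)
          (member host my-tls-dhe-session-hosts))
      (or gnutls-algorithm-priority "NORMAL")
    my-tls-strict-priority))

(defun my-tls-allow-dhe (host permanently)
  "Allow HOST to connect with DHE.
With PERMANENTLY non-nil the choice is saved via Customize; otherwise it
is remembered only until Emacs exits."
  (if permanently
      (customize-save-variable
       'my-tls-dhe-allowed-hosts
       (cons host (delete host my-tls-dhe-allowed-hosts)))
    (cl-pushnew host my-tls-dhe-session-hosts :test #'equal))
  (message "DHE allowed for %s (%s)" host
           (if permanently "permanently" "this session only")))

(defun my-tls-offer-downgrade (host)
  "Insert the two buttons proposed in the thread into the current buffer.
Called after a handshake with HOST was rejected for a short DH prime."
  (insert (format "TLS handshake with %s rejected: DH prime too short.\n"
                  host))
  (insert-button "[Allow DHE temporarily]"
                 'action (lambda (_button) (my-tls-allow-dhe host nil)))
  (insert " ")
  (insert-button "[Allow DHE permanently]"
                 'action (lambda (_button) (my-tls-allow-dhe host t)))
  (insert "\n"))

;; Usage: the per-host string replaces the global one at negotiation time.
;; (gnutls-negotiate :process proc
;;                   :hostname host
;;                   :priority-string (my-tls-priority-for-host host))
```

The point of routing the decision through `my-tls-priority-for-host` is that the weaker setting is scoped to the one host the user approved; the global `gnutls-algorithm-priority` is never loosened, so an accepted exception for one server does not silently lower the bar for every other connection.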