[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A couple of questions and concerns about Emacs network security

From: Lars Ingebrigtsen
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sun, 08 Jul 2018 19:47:35 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

Jimmy Yuen Ho Wong <address@hidden> writes:

> No we don't let GnuTLS always establish the connection. We don't set
> the priority string to the lowest level possible, i.e. "LEGACY". Are
> you suggesting you want to do that?

That's my preference, but others don't agree.  And it's basically a moot
point, since there are virtually no (legitimate real-world) connections
that fall between the nil and "LEGACY" settings of

> Setting `gnutls-min-prime-bits` to 256 as the standard value suggests
> to me that Emacs' network security level is so relaxed that a TLS
> connection with a DH prime 256-bits should go through, but in reality
> NSM still warns. This yet again contradicts the intention of the
> standard value. If the intention is to warn about prime-bit < 1024
> bits, `gnutls-min-prime-bits` should not be 256, otherwise NSM should
> not warn.
> Just switch it back to `nil` and let GnuTLS do the right thing
> according to the priority string for crying out loud. This also has no
> adverse effect.

I don't understand what you're saying here.  We've chosen 256 since
that's the way to say "don't stop any connections on the gnutls level
because of this stuff".  nil currently means 1008 bits, if I read the
docs right.

(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

reply via email to

[Prev in Thread] Current Thread [Next in Thread]