Re: A couple of questions and concerns about Emacs network security
From: Robert Pluim
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Mon, 09 Jul 2018 18:35:45 +0200
Jimmy Yuen Ho Wong <address@hidden> writes:
>>
>> > Users aren't supposed to care about that variable, anyway, since the NSM
>> > warns about less than 1024 bits...
>>
>> Yes, but what if GnuTLS bumps the default to more than that? And even
>> if not, I think I might like to know how far below 1024 I'm going to
>> be if I allow the connection.
>
> I've surfaced the DH_PRIME_UNACCEPTABLE error from the handshake to
> the Lisp side here.
> https://github.com/wyuenho/emacs/commit/6c00758175b227338005533b27999435b33528d5
>
> I don't like this change too much. It's full of exceptions in the C
> code, and you still can't get the prime bits the server sent over,
> because gnutls_dh_get_prime_bits() only returns a prime bit if an
> actual DH key exchange was done. Since the handshake failed early as
> soon as the client found out the prime bits are too low, ciphers, mac
> and all the rest were not negotiated, so they are all NULL. You do at
> least get a warning that lets you know the prime bit is too low though,
> and you can still proceed with this connection, but it wouldn't be
> very useful. Since the handshake failed, the result will be a plain
> HTTP request to an HTTPS port, of which the server will typically
> return with an HTTP 400.
I'd much rather we hard fail the connection here than proceed without
TLS.
> Perhaps it's simply better to let the user know that they can (setq
> gnutls-log-level 1) to log out the actual GnuTLS error message (which
> is still just prime bits too low without specifying a number)
Yes, that sounds like a good idea.
Robert
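The thread above turns on two user-facing knobs: `gnutls-log-level`, which makes a failed handshake's reason visible, and the NSM's 1024-bit threshold for the Diffie-Hellman prime. The following is an added Emacs Lisp example written for this page; it is not code from the thread, from the linked commit, or from Emacs itself. It assumes only the documented `gnutls-peer-status` plist (which carries `:diffie-hellman-prime-bits` when a DH exchange actually took place) and `gnutls-log-level`; the `my-` functions and the status plist used for the offline check are constructed here.

```elisp
;; Added example (not from the thread or from Emacs): inspect the
;; Diffie-Hellman prime size GnuTLS negotiated for an Emacs TLS
;; connection, and turn on GnuTLS logging so that a handshake that
;; fails on "prime bits too low" shows its reason in *Messages*.

(require 'gnutls)

;; 0 (the default) is silent; 1 is enough to see why a handshake failed.
(setq gnutls-log-level 1)

(defun my-dh-prime-bits (status)
  "Return the DH prime size in bits from STATUS, a `gnutls-peer-status' plist.
Return nil when no DH exchange was done (for example with RSA or ECDHE
key exchange), because GnuTLS only reports a prime size after a real
DH exchange."
  (plist-get status :diffie-hellman-prime-bits))

(defun my-check-dh-prime-bits (status &optional minimum)
  "Classify the DH prime size in STATUS against MINIMUM bits.
MINIMUM defaults to 1024, the size the NSM warns below.  Return one of
the symbols `ok', `weak' or `no-dh'."
  (let ((bits (my-dh-prime-bits status))
        (minimum (or minimum 1024)))
    (cond ((null bits) 'no-dh)
          ((< bits minimum) 'weak)
          (t 'ok))))

(defun my-report-dh-prime-bits (proc)
  "Report the key exchange and DH prime size of live TLS process PROC."
  (let* ((status (gnutls-peer-status proc))
         (bits (my-dh-prime-bits status)))
    (message "%s: key exchange %s, DH prime %s"
             (process-name proc)
             (plist-get status :key-exchange)
             (if bits
                 (format "%d bits (%s)" bits (my-check-dh-prime-bits status))
               "n/a"))))

;; Offline check on a constructed status plist (hypothetical values,
;; not captured from any real server): a 768-bit DHE prime classifies
;; as `weak', an ECDHE status with no prime size as `no-dh'.
(my-check-dh-prime-bits
 '(:key-exchange "DHE-RSA" :diffie-hellman-prime-bits 768))
(my-check-dh-prime-bits
 '(:key-exchange "ECDHE-RSA"))
```

Against a live server, call `my-report-dh-prime-bits` on a process opened with `open-network-stream` and `:type 'tls`. Note the caveat the thread itself raises: if GnuTLS aborts the handshake because the prime is below `gnutls-min-prime-bits`, there is no negotiated state to inspect, so the only way to see the size problem is the GnuTLS log line, not `gnutls-peer-status`.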