bug-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-He

From: n . mavrogiannopoulos
Subject: Re: bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
Date: Fri, 18 May 2012 04:38:01 -0700 (PDT)
User-agent: G2/1.0 
On Tuesday, May 15, 2012 10:24:56 AM UTC+2, Ted Zlatanov wrote:
> On Sun, 13 May 2012 21:04:24 +0200 Lars Magne Ingebrigtsen <larsi@gnus.org> 
> wrote: 
> 
> LMI> "Roland Winkler" <winkler@gnu.org> writes:
> >> Also, it would be good (though I don't know whether a generic answer
> >> is possible) to give some guidance on "reasonable" values for
> >> `gnutls-min-prime-bits' as compared to cases where it would be
> >> better to contact the sysadmin of the server requesting a change in
> >> the setup of the server.
> 
> LMI> Yeah.  And I think `gnutls-min-prime-bits' should default to whatever
> LMI> that "reasonable" is, because there's apparently quite a few servers out
> LMI> there that has less bits than whatever the GnuTLS default is.  Which
> LMI> isn't a very good user experience.
> 
> I'm OK with lowering it to 256.

Note that Diffie-Hellman group of 256-bits means that the communication can be
decrypted by someone that stored the session. The default minimum accepted 
value in gnutls is already weak according to [0] (727 bits) but a good balance 
between security and compatibility. (other implementations like NSS have 
similar limits).

If you need to support weaker servers you could warn your users of the 
consequences.

[0]. http://www.keylength.com/en/3/

regards,
Nikos
reply via email to
[Prev in Thread] Current Thread [Next in Thread]