Re: Network Security Manager warns safe renegotiation is not supported
From: Amin Bandali
Subject: Re: Network Security Manager warns safe renegotiation is not supported
Date: Sun, 01 Sep 2019 12:37:10 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

Yuji Nakao <contact@yujinakao.com> writes:
> Hi, I tried to connect to https://elpa.gnu.org in eww Emacs 27.0.50, but
> Network Security Manager warned `TLS connection to elpa.gnu.org:433 is
> insecure for the following reason: * safe renegotiation is not
> supported, connection not protected from impersonators`, and showed
> `Continue connecting?` multiple choice prompt whether to accept the
> certificate.
>
> I guess this is caused by recently merged nsm.el, and
> after some investigation, the warning disappeared by setting
> (setq gnutls-algorithm-priority "NORMAL:-VERS-TLS1.3").
> Is this a right workaround for this issue?
>
I’m no security expert, but I don’t think that’s a good idea. Setting
`gnutls-algorithm-priority' to that value basically tells GnuTLS to skip
TLS1.3 altogether, which is the latest version of the TLS protocol.

The issue seems to be that nsm.el checks for renegotiation_info[1] for
TLS1.3 connections as well; but if I understand correctly, renegotiation
was removed from TLS1.3, according to [2] and [3]. I *think* the proper
way to fix this would be to have nsm *not* check for renegotiation-info-ext
for TLS1.3 connections. Please don’t take my word for this as, again,
I’m no security/GnuTLS expert. Hopefully others with more knowledge can
chime in to clarify.

Footnotes:
[1] See C-h f nsm-protocol-check--renegotiation-info-ext RET
[2] https://wiki.openssl.org/index.php/TLS1.3#Renegotiation
[3] https://www.cloudflare.com/learning-resources/tls-1-3/
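
The approach suggested in the message above, sketched as an added example (not part of the original message and not the change made in Emacs itself): an around-advice that skips the renegotiation check only when the peer status reports TLS1.3, leaving TLS1.3 enabled and the check active for older versions. The `my/` names are hypothetical; the example assumes the check function receives (HOST PORT STATUS ...) and that the status plist carries `:protocol` and `:safe-renegotiation` as returned by `gnutls-peer-status`.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example. Function names prefixed my/ are hypothetical.
(require 'cl-lib)

(defun my/tls13-status-p (status)
  "Return non-nil if STATUS, a `gnutls-peer-status' plist, reports TLS1.3."
  (equal (plist-get status :protocol) "TLS1.3"))

(defun my/skip-renegotiation-check-on-tls13 (orig-fn &rest args)
  "Around advice for `nsm-protocol-check--renegotiation-info-ext'.
ARGS is assumed to be (HOST PORT STATUS ...).  TLS1.3 has no
renegotiation, so return nil (no warning) for such connections;
otherwise defer to ORIG-FN so older protocol versions are still checked."
  (let ((status (nth 2 args)))
    (if (my/tls13-status-p status)
        nil
      (apply orig-fn args))))

;; Install the advice once nsm.el is loaded.  Unlike
;; "NORMAL:-VERS-TLS1.3", this keeps TLS1.3 available.
(with-eval-after-load 'nsm
  (advice-add 'nsm-protocol-check--renegotiation-info-ext
              :around #'my/skip-renegotiation-check-on-tls13))

;; Self-check on constructed status plists, using a stand-in for the
;; real check so this runs without a network connection.
(let ((tls13 '(:protocol "TLS1.3" :safe-renegotiation nil))
      (tls12-unsafe '(:protocol "TLS1.2" :safe-renegotiation nil))
      (tls12-safe '(:protocol "TLS1.2" :safe-renegotiation t))
      (stand-in (lambda (_host _port status &rest _)
                  (unless (plist-get status :safe-renegotiation)
                    "safe renegotiation is not supported"))))
  ;; TLS1.3: warning suppressed.
  (cl-assert (null (my/skip-renegotiation-check-on-tls13
                    stand-in "elpa.gnu.org" 443 tls13)))
  ;; TLS1.2 without the extension: warning still raised.
  (cl-assert (stringp (my/skip-renegotiation-check-on-tls13
                       stand-in "elpa.gnu.org" 443 tls12-unsafe)))
  ;; TLS1.2 with the extension: no warning.
  (cl-assert (null (my/skip-renegotiation-check-on-tls13
                    stand-in "elpa.gnu.org" 443 tls12-safe))))
```

The advice can be removed with `advice-remove` once the installed nsm.el no longer warns on TLS1.3 connections.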