From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED!not-for-mail
From: Jimmy Yuen Ho Wong <wyuenho@gmail.com>
Newsgroups: gmane.emacs.bugs
Subject: bug#31946: 27.0.50; The NSM should warn about more TLS problems
Date: Thu, 28 Jun 2018 19:15:48 +0100
Message-ID: <CAKDRQS71J_bPMnSB77nPx_fYzAfgwqTVgNuCALBB3zVy_xv9JA@mail.gmail.com>
References: <m3vaa9aius.fsf@gnus.org> <87fu1apchn.fsf@gmail.com>
	<m3tvppq4mx.fsf@gnus.org> <83in65r4n9.fsf@gnu.org>
	<87y3f1njku.fsf@gmail.com>
	<CAKDRQS4MnAJfwxtQoss5vFikpwyzt-7tG3Ghkc+whSdsP9C2cA@mail.gmail.com>
	<87tvpnojgt.fsf@gmail.com>
	<CAKDRQS59U_itWd7E4FNi4g_QGp5qWWciqOS0-yd26Z-AkK6jZA@mail.gmail.com>
	<m3lgayhop3.fsf@gnus.org>
	<CAKDRQS5KOq7RsL1jfJvHk7apKQ3noscfK1r74A7pVQXcFErUxw@mail.gmail.com>
	<m3h8lmhmlf.fsf@gnus.org>
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
X-Trace: blaine.gmane.org 1530209728 1981 195.159.176.226 (28 Jun 2018 18:15:28 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Thu, 28 Jun 2018 18:15:28 +0000 (UTC)
Cc: 31946@debbugs.gnu.org, Noam Postavsky <npostavs@gmail.com>
To: Lars Ingebrigtsen <larsi@gnus.org>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Thu Jun 28 20:15:24 2018
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by blaine.gmane.org with esmtp (Exim 4.84_2)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1fYbRz-0000Nf-0v
	for geb-bug-gnu-emacs@m.gmane.org; Thu, 28 Jun 2018 20:15:23 +0200
Original-Received: from localhost ([::1]:37913 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1fYbU4-0004Jy-RF
	for geb-bug-gnu-emacs@m.gmane.org; Thu, 28 Jun 2018 14:17:34 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:41573)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1fYbTe-0004FC-W7
	for bug-gnu-emacs@gnu.org; Thu, 28 Jun 2018 14:17:10 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1fYbTa-0002OH-TA
	for bug-gnu-emacs@gnu.org; Thu, 28 Jun 2018 14:17:06 -0400
Original-Received: from debbugs.gnu.org ([208.118.235.43]:59163)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1fYbTa-0002Nb-Po
	for bug-gnu-emacs@gnu.org; Thu, 28 Jun 2018 14:17:02 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1fYbTa-000740-CR
	for bug-gnu-emacs@gnu.org; Thu, 28 Jun 2018 14:17:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Jimmy Yuen Ho Wong <wyuenho@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Thu, 28 Jun 2018 18:17:02 +0000
Resent-Message-ID: <handler.31946.B31946.153020978327103@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 31946
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
Original-Received: via spool by 31946-submit@debbugs.gnu.org id=B31946.153020978327103
	(code B ref 31946); Thu, 28 Jun 2018 18:17:02 +0000
Original-Received: (at 31946) by debbugs.gnu.org; 28 Jun 2018 18:16:23 +0000
Original-Received: from localhost ([127.0.0.1]:38827 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1fYbSt-000731-1R
	for submit@debbugs.gnu.org; Thu, 28 Jun 2018 14:16:23 -0400
Original-Received: from mail-io0-f175.google.com ([209.85.223.175]:36771)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <wyuenho@gmail.com>) id 1fYbSo-00072k-Jo
	for 31946@debbugs.gnu.org; Thu, 28 Jun 2018 14:16:18 -0400
Original-Received: by mail-io0-f175.google.com with SMTP id k3-v6so6116591iog.3
	for <31946@debbugs.gnu.org>; Thu, 28 Jun 2018 11:16:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; 
	h=mime-version:in-reply-to:references:from:date:message-id:subject:to
	:cc; bh=4ctkey27cRJ1ysmSiLuD/YEAGfryVYFX5kGC0rybmd0=;
	b=aUxmxL5zMRlEoKtrXatbBKIp5OOf4LTTHwhoy7pSv8eUzPOfypKJClXKgW5y6+I9dh
	WrMKg+njfBVUkJyFDC8Ta5oMRcnt3fesE3JONrpeydLCXEkC95V2zuuqqGXCEC3rdbuk
	ijClCL/oE98e+aDS0rVmgnu/eL6GyGu2X/NWd3frYK77lQthCAtG2+iZ5WL5qZd3Agel
	3VLRz17DbGHgnoPMKAsIc0HVCCadUgo3uSpOPFWH/UkT7i3GcSp8Yj94eLPN1MsQr1eO
	gK4NbLAdNg0xpdFzEPfzP2eE1gXPWGtZWfseCj7pyLr0kg/My+Gs2IVomhAKoqOMjLA/
	AAYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:in-reply-to:references:from:date
	:message-id:subject:to:cc;
	bh=4ctkey27cRJ1ysmSiLuD/YEAGfryVYFX5kGC0rybmd0=;
	b=n/fq6FeYHqbxCLGgfx/s1l2jukjs/MS2h6tIJAyjQxexStkygTwiXkdHSYOX+qVo3E
	U7cHJZd9NgcNd47BIdILjk9XcS4QE7OzZxwO7aLtHFtaWLBGN243hl4CFYWOZaA4bEvL
	FG10EbRj6a5pmlSkLeb0U0aROFKdZdDYuWH4KjgTjTuXKR4rmgKoZ06pEDVIQOhp+kaV
	6TZJF5rZbCJmx3PO0vzeh6zq0MuqEi3r8+WSMYzzUquQux5kNYkQkVOCyG0TLyjigTxo
	oOw45tsWKWCvjXxS7R46UtRNQmb3QYbPt8DHNyGKD9JpSrv2kvN+FZ4x+KUCQfdSA3vZ
	i7BA==
X-Gm-Message-State: APt69E2UF/Ze99fctF6fPR2noGzhAUoJDFp+QJEip8o5Gvr4PCijAWxf
	gtHiDqkU1W/7h9njZ1hgAIRNQxwfMpIqxoCUZXU=
X-Google-Smtp-Source: AAOMgpd3gDf7a5Rn7qQONz7iRHS+lwcHFwjEL6jg5d+ZTKXpeInbpTO5n3+OucCiOna6yHiggM9P4POHvn7J4CvI4oQ=
X-Received: by 2002:a6b:2095:: with SMTP id
	g143-v6mr9205030iog.167.1530209769045; 
	Thu, 28 Jun 2018 11:16:09 -0700 (PDT)
Original-Received: by 2002:a02:985d:0:0:0:0:0 with HTTP; Thu, 28 Jun 2018 11:15:48
	-0700 (PDT)
In-Reply-To: <m3h8lmhmlf.fsf@gnus.org>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 208.118.235.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs/>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: "bug-gnu-emacs"
	<bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.bugs:147918
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/147918>

The Telemetry data[1] from Mozilla in bug report 1227519[2] suggests
DHE usage is very low for HTTP. No data for any other protocol.

I just used Wireshark on Chrome and Firefox on macOS, they all seem to
advertise DH and DHE cipher suites in Client Hello for TLS 1.2, they
even advertise CBC mode ciphers too. While I'm not sure about Firefox,
surely Chrome has removed DHE_SHA KX and CBC modes according to
ChromeStatus[3]?


[1]: https://tlscanary.mozilla.org/runs/2018-01-25-01-21-44/
[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=1227519
[3]: https://www.chromestatus.com/features#tls

On Thu, Jun 28, 2018 at 6:01 PM, Lars Ingebrigtsen <larsi@gnus.org> wrote:
> Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes:
>
>>> I can't see that that web page mentions Diffie-Hellman at all?
>>>
>>
>> Click on the individual browsers.
>
> I see.
>
>> SSLLabs only reports that Firefox 59 / Win 7 has dropped support for
>> DHE_RSA in the UA capabilities page[1], but client test[2] still shows
>> it is supported, so does Chrome and Safari. I don't understand what's
>> going on there. Could that list in in client test be static? Or that
>> browsers still advertise their support for DHE_RSA when in fact they
>> don't? Might have to get on a server and log out the TLS handshake to
>> see what's actually going on...
>>
>> [1]: https://www.ssllabs.com/ssltest/clients.html
>> [2]: https://www.ssllabs.com/ssltest/viewMyClient.html
>
> My
>
> Chromium        66.0.3359.117 (Developer Build) built on Debian 9.4,
> running on Debian 9.4 (64-bit)
>
> on the viewMyClient reports not supporting DHE-RSA.
>
> Confusing.  :-)
>
> I tried finding a web site that says how many sites do not support ECDHE
> as key exchange, and only found something from 2014 that says that was
> 60%...
>
> --
> (domestic pets only, the antidote for overdose, milk.)
>    bloggy blog: http://lars.ingebrigtsen.no