From: Lars Ingebrigtsen
Newsgroups: gmane.emacs.devel
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sun, 08 Jul 2018 19:47:35 +0200
Message-ID: <87fu0tmxfs.fsf@mouse.gnus.org>
References: <83o9g2uhju.fsf@gnu.org> <20180705115826.73c1d95e@jabberwock.cb.piermont.com> <878t6lom8g.fsf@mouse.gnus.org> <87pnzxn4kw.fsf@mouse.gnus.org>
In-Reply-To: (Jimmy Yuen Ho Wong's message of "Sun, 8 Jul 2018 17:56:03 +0100")
To: Jimmy Yuen Ho Wong
Cc: Emacs-Devel devel
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)
Xref: news.gmane.org gmane.emacs.devel:227119

Jimmy Yuen Ho Wong writes:

> No, we don't let GnuTLS always establish the connection. We don't set
> the priority string to the lowest level possible, i.e. "LEGACY". Are
> you suggesting you want to do that?

That's my preference, but others don't agree. And it's basically a moot
point, since there are virtually no (legitimate real-world) connections
that fall between the nil and "LEGACY" settings of
`gnutls-algorithm-priority'.

> Setting `gnutls-min-prime-bits` to 256 as the standard value suggests
> to me that Emacs' network security level is so relaxed that a TLS
> connection with a DH prime of 256 bits should go through, but in reality
> NSM still warns. This yet again contradicts the intention of the
> standard value. If the intention is to warn about prime-bit < 1024
> bits, `gnutls-min-prime-bits` should not be 256, otherwise NSM should
> not warn.
>
> Just switch it back to `nil` and let GnuTLS do the right thing
> according to the priority string for crying out loud. This also has no
> adverse effect.

I don't understand what you're saying here. We've chosen 256 since
that's the way to say "don't stop any connections on the gnutls level
because of this stuff".

nil currently means 1008 bits, if I read the docs right.

-- 
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
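An added Emacs Lisp illustration of the two-layer distinction drawn in the message above: the GnuTLS-level floor set by `gnutls-min-prime-bits` (which decides whether a handshake completes at all) versus the NSM-level check that only warns. This is not code from the thread or from Emacs itself. The 1024-bit NSM warning threshold and the reading of nil as 1008 bits are taken from the message as stated there, not verified independently; the `my/` names, the `my/nsm-dh-warn-bits` constant and the sample status plists are constructed for the example.

```elisp
;; Added example (not from the thread, not Emacs's own NSM code).
;; `gnutls-min-prime-bits' is the real defcustom from gnutls.el; the
;; status plists below mimic the shape returned by `gnutls-peer-status',
;; of which only :diffie-hellman-prime-bits and :key-exchange are used.
(require 'gnutls)

(defconst my/nsm-dh-warn-bits 1024
  "Prime size below which, per the message, NSM warns (assumed constant name).")

(defun my/classify-dh-prime (status)
  "Classify a GnuTLS peer STATUS plist by its Diffie-Hellman prime size.
Returns one of `not-dh' (no DH prime in the handshake, e.g. ECDHE or
plain RSA), `rejected-by-gnutls' (below the GnuTLS floor, so the
connection never reaches NSM), `nsm-warns' (GnuTLS accepts it but NSM
would warn) or `ok'."
  (let ((bits (plist-get status :diffie-hellman-prime-bits))
        ;; The message reads nil as "1008 bits"; that reading is assumed here.
        (floor (or gnutls-min-prime-bits 1008)))
    (cond
     ((null bits) 'not-dh)
     ((< bits floor) 'rejected-by-gnutls)
     ((< bits my/nsm-dh-warn-bits) 'nsm-warns)
     (t 'ok))))

;; Constructed sample statuses, not captured from real peers.
(defconst my/sample-statuses
  '((:key-exchange "DHE-RSA" :diffie-hellman-prime-bits 512)
    (:key-exchange "DHE-RSA" :diffie-hellman-prime-bits 2048)
    (:key-exchange "ECDHE-RSA")))

(defun my/classify-samples ()
  "Classify the constructed samples under the current `gnutls-min-prime-bits'."
  (mapcar #'my/classify-dh-prime my/sample-statuses))

;; Usage: evaluate under each of the two settings discussed in the thread.
(let ((gnutls-min-prime-bits 256))
  (my/classify-samples))

(let ((gnutls-min-prime-bits nil))
  (my/classify-samples))
```

With `gnutls-min-prime-bits` bound to 256, the 512-bit sample classifies as `nsm-warns`: GnuTLS lets the handshake through and the decision is left to NSM, which is the behaviour the message describes as intended. With nil, under the message's reading of nil as 1008 bits, the same sample classifies as `rejected-by-gnutls` and NSM never sees it. The 2048-bit and ECDHE samples classify as `ok` and `not-dh` in both cases. To run the classifier against a live peer, pass `(gnutls-peer-status proc)` for a TLS process `proc` instead of a constructed plist.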