Subject: Network Security Manager warns safe renegotiation is not supported
From: Yuji Nakao
Date: 2019-08-31 23:23 UTC
To: help-gnu-emacs

Hi,

I tried to connect to https://elpa.gnu.org in eww (Emacs 27.0.50), but Network Security Manager warned:

  TLS connection to elpa.gnu.org:433 is insecure for the following reason:
  * safe renegotiation is not supported, connection not protected from impersonators

and showed a `Continue connecting?` multiple-choice prompt asking whether to accept the certificate.

I guess this is caused by the recently merged nsm.el, and after some investigation the warning disappeared by setting

  (setq gnutls-algorithm-priority "NORMAL:-VERS-TLS1.3")

Is this the right workaround for this issue?

Thanks.
Yuji Nakao
From: Jude DaShiell
Date: 2019-09-01 15:38 UTC
To: Yuji Nakao, help-gnu-emacs

Until I put that line in my .emacs file eww wouldn't even connect to google.

On Sun, 1 Sep 2019, Yuji Nakao wrote:

> Date: Sat, 31 Aug 2019 19:23:40
> From: Yuji Nakao <contact@yujinakao.com>
> To: help-gnu-emacs@gnu.org
> Subject: Network Security Manager warns safe renegotiation is not supported
>
> Hi, I tried to connect to https://elpa.gnu.org in eww Emacs 27.0.50, but
> Network Security Manager warned `TLS connection to elpa.gnu.org:433 is
> insecure for the following reason: * safe renegotiation is not
> supported, connection not protected from impersonators`, and showed
> `Continue connecting?` multiple choice prompt whether to accept the
> certificate.
>
> I guess this is caused by recently merged nsm.el, and
> after some investigation, the warning disappeared by setting
> (setq gnutls-algorithm-priority "NORMAL:-VERS-TLS1.3").
> Is this a right workaround for this issue?
>
> Thanks.
> Yuji Nakao
From: Amin Bandali
Date: 2019-09-01 16:37 UTC
To: help-gnu-emacs

Yuji Nakao <contact@yujinakao.com> writes:

> Hi, I tried to connect to https://elpa.gnu.org in eww Emacs 27.0.50, but
> Network Security Manager warned `TLS connection to elpa.gnu.org:433 is
> insecure for the following reason: * safe renegotiation is not
> supported, connection not protected from impersonators`, and showed
> `Continue connecting?` multiple choice prompt whether to accept the
> certificate.
>
> I guess this is caused by recently merged nsm.el, and
> after some investigation, the warning disappeared by setting
> (setq gnutls-algorithm-priority "NORMAL:-VERS-TLS1.3").
> Is this a right workaround for this issue?

I’m no security expert, but I don’t think that’s a good idea. Setting
`gnutls-algorithm-priority' to that value basically tells GnuTLS to skip
TLS1.3 altogether, which is the latest version of the TLS protocol.

The issue seems to be that nsm.el checks for renegotiation_info[1] for
TLS1.3 connections as well; but if I understand correctly, renegotiation
was removed from TLS1.3, according to [2] and [3]. I *think* the proper
way to fix this would be to have nsm *not* check for renegotiation-info-ext
for TLS1.3 connections. Please don’t take my word for this as, again,
I’m no security/GnuTLS expert. Hopefully others with more knowledge can
chime in to clarify.

Footnotes:
[1] See C-h f nsm-protocol-check--renegotiation-info-ext RET
[2] https://wiki.openssl.org/index.php/TLS1.3#Renegotiation
[3] https://www.cloudflare.com/learning-resources/tls-1-3/
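An added illustration of the check Amin describes, written for this page and not taken from the thread or from Emacs's nsm.el: a renegotiation_info check that fires on every session beside one that skips TLS 1.3, run over a few constructed peer-status plists. The keys :protocol and :safe-renegotiation follow the shape of what gnutls-peer-status returns in Emacs, but the function names, the sample sessions and the warning text's placement are assumptions of this example, not the project's code.

```elisp
;; Added example, not nsm.el's own code.  Models the renegotiation_info
;; check discussed in the thread: a version that warns on every session
;; versus one that leaves TLS 1.3 alone, since renegotiation (and so the
;; extension that protects it) no longer exists there.
;;
;; Assumption: STATUS is a plist shaped like a gnutls-peer-status result,
;; with :protocol (e.g. "TLS1.3") and :safe-renegotiation (t or nil).
;; All names prefixed "my-" are hypothetical.

(defconst my-tls13-regexp "\\`TLS1\\.3"
  "Matches the protocol string of a TLS 1.3 session.")

(defconst my-renegotiation-warning
  "safe renegotiation is not supported, connection not protected from impersonators"
  "Warning text for a session that lacks the renegotiation_info extension.")

(defun my-renegotiation-check-naive (status)
  "Return a warning if STATUS lacks safe renegotiation, else nil.
This is the over-eager behaviour: it never looks at the protocol version,
so a TLS 1.3 session is flagged for an extension it cannot carry."
  (unless (plist-get status :safe-renegotiation)
    my-renegotiation-warning))

(defun my-renegotiation-check-fixed (status)
  "Like `my-renegotiation-check-naive', but skip TLS 1.3 sessions.
TLS 1.2 and earlier still need the extension, so they are still checked."
  (let ((protocol (plist-get status :protocol)))
    (unless (or (plist-get status :safe-renegotiation)
                (and protocol (string-match-p my-tls13-regexp protocol)))
      my-renegotiation-warning)))

;; Constructed sample sessions; the first mirrors Herbert's report
;; (TLS1.3, no renegotiation_info), the others are TLS 1.2 with and
;; without the extension.
(defconst my-sample-sessions
  '((:host "elpa.gnu.org" :protocol "TLS1.3" :safe-renegotiation nil)
    (:host "tls12-with-ext" :protocol "TLS1.2" :safe-renegotiation t)
    (:host "tls12-no-ext" :protocol "TLS1.2" :safe-renegotiation nil)))

(defun my-report (check)
  "Apply CHECK to each of `my-sample-sessions'.
Return a list of (HOST . WARNING-OR-NIL) pairs."
  (mapcar (lambda (session)
            (cons (plist-get session :host) (funcall check session)))
          my-sample-sessions))

;; Evaluate to compare the two behaviours:
;; (my-report #'my-renegotiation-check-naive)
;; (my-report #'my-renegotiation-check-fixed)
```

With the naive check both elpa.gnu.org and tls12-no-ext warn; with the fixed check only tls12-no-ext does, which is the behaviour Amin argues for: the TLS 1.2 downgrade check is kept, while TLS 1.3 is no longer penalised for an extension the protocol removed.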
From: Robert Pluim
Date: 2019-09-05 6:51 UTC
To: Amin Bandali
Cc: help-gnu-emacs

>>>>> On Sun, 01 Sep 2019 12:37:10 -0400, Amin Bandali <bandali@gnu.org> said:

    Amin> I’m no security expert, but I don’t think that’s a good idea. Setting
    Amin> `gnutls-algorithm-priority' to that value basically tells GnuTLS to skip
    Amin> TLS1.3 altogether, which is the latest version of the TLS protocol.

    Amin> The issue seems to be that nsm.el checks for renegotiation_info[1] for
    Amin> TLS1.3 connections as well; but if I understand correctly, renegotiation
    Amin> was removed from TLS1.3, according to [2] and [3]. I *think* the proper
    Amin> way to fix this would be to have nsm *not* check for renegotiation-info-ext
    Amin> for TLS1.3 connections. Please don’t take my word for this as, again,
    Amin> I’m no security/GnuTLS expert. Hopefully others with more knowledge can
    Amin> chime in to clarify.

Correct. Fixed in emacs-master.

Robert
From: Herbert J. Skuhra
Date: 2019-09-05 7:53 UTC
To: help-gnu-emacs

On Thu, Sep 05, 2019 at 08:51:23AM +0200, Robert Pluim wrote:
> >>>>> On Sun, 01 Sep 2019 12:37:10 -0400, Amin Bandali <bandali@gnu.org> said:
>
>     Amin> I’m no security expert, but I don’t think that’s a good idea. Setting
>     Amin> `gnutls-algorithm-priority' to that value basically tells GnuTLS to skip
>     Amin> TLS1.3 altogether, which is the latest version of the TLS protocol.
>
>     Amin> The issue seems to be that nsm.el checks for renegotiation_info[1] for
>     Amin> TLS1.3 connections as well; but if I understand correctly, renegotiation
>     Amin> was removed from TLS1.3, according to [2] and [3]. I *think* the proper
>     Amin> way to fix this would be to have nsm *not* check for renegotiation-info-ext
>     Amin> for TLS1.3 connections. Please don’t take my word for this as, again,
>     Amin> I’m no security/GnuTLS expert. Hopefully others with more knowledge can
>     Amin> chime in to clarify.
>
> Correct. Fixed in emacs-master.

Hi,

I am still getting:

  Certificate information
  Issued by:        Let's Encrypt Authority X3
  Issued to:        CN=elpa.gnu.org
  Hostname:         elpa.gnu.org
  Public key:       RSA, signature: RSA-SHA256
  Session:          TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, mac: AEAD
  Security level:   Medium
  Valid:            From 2019-08-07 to 2019-11-05

  The TLS connection to elpa.gnu.org:443 is insecure
  for the following reason:

  * safe renegotiation is not supported, connection not protected from
  impersonators

--
Herbert
From: Robert Pluim
Date: 2019-09-05 9:38 UTC
To: Herbert J. Skuhra
Cc: help-gnu-emacs

>>>>> On Thu, 5 Sep 2019 09:53:08 +0200, "Herbert J. Skuhra" <herbert@gojira.at> said:

    Herbert> On Thu, Sep 05, 2019 at 08:51:23AM +0200, Robert Pluim wrote:
    >> >>>>> On Sun, 01 Sep 2019 12:37:10 -0400, Amin Bandali <bandali@gnu.org> said:
    Amin> I’m no security expert, but I don’t think that’s a good idea. Setting
    Amin> `gnutls-algorithm-priority' to that value basically tells GnuTLS to skip
    Amin> TLS1.3 altogether, which is the latest version of the TLS protocol.
    >>
    Amin> The issue seems to be that nsm.el checks for renegotiation_info[1] for
    Amin> TLS1.3 connections as well; but if I understand correctly, renegotiation
    Amin> was removed from TLS1.3, according to [2] and [3]. I *think* the proper
    Amin> way to fix this would be to have nsm *not* check for renegotiation-info-ext
    Amin> for TLS1.3 connections. Please don’t take my word for this as, again,
    Amin> I’m no security/GnuTLS expert. Hopefully others with more knowledge can
    Amin> chime in to clarify.
    >>
    >> Correct. Fixed in emacs-master.

    Herbert> Hi,

    Herbert> I am still getting:

    Herbert> Certificate information
    Herbert> Issued by:        Let's Encrypt Authority X3
    Herbert> Issued to:        CN=elpa.gnu.org
    Herbert> Hostname:         elpa.gnu.org
    Herbert> Public key:       RSA, signature: RSA-SHA256
    Herbert> Session:          TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, mac: AEAD
    Herbert> Security level:   Medium
    Herbert> Valid:            From 2019-08-07 to 2019-11-05

    Herbert> The TLS connection to elpa.gnu.org:443 is insecure
    Herbert> for the following reason:

    Herbert> * safe renegotiation is not supported, connection not protected from
    Herbert> impersonators

When did you rebuild emacs? 95becaaf3b went in last night.

Robert
From: Herbert J. Skuhra
Date: 2019-09-05 10:02 UTC
To: Robert Pluim
Cc: help-gnu-emacs

On Thu, Sep 05, 2019 at 11:38:41AM +0200, Robert Pluim wrote:
> >>>>> On Thu, 5 Sep 2019 09:53:08 +0200, "Herbert J. Skuhra" <herbert@gojira.at> said:
>
>     Herbert> On Thu, Sep 05, 2019 at 08:51:23AM +0200, Robert Pluim wrote:
>     >> >>>>> On Sun, 01 Sep 2019 12:37:10 -0400, Amin Bandali <bandali@gnu.org> said:
>     Amin> I’m no security expert, but I don’t think that’s a good idea. Setting
>     Amin> `gnutls-algorithm-priority' to that value basically tells GnuTLS to skip
>     Amin> TLS1.3 altogether, which is the latest version of the TLS protocol.
>     >>
>     Amin> The issue seems to be that nsm.el checks for renegotiation_info[1] for
>     Amin> TLS1.3 connections as well; but if I understand correctly, renegotiation
>     Amin> was removed from TLS1.3, according to [2] and [3]. I *think* the proper
>     Amin> way to fix this would be to have nsm *not* check for renegotiation-info-ext
>     Amin> for TLS1.3 connections. Please don’t take my word for this as, again,
>     Amin> I’m no security/GnuTLS expert. Hopefully others with more knowledge can
>     Amin> chime in to clarify.
>     >>
>     >> Correct. Fixed in emacs-master.
>
>     Herbert> Hi,
>
>     Herbert> I am still getting:
>
>     Herbert> Certificate information
>     Herbert> Issued by:        Let's Encrypt Authority X3
>     Herbert> Issued to:        CN=elpa.gnu.org
>     Herbert> Hostname:         elpa.gnu.org
>     Herbert> Public key:       RSA, signature: RSA-SHA256
>     Herbert> Session:          TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, mac: AEAD
>     Herbert> Security level:   Medium
>     Herbert> Valid:            From 2019-08-07 to 2019-11-05
>
>     Herbert> The TLS connection to elpa.gnu.org:443 is insecure
>     Herbert> for the following reason:
>
>     Herbert> * safe renegotiation is not supported, connection not protected from
>     Herbert> impersonators
>
> When did you rebuild emacs? 95becaaf3b went in last night.

I just did another full build (git clean -xfd, ./autogen.sh, ./configure, etc.). Same result.

  % git status
  On branch master
  Your branch is up to date with 'origin/master'.

  % git log -1
  commit 365dad197bac5deec9244fd9c189d23c46c99b31 (HEAD -> master, origin/master, origin/HEAD)

--
Herbert
From: Robert Pluim
Date: 2019-09-05 11:22 UTC
To: Herbert J. Skuhra
Cc: help-gnu-emacs

>>>>> On Thu, 5 Sep 2019 12:02:58 +0200, "Herbert J. Skuhra" <herbert@gojira.at> said:

    Herbert> I just did another full build (git clean -xfd, ./autogen.sh, ./configure,
    Herbert> etc.). Same result.

    Herbert> % git status
    Herbert> On branch master
    Herbert> Your branch is up to date with 'origin/master'.

    Herbert> % git log -1
    Herbert> commit 365dad197bac5deec9244fd9c189d23c46c99b31 (HEAD -> master,
    Herbert> origin/master, origin/HEAD)

Hmm, Iʼm not seeing that with that commit. It does the same with
'emacs -Q'? Does M-x list-load-path-shadows show anything suspicious
like another copy of nsm.el somewhere?

Robert
From: Robert Pluim
Date: 2019-09-05 11:51 UTC
To: Herbert J. Skuhra
Cc: help-gnu-emacs

>>>>> On Thu, 05 Sep 2019 13:22:46 +0200, Robert Pluim <rpluim@gmail.com> said:

>>>>> On Thu, 5 Sep 2019 12:02:58 +0200, "Herbert J. Skuhra" <herbert@gojira.at> said:

    Herbert> I just did another full build (git clean -xfd, ./autogen.sh, ./configure,
    Herbert> etc.). Same result.

    Herbert> % git status
    Herbert> On branch master
    Herbert> Your branch is up to date with 'origin/master'.

    Herbert> % git log -1
    Herbert> commit 365dad197bac5deec9244fd9c189d23c46c99b31 (HEAD -> master,
    Herbert> origin/master, origin/HEAD)

    Robert> Hmm, Iʼm not seeing that with that commit. It does the same with
    Robert> 'emacs -Q'? Does M-x list-load-path-shadows show anything suspicious
    Robert> like another copy of nsm.el somewhere?

Never mind, my fix was wrong. Back to the drawing board.

Robert
From: Lars Magne Ingebrigtsen
Date: 2019-09-05 12:51 UTC
To: help-gnu-emacs

Robert Pluim <rpluim@gmail.com> writes:

> Never mind, my fix was wrong. Back to the drawing board.

Do you have a TLS 1.3 server to test with? I googled a bit but didn't
find anything.

--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
From: Robert Pluim
Date: 2019-09-05 13:44 UTC
To: Lars Magne Ingebrigtsen
Cc: help-gnu-emacs

>>>>> On Thu, 05 Sep 2019 14:51:14 +0200, Lars Magne Ingebrigtsen <lmi@gnus.org> said:

    Lars> Robert Pluim <rpluim@gmail.com> writes:
    >> Never mind, my fix was wrong. Back to the drawing board.

    Lars> Do you have a TLS 1.3 server to test with? I googled a bit but didn't
    Lars> find anything.

https://elpa.gnu.org is usually enough. Or https://www.google.com

Robert
From: Lars Magne Ingebrigtsen
Date: 2019-09-05 13:51 UTC
To: help-gnu-emacs

Robert Pluim <rpluim@gmail.com> writes:

> https://elpa.gnu.org is usually enough. Or https://www.google.com

I guess my OS is too old, because I get TLS 1.2 on those.

--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
From: Robert Pluim
Date: 2019-09-05 14:02 UTC
To: Lars Magne Ingebrigtsen
Cc: help-gnu-emacs

>>>>> On Thu, 05 Sep 2019 15:51:54 +0200, Lars Magne Ingebrigtsen <lmi@gnus.org> said:

    Lars> Robert Pluim <rpluim@gmail.com> writes:
    >> https://elpa.gnu.org is usually enough. Or https://www.google.com

    Lars> I guess my OS is too old, because I get TLS 1.2 on those.

GnuTLS started supporting TLS1.3 from 3.6.3, and made it default in
3.6.5, if memory serves.

Robert
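An added helper, not from the thread, for the question Lars and Robert touch on here (why a build negotiates TLS 1.2 rather than 1.3): it classifies the GnuTLS library Emacs was built against using the thresholds Robert quotes. It reads Emacs's `libgnutls-version', which encodes major.minor.patch as major*10000 + minor*100 + patch and is -1 without GnuTLS; that encoding and the "my-" function names are this example's assumptions, and the 3.6.3/3.6.5 boundaries are Robert's from-memory figures, not independently confirmed here.

```elisp
;; Added example, not part of the thread.  Decodes `libgnutls-version'
;; (assumed: major*10000 + minor*100 + patch, or -1 if GnuTLS is absent)
;; and applies the thresholds given in the thread: TLS 1.3 supported from
;; GnuTLS 3.6.3, negotiated by default from 3.6.5.  "my-" names are
;; hypothetical.

(defconst my-gnutls-tls13-supported 30603
  "Encoded GnuTLS version (3.6.3) from which TLS 1.3 is available.")

(defconst my-gnutls-tls13-default 30605
  "Encoded GnuTLS version (3.6.5) from which TLS 1.3 is negotiated by default.")

(defun my-gnutls-version-string (n)
  "Render encoded GnuTLS version N as \"MAJOR.MINOR.PATCH\".
Return \"unavailable\" for a negative N."
  (if (< n 0)
      "unavailable"
    (format "%d.%d.%d" (/ n 10000) (/ (% n 10000) 100) (% n 100))))

(defun my-gnutls-tls13-status (&optional n)
  "Classify TLS 1.3 support for encoded GnuTLS version N.
N defaults to `libgnutls-version'.  Return one of the symbols
`unavailable', `unsupported', `supported' or `default'."
  (let ((n (or n libgnutls-version)))
    (cond ((< n 0) 'unavailable)
          ((< n my-gnutls-tls13-supported) 'unsupported)
          ((< n my-gnutls-tls13-default) 'supported)
          (t 'default))))

(defun my-gnutls-tls13-report (&optional n)
  "Return a one-line human-readable summary for encoded version N.
With a library that only *supports* TLS 1.3, the priority string still
has to enable it; with `default' no priority change is needed."
  (let ((n (or n libgnutls-version)))
    (format "GnuTLS %s: TLS 1.3 %s"
            (my-gnutls-version-string n)
            (pcase (my-gnutls-tls13-status n)
              ('unavailable "n/a (Emacs built without GnuTLS)")
              ('unsupported "not available; expect TLS 1.2 at best")
              ('supported "available but not enabled by default")
              ('default "enabled by default")))))

;; Evaluate in the running Emacs:
;; (my-gnutls-tls13-report)
;; or against a constructed value, e.g. GnuTLS 3.5.19 encoded as 30519:
;; (my-gnutls-tls13-report 30519)
```

For a live connection the negotiated version is what matters, not the library version alone; in Emacs, `(plist-get (gnutls-peer-status proc) :protocol)' on a TLS process reports it, which is the same "Session:" field that appears in Herbert's NSM dialog above.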
From: Herbert J. Skuhra
Date: 2019-09-05 19:09 UTC
To: Robert Pluim
Cc: help-gnu-emacs

On Thu, Sep 05, 2019 at 01:51:39PM +0200, Robert Pluim wrote:
>
> Never mind, my fix was wrong. Back to the drawing board.

With Paul's commit (b9e37f5) the warning is gone. Thanks!

--
Herbert
From: Herbert J. Skuhra
Date: 2019-09-05 12:03 UTC
To: Robert Pluim
Cc: help-gnu-emacs

On Thu, Sep 05, 2019 at 01:22:46PM +0200, Robert Pluim wrote:
>
> Hmm, Iʼm not seeing that with that commit. It does the same with
> 'emacs -Q'? Does M-x list-load-path-shadows show anything suspicious
> like another copy of nsm.el somewhere?

Yes, I get the warning even when I am running 'emacs -Q'. There is no
other nsm.el in my load-path.

--
Herbert