* Network Security Manager warns safe renegotiation is not supported
From: Yuji Nakao @ 2019-08-31 23:23 UTC (permalink / raw)
To: help-gnu-emacs
Hi, I tried to connect to https://elpa.gnu.org in eww Emacs 27.0.50, but
Network Security Manager warned `TLS connection to elpa.gnu.org:433 is
insecure for the following reason: * safe renegotiation is not
supported, connection not protected from impersonators`, and showed
`Continue connecting?` multiple choice prompt whether to accept the
certificate.
I guess this is caused by recently merged nsm.el, and
after some investigation, the warning disappeared by setting
(setq gnutls-algorithm-priority "NORMAL:-VERS-TLS1.3").
Is this a right workaround for this issue?
Thanks.
Yuji Nakao
* Re: Network Security Manager warns safe renegotiation is not supported
From: Jude DaShiell @ 2019-09-01 15:38 UTC (permalink / raw)
To: Yuji Nakao, help-gnu-emacs
Until I put that line in my .emacs file eww wouldn't even connect to
google.
On Sun, 1 Sep 2019, Yuji Nakao wrote:
> Date: Sat, 31 Aug 2019 19:23:40
> From: Yuji Nakao <contact@yujinakao.com>
> To: help-gnu-emacs@gnu.org
> Subject: Network Security Manager warns safe renegotiation is not supported
>
> Hi, I tried to connect to https://elpa.gnu.org in eww Emacs 27.0.50, but
> Network Security Manager warned `TLS connection to elpa.gnu.org:433 is
> insecure for the following reason: * safe renegotiation is not
> supported, connection not protected from impersonators`, and showed
> `Continue connecting?` multiple choice prompt whether to accept the
> certificate.
>
> I guess this is caused by recently merged nsm.el, and
> after some investigation, the warning disappeared by setting
> (setq gnutls-algorithm-priority "NORMAL:-VERS-TLS1.3").
> Is this a right workaround for this issue?
>
> Thanks.
> Yuji Nakao
>
--
* Re: Network Security Manager warns safe renegotiation is not supported
From: Amin Bandali @ 2019-09-01 16:37 UTC (permalink / raw)
To: help-gnu-emacs
Yuji Nakao <contact@yujinakao.com> writes:
> Hi, I tried to connect to https://elpa.gnu.org in eww Emacs 27.0.50, but
> Network Security Manager warned `TLS connection to elpa.gnu.org:433 is
> insecure for the following reason: * safe renegotiation is not
> supported, connection not protected from impersonators`, and showed
> `Continue connecting?` multiple choice prompt whether to accept the
> certificate.
>
> I guess this is caused by recently merged nsm.el, and
> after some investigation, the warning disappeared by setting
> (setq gnutls-algorithm-priority "NORMAL:-VERS-TLS1.3").
> Is this a right workaround for this issue?
>
I’m no security expert, but I don’t think that’s a good idea. Setting
`gnutls-algorithm-priority' to that value basically tells GnuTLS to skip
TLS1.3 altogether, which is the latest version of the TLS protocol.
The issue seems to be that nsm.el checks for renegotiation_info[1] for
TLS1.3 connections as well; but if I understand correctly, renegotiation
was removed from TLS1.3, according to [2] and [3]. I *think* the proper
way to fix this would be to have nsm *not* check for renegotiation-info-ext
for TLS1.3 connections. Please don’t take my word for this as, again,
I’m no security/GnuTLS expert. Hopefully others with more knowledge can
chime in to clarify.
Footnotes:
[1] See C-h f nsm-protocol-check--renegotiation-info-ext RET
[2] https://wiki.openssl.org/index.php/TLS1.3#Renegotiation
[3] https://www.cloudflare.com/learning-resources/tls-1-3/
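An added illustration of the gating Amin describes above (only sessions below TLS 1.3 can renegotiate, so only those should be checked for the renegotiation_info extension). This is example code written for this page, not nsm.el's own check or anything posted in the thread. It assumes a peer-status plist in the shape returned by `gnutls-peer-status', with a :protocol string such as "TLS1.3" and a :safe-renegotiation flag; the function names prefixed my-nsm- are hypothetical.

```elisp
;; Added example, not code from nsm.el.  STATUS is assumed to be a plist
;; like the one `gnutls-peer-status' returns, carrying at least
;; :protocol (a string such as "TLS1.2" or "TLS1.3") and
;; :safe-renegotiation (non-nil when the renegotiation_info extension
;; was negotiated).
(require 'cl-lib)

(defun my-nsm-tls13-or-later-p (status)
  "Return non-nil if STATUS describes a TLS 1.3 (or newer) session.
TLS 1.3 removed renegotiation entirely, so the renegotiation_info
extension is never present on such a session and its absence is not
a weakness to warn about."
  (let ((protocol (plist-get status :protocol)))
    (and (stringp protocol)
         (string-match-p "\\`TLS1\\.[3-9]" protocol))))

(defun my-nsm-check-renegotiation-info (status)
  "Return a warning string if STATUS lacks safe renegotiation, else nil.
The check only applies to TLS 1.2 and earlier; for TLS 1.3 sessions it
is skipped, which is the behaviour proposed in the thread.  Hypothetical
helper modelled on the nsm.el protocol checks."
  (unless (or (my-nsm-tls13-or-later-p status)
              (plist-get status :safe-renegotiation))
    "safe renegotiation is not supported, connection not protected from impersonators"))

;; Constructed sample statuses (not real peer output) exercising the
;; three cases a connection can fall into.
(cl-assert (null (my-nsm-check-renegotiation-info
                  '(:protocol "TLS1.3" :safe-renegotiation nil)))
           nil "TLS 1.3 must not trigger the renegotiation warning")
(cl-assert (stringp (my-nsm-check-renegotiation-info
                     '(:protocol "TLS1.2" :safe-renegotiation nil)))
           nil "TLS 1.2 without the extension must still warn")
(cl-assert (null (my-nsm-check-renegotiation-info
                  '(:protocol "TLS1.2" :safe-renegotiation t)))
           nil "TLS 1.2 with the extension is fine")
```

Evaluating the buffer with M-x eval-buffer runs the three assertions; the version gate is what keeps the TLS 1.2 check intact while silencing the false positive on TLS 1.3, which is the opposite of the "NORMAL:-VERS-TLS1.3" workaround that silences it by downgrading the protocol.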
* Re: Network Security Manager warns safe renegotiation is not supported
From: Robert Pluim @ 2019-09-05 6:51 UTC (permalink / raw)
To: Amin Bandali; +Cc: help-gnu-emacs
>>>>> On Sun, 01 Sep 2019 12:37:10 -0400, Amin Bandali <bandali@gnu.org> said:
Amin> I’m no security expert, but I don’t think that’s a good idea. Setting
Amin> `gnutls-algorithm-priority' to that value basically tells GnuTLS to skip
Amin> TLS1.3 altogether, which is the latest version of the TLS protocol.
Amin> The issue seems to be that nsm.el checks for renegotiation_info[1] for
Amin> TLS1.3 connections as well; but if I understand correctly, renegotiation
Amin> was removed from TLS1.3, according to [2] and [3]. I *think* the proper
Amin> way to fix this would be to have nsm *not* check for renegotiation-info-ext
Amin> for TLS1.3 connections. Please don’t take my word for this as, again,
Amin> I’m no security/GnuTLS expert. Hopefully others with more knowledge can
Amin> chime in to clarify.
Correct. Fixed in emacs-master.
Robert
* Re: Network Security Manager warns safe renegotiation is not supported
From: Herbert J. Skuhra @ 2019-09-05 7:53 UTC (permalink / raw)
To: help-gnu-emacs
On Thu, Sep 05, 2019 at 08:51:23AM +0200, Robert Pluim wrote:
> >>>>> On Sun, 01 Sep 2019 12:37:10 -0400, Amin Bandali <bandali@gnu.org> said:
> Amin> I’m no security expert, but I don’t think that’s a good idea. Setting
> Amin> `gnutls-algorithm-priority' to that value basically tells GnuTLS to skip
> Amin> TLS1.3 altogether, which is the latest version of the TLS protocol.
>
> Amin> The issue seems to be that nsm.el checks for renegotiation_info[1] for
> Amin> TLS1.3 connections as well; but if I understand correctly, renegotiation
> Amin> was removed from TLS1.3, according to [2] and [3]. I *think* the proper
> Amin> way to fix this would be to have nsm *not* check for renegotiation-info-ext
> Amin> for TLS1.3 connections. Please don’t take my word for this as, again,
> Amin> I’m no security/GnuTLS expert. Hopefully others with more knowledge can
> Amin> chime in to clarify.
>
> Correct. Fixed in emacs-master.
Hi,
I am still getting:
Certificate information
Issued by: Let's Encrypt Authority X3
Issued to: CN=elpa.gnu.org
Hostname: elpa.gnu.org
Public key: RSA, signature: RSA-SHA256
Session: TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, mac: AEAD
Security level: Medium
Valid: From 2019-08-07 to 2019-11-05
The TLS connection to elpa.gnu.org:443 is insecure
for the following reason:
* safe renegotiation is not supported, connection not protected from impersonators
--
Herbert
* Re: Network Security Manager warns safe renegotiation is not supported
From: Robert Pluim @ 2019-09-05 9:38 UTC (permalink / raw)
To: Herbert J. Skuhra; +Cc: help-gnu-emacs
>>>>> On Thu, 5 Sep 2019 09:53:08 +0200, "Herbert J. Skuhra" <herbert@gojira.at> said:
Herbert> On Thu, Sep 05, 2019 at 08:51:23AM +0200, Robert Pluim wrote:
>> >>>>> On Sun, 01 Sep 2019 12:37:10 -0400, Amin Bandali <bandali@gnu.org> said:
Amin> I’m no security expert, but I don’t think that’s a good idea. Setting
Amin> `gnutls-algorithm-priority' to that value basically tells GnuTLS to skip
Amin> TLS1.3 altogether, which is the latest version of the TLS protocol.
>>
Amin> The issue seems to be that nsm.el checks for renegotiation_info[1] for
Amin> TLS1.3 connections as well; but if I understand correctly, renegotiation
Amin> was removed from TLS1.3, according to [2] and [3]. I *think* the proper
Amin> way to fix this would be to have nsm *not* check for renegotiation-info-ext
Amin> for TLS1.3 connections. Please don’t take my word for this as, again,
Amin> I’m no security/GnuTLS expert. Hopefully others with more knowledge can
Amin> chime in to clarify.
>>
>> Correct. Fixed in emacs-master.
Herbert> Hi,
Herbert> I am still getting:
Herbert> Certificate information
Herbert> Issued by: Let's Encrypt Authority X3
Herbert> Issued to: CN=elpa.gnu.org
Herbert> Hostname: elpa.gnu.org
Herbert> Public key: RSA, signature: RSA-SHA256
Herbert> Session: TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, mac: AEAD
Herbert> Security level: Medium
Herbert> Valid: From 2019-08-07 to 2019-11-05
Herbert> The TLS connection to elpa.gnu.org:443 is insecure
Herbert> for the following reason:
Herbert> * safe renegotiation is not supported, connection not protected from impersonators
When did you rebuild emacs? 95becaaf3b went in last night.
Robert
* Re: Network Security Manager warns safe renegotiation is not supported
From: Herbert J. Skuhra @ 2019-09-05 10:02 UTC (permalink / raw)
To: Robert Pluim; +Cc: help-gnu-emacs
On Thu, Sep 05, 2019 at 11:38:41AM +0200, Robert Pluim wrote:
> >>>>> On Thu, 5 Sep 2019 09:53:08 +0200, "Herbert J. Skuhra" <herbert@gojira.at> said:
>
> Herbert> On Thu, Sep 05, 2019 at 08:51:23AM +0200, Robert Pluim wrote:
> >> >>>>> On Sun, 01 Sep 2019 12:37:10 -0400, Amin Bandali <bandali@gnu.org> said:
> Amin> I’m no security expert, but I don’t think that’s a good idea. Setting
> Amin> `gnutls-algorithm-priority' to that value basically tells GnuTLS to skip
> Amin> TLS1.3 altogether, which is the latest version of the TLS protocol.
> >>
> Amin> The issue seems to be that nsm.el checks for renegotiation_info[1] for
> Amin> TLS1.3 connections as well; but if I understand correctly, renegotiation
> Amin> was removed from TLS1.3, according to [2] and [3]. I *think* the proper
> Amin> way to fix this would be to have nsm *not* check for renegotiation-info-ext
> Amin> for TLS1.3 connections. Please don’t take my word for this as, again,
> Amin> I’m no security/GnuTLS expert. Hopefully others with more knowledge can
> Amin> chime in to clarify.
> >>
> >> Correct. Fixed in emacs-master.
>
> Herbert> Hi,
>
> Herbert> I am still getting:
>
> Herbert> Certificate information
> Herbert> Issued by: Let's Encrypt Authority X3
> Herbert> Issued to: CN=elpa.gnu.org
> Herbert> Hostname: elpa.gnu.org
> Herbert> Public key: RSA, signature: RSA-SHA256
> Herbert> Session: TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, mac: AEAD
> Herbert> Security level: Medium
> Herbert> Valid: From 2019-08-07 to 2019-11-05
>
> Herbert> The TLS connection to elpa.gnu.org:443 is insecure
> Herbert> for the following reason:
>
> Herbert> * safe renegotiation is not supported, connection not protected from impersonators
>
> When did you rebuild emacs? 95becaaf3b went in last night.
I just did another full build (git clean -xfd, ./autogen.sh, ./configure,
etc.). Same result.
% git status
On branch master
Your branch is up to date with 'origin/master'.
% git log -1
commit 365dad197bac5deec9244fd9c189d23c46c99b31 (HEAD -> master, origin/master, origin/HEAD)
--
Herbert
* Re: Network Security Manager warns safe renegotiation is not supported
From: Robert Pluim @ 2019-09-05 11:22 UTC (permalink / raw)
To: Herbert J. Skuhra; +Cc: help-gnu-emacs
>>>>> On Thu, 5 Sep 2019 12:02:58 +0200, "Herbert J. Skuhra" <herbert@gojira.at> said:
Herbert> I just did another full build (git clean -xfd, ./autogen.sh, ./configure,
Herbert> etc.). Same result.
Herbert> % git status
Herbert> On branch master
Herbert> Your branch is up to date with 'origin/master'.
Herbert> % git log -1
Herbert> commit 365dad197bac5deec9244fd9c189d23c46c99b31 (HEAD -> master, origin/master, origin/HEAD)
Hmm, Iʼm not seeing that with that commit. It does the same with
'emacs -Q'? Does M-x list-load-path-shadows show anything suspicious
like another copy of nsm.el somewhere?
Robert
* Re: Network Security Manager warns safe renegotiation is not supported
From: Robert Pluim @ 2019-09-05 11:51 UTC (permalink / raw)
To: Herbert J. Skuhra; +Cc: help-gnu-emacs
>>>>> On Thu, 05 Sep 2019 13:22:46 +0200, Robert Pluim <rpluim@gmail.com> said:
>>>>> On Thu, 5 Sep 2019 12:02:58 +0200, "Herbert J. Skuhra" <herbert@gojira.at> said:
Herbert> I just did another full build (git clean -xfd, ./autogen.sh, ./configure,
Herbert> etc.). Same result.
Herbert> % git status
Herbert> On branch master
Herbert> Your branch is up to date with 'origin/master'.
Herbert> % git log -1
Herbert> commit 365dad197bac5deec9244fd9c189d23c46c99b31 (HEAD -> master, origin/master, origin/HEAD)
Robert> Hmm, Iʼm not seeing that with that commit. It does the same with
Robert> 'emacs -Q'? Does M-x list-load-path-shadows show anything suspicious
Robert> like another copy of nsm.el somewhere?
Never mind, my fix was wrong. Back to the drawing board.
Robert
* Re: Network Security Manager warns safe renegotiation is not supported
From: Herbert J. Skuhra @ 2019-09-05 12:03 UTC (permalink / raw)
To: Robert Pluim; +Cc: help-gnu-emacs
On Thu, Sep 05, 2019 at 01:22:46PM +0200, Robert Pluim wrote:
>
> Hmm, Iʼm not seeing that with that commit. It does the same with
> 'emacs -Q'? Does M-x list-load-path-shadows show anything suspicious
> like another copy of nsm.el somewhere?
Yes, I get the warning even when I am running 'emacs -Q'.
There is no other nsm.el in my load-path.
--
Herbert
* Re: Network Security Manager warns safe renegotiation is not supported
From: Lars Magne Ingebrigtsen @ 2019-09-05 12:51 UTC (permalink / raw)
To: help-gnu-emacs
Robert Pluim <rpluim@gmail.com> writes:
> Never mind, my fix was wrong. Back to the drawing board.
Do you have a TLS 1.3 server to test with? I googled a bit but didn't
find anything.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
* Re: Network Security Manager warns safe renegotiation is not supported
From: Robert Pluim @ 2019-09-05 13:44 UTC (permalink / raw)
To: Lars Magne Ingebrigtsen; +Cc: help-gnu-emacs
>>>>> On Thu, 05 Sep 2019 14:51:14 +0200, Lars Magne Ingebrigtsen <lmi@gnus.org> said:
Lars> Robert Pluim <rpluim@gmail.com> writes:
>> Never mind, my fix was wrong. Back to the drawing board.
Lars> Do you have a TLS 1.3 server to test with? I googled a bit but didn't
Lars> find anything.
https://elpa.gnu.org is usually enough. Or https://www.google.com
Robert
* Re: Network Security Manager warns safe renegotiation is not supported
From: Lars Magne Ingebrigtsen @ 2019-09-05 13:51 UTC (permalink / raw)
To: help-gnu-emacs
Robert Pluim <rpluim@gmail.com> writes:
> https://elpa.gnu.org is usually enough. Or https://www.google.com
I guess my OS is too old, because I get TLS 1.2 on those.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
* Re: Network Security Manager warns safe renegotiation is not supported
From: Robert Pluim @ 2019-09-05 14:02 UTC (permalink / raw)
To: Lars Magne Ingebrigtsen; +Cc: help-gnu-emacs
>>>>> On Thu, 05 Sep 2019 15:51:54 +0200, Lars Magne Ingebrigtsen <lmi@gnus.org> said:
Lars> Robert Pluim <rpluim@gmail.com> writes:
>> https://elpa.gnu.org is usually enough. Or https://www.google.com
Lars> I guess my OS is too old, because I get TLS 1.2 on those.
GnuTLS started supporting TLS1.3 from 3.6.3, and made it default in
3.6.5, if memory serves.
Robert
* Re: Network Security Manager warns safe renegotiation is not supported
From: Herbert J. Skuhra @ 2019-09-05 19:09 UTC (permalink / raw)
To: Robert Pluim; +Cc: help-gnu-emacs
On Thu, Sep 05, 2019 at 01:51:39PM +0200, Robert Pluim wrote:
>
> Never mind, my fix was wrong. Back to the drawing board.
With Paul's commit (b9e37f5) the warning is gone. Thanks!
--
Herbert