From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED.blaine.gmane.org!not-for-mail
From: "Herbert J. Skuhra" <herbert@gojira.at>
Newsgroups: gmane.emacs.help
Subject: Re: Network Security Manager warns safe renegotiation is not supported
Date: Thu, 5 Sep 2019 09:53:08 +0200
Message-ID: <20190905075308.GA12767@mail.bsd4all.net>
References: <87zhjoj4w3.fsf@yujinakao.com> <875zmcdlc9.fsf@fencepost.gnu.org>
 <m2sgpbme1g.fsf@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Injection-Info: blaine.gmane.org; posting-host="blaine.gmane.org:195.159.176.226";
	logging-data="47930"; mail-complaints-to="usenet@blaine.gmane.org"
User-Agent: Mutt/1.12.1 (2019-06-15)
To: help-gnu-emacs@gnu.org
Original-X-From: help-gnu-emacs-bounces+geh-help-gnu-emacs=m.gmane.org@gnu.org Thu Sep 05 09:54:10 2019
Return-path: <help-gnu-emacs-bounces+geh-help-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geh-help-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by blaine.gmane.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.89)
	(envelope-from <help-gnu-emacs-bounces+geh-help-gnu-emacs=m.gmane.org@gnu.org>)
	id 1i5man-000CKy-O7
	for geh-help-gnu-emacs@m.gmane.org; Thu, 05 Sep 2019 09:54:09 +0200
Original-Received: from localhost ([::1]:42956 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <help-gnu-emacs-bounces+geh-help-gnu-emacs=m.gmane.org@gnu.org>)
	id 1i5mam-0005Sb-An
	for geh-help-gnu-emacs@m.gmane.org; Thu, 05 Sep 2019 03:54:08 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:53717)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <herbert@gojira.at>) id 1i5ma2-0005SQ-CV
 for help-gnu-emacs@gnu.org; Thu, 05 Sep 2019 03:53:23 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <herbert@gojira.at>) id 1i5ma1-00007L-AW
 for help-gnu-emacs@gnu.org; Thu, 05 Sep 2019 03:53:22 -0400
Original-Received: from mail.bsd4all.net ([144.76.30.122]:25640)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <herbert@gojira.at>) id 1i5ma0-0008Q0-Rk
 for help-gnu-emacs@gnu.org; Thu, 05 Sep 2019 03:53:21 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=gojira.at;
 s=mail201809; t=1567669988;
 bh=LW32n8MfIXDIQcwjF4QfGkSb140O26+pxWVsj7DFnwc=;
 h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type;
 b=aYdCqd6JfMMCfXvjribpGdSiPXSTZI4trgy/pjrATkI9Iz9yT4wTHHnKl1oHQ8HSR
 7xjtBlTtVy3EnTOJuHhE8ke4qJfN0o0v0FpQhqkO/zM9o0p+Rm61y1bMv7xUtRMjOF
 XT2M3g+z4gZtcBHuA+cFAsWSAW2hRCFusObGnLzpz64i/IEXtykvQRldAJZt0AvNDs
 raiwm+lyhGSy3Kfo5xxpZ7bbHqAVg/7idlswTEIAoUv7GBV7xzWHDkYoq/BevVmmER
 8+fjDNRwmKaadOy3zpg3SRMJhRMR0TkI5a9nNbCq5t02m0befDNBZG9V1ucMzar3lw
 BT2a8T0Sy/OcA==
Content-Disposition: inline
In-Reply-To: <m2sgpbme1g.fsf@gmail.com>
X-detected-operating-system: by eggs.gnu.org: FreeBSD 9.x [fuzzy]
X-Received-From: 144.76.30.122
X-BeenThere: help-gnu-emacs@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Users list for the GNU Emacs text editor <help-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/help-gnu-emacs>,
 <mailto:help-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/help-gnu-emacs>
List-Post: <mailto:help-gnu-emacs@gnu.org>
List-Help: <mailto:help-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/help-gnu-emacs>,
 <mailto:help-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: help-gnu-emacs-bounces+geh-help-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: "help-gnu-emacs"
 <help-gnu-emacs-bounces+geh-help-gnu-emacs=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.help:121441
Archived-At: <http://permalink.gmane.org/gmane.emacs.help/121441>

On Thu, Sep 05, 2019 at 08:51:23AM +0200, Robert Pluim wrote:
> >>>>> On Sun, 01 Sep 2019 12:37:10 -0400, Amin Bandali <bandali@gnu.org=
> said:
>     Amin> I=E2=80=99m no security expert, but I don=E2=80=99t think tha=
t=E2=80=99s a good idea.  Setting
>     Amin> `gnutls-algorithm-priority' to that value basically tells Gnu=
TLS to skip
>     Amin> TLS1.3 altogether, which is the latest version of the TLS pro=
tocol.
>=20
>     Amin> The issue seems to be that nsm.el checks for renegotiation_in=
fo[1] for
>     Amin> TLS1.3 connections as well; but if I understand correctly, re=
negotiation
>     Amin> was removed from TLS1.3, according to [2] and [3].  I *think*=
 the proper
>     Amin> way to fix this would be have nsm *not* check for renegotiati=
on-info-ext
>     Amin> for TlS1.3 connections.  Please don=E2=80=99t take my word fo=
r this as, again,
>     Amin> I=E2=80=99m no security/GnuTLS expert.  Hopefully others with=
 more knowledge can
>     Amin> chime in to clarify.
>=20
> Correct. Fixed in emacs-master.

Hi,

I am still getting:

Certificate information
  Issued by:          Let's Encrypt Authority X3
  Issued to:          CN=3Delpa.gnu.org
  Hostname:           elpa.gnu.org
  Public key:         RSA, signature: RSA-SHA256
  Session:            TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, mac:
AEAD
  Security level:     Medium
  Valid:              From 2019-08-07 to 2019-11-05

The TLS connection to elpa.gnu.org:443 is insecure
for the following reason:

* safe renegotiation is not supported, connection not protected from
impersonators

--=20
Herbert