From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED.blaine.gmane.org!not-for-mail From: "Herbert J. Skuhra" Newsgroups: gmane.emacs.help Subject: Re: Network Security Manager warns safe renegotiation is not supported Date: Thu, 5 Sep 2019 12:02:58 +0200 Message-ID: <20190905100258.GB12767@mail.bsd4all.net> References: <87zhjoj4w3.fsf@yujinakao.com> <875zmcdlc9.fsf@fencepost.gnu.org> <20190905075308.GA12767@mail.bsd4all.net> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Injection-Info: blaine.gmane.org; posting-host="blaine.gmane.org:195.159.176.226"; logging-data="98558"; mail-complaints-to="usenet@blaine.gmane.org" User-Agent: Mutt/1.12.1 (2019-06-15) Cc: help-gnu-emacs@gnu.org To: Robert Pluim Original-X-From: help-gnu-emacs-bounces+geh-help-gnu-emacs=m.gmane.org@gnu.org Thu Sep 05 12:04:16 2019 Return-path: Envelope-to: geh-help-gnu-emacs@m.gmane.org Original-Received: from lists.gnu.org ([209.51.188.17]) by blaine.gmane.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1i5och-000PVI-RK for geh-help-gnu-emacs@m.gmane.org; Thu, 05 Sep 2019 12:04:16 +0200 Original-Received: from localhost ([::1]:43964 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1i5ocg-0002gA-Bz for geh-help-gnu-emacs@m.gmane.org; Thu, 05 Sep 2019 06:04:14 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:51724) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1i5obW-0002d8-Vf for help-gnu-emacs@gnu.org; Thu, 05 Sep 2019 06:03:08 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1i5obV-0006vz-Lc for help-gnu-emacs@gnu.org; Thu, 05 Sep 2019 06:03:02 -0400 Original-Received: from mail.bsd4all.net ([144.76.30.122]:63406) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1i5obV-0006vI-6j for help-gnu-emacs@gnu.org; Thu, 05 Sep 2019 06:03:01 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=gojira.at; s=mail201809; t=1567677779; bh=e0+oaLRqRXaMA3dL4/qCle6G3wFjEihK839R9WGLAzI=; h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type; b=b6CuqYXHusAxQIkJ+fMFOSjN3qw/G9UKMOaccdA/0zdQzSiPRzIRoF3t5uHyYnBNr uMnlCuX12SkLRCCP8EMVILlv+MO8JvZiapJyRKqwL0eJ5Qh61l6sDhB7TBWAwfHDAn FtZxFgiczfasg6mQZcfxyBSgUWaCbQ0+1bNIvxyYMOWQad7zluK45tOBlx3gSda256 hZu8KuOMVRNencXfzya2u1dqB6BJZi2HD3OT30IAFafqsQEfZXNusS5ghoPIvH4CkH 03PYAANlpexdulF2NnkFfNE7pOS2OVITy3Qx6tuKQxfKzPhsvyQV6Vv4pz3o8sPgQ7 Xd9T96osjYsTQ== Content-Disposition: inline In-Reply-To: X-detected-operating-system: by eggs.gnu.org: FreeBSD 9.x [fuzzy] X-Received-From: 144.76.30.122 X-BeenThere: help-gnu-emacs@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Users list for the GNU Emacs text editor List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: help-gnu-emacs-bounces+geh-help-gnu-emacs=m.gmane.org@gnu.org Original-Sender: "help-gnu-emacs" Xref: news.gmane.org gmane.emacs.help:121443 Archived-At: On Thu, Sep 05, 2019 at 11:38:41AM +0200, Robert Pluim wrote: > >>>>> On Thu, 5 Sep 2019 09:53:08 +0200, "Herbert J. Skuhra" said: >=20 > Herbert> On Thu, Sep 05, 2019 at 08:51:23AM +0200, Robert Pluim wro= te: > >> >>>>> On Sun, 01 Sep 2019 12:37:10 -0400, Amin Bandali said: > Amin> I=E2=80=99m no security expert, but I don=E2=80=99t think tha= t=E2=80=99s a good idea. Setting > Amin> `gnutls-algorithm-priority' to that value basically tells Gnu= TLS to skip > Amin> TLS1.3 altogether, which is the latest version of the TLS pro= tocol. > >>=20 > Amin> The issue seems to be that nsm.el checks for renegotiation_in= fo[1] for > Amin> TLS1.3 connections as well; but if I understand correctly, re= negotiation > Amin> was removed from TLS1.3, according to [2] and [3]. I *think*= the proper > Amin> way to fix this would be have nsm *not* check for renegotiati= on-info-ext > Amin> for TlS1.3 connections. Please don=E2=80=99t take my word fo= r this as, again, > Amin> I=E2=80=99m no security/GnuTLS expert. Hopefully others with= more knowledge can > Amin> chime in to clarify. > >>=20 > >> Correct. Fixed in emacs-master. >=20 > Herbert> Hi, >=20 > Herbert> I am still getting: >=20 > Herbert> Certificate information > Herbert> Issued by: Let's Encrypt Authority X3 > Herbert> Issued to: CN=3Delpa.gnu.org > Herbert> Hostname: elpa.gnu.org > Herbert> Public key: RSA, signature: RSA-SHA256 > Herbert> Session: TLS1.3, key: ECDHE-RSA, cipher: AES-= 256-GCM, mac: > Herbert> AEAD > Herbert> Security level: Medium > Herbert> Valid: From 2019-08-07 to 2019-11-05 >=20 > Herbert> The TLS connection to elpa.gnu.org:443 is insecure > Herbert> for the following reason: >=20 > Herbert> * safe renegotiation is not supported, connection not prot= ected from > Herbert> impersonators >=20 > When did you rebuild emacs? 95becaaf3b went in last night. I just did another full build (git clean -xfd, ./autogen.sh, ./configure, etc.). Same result. % git status On branch master Your branch is up to date with 'origin/master'. % git log -1 commit 365dad197bac5deec9244fd9c189d23c46c99b31 (HEAD -> master, origin/master, origin/HEAD) --=20 Herbert