From: "Roland Winkler"
Newsgroups: gmane.emacs.bugs
Subject: bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
Date: Tue, 11 Feb 2014 16:49:06 -0600
Message-ID: <21242.43234.861627.965636@gargle.gargle.HOWL>
In-Reply-To: <87mwhx686x.fsf@lifelogs.com>
To: Ted Zlatanov
Cc: Nikos Mavrogiannopoulos, 15057@debbugs.gnu.org, 16253@debbugs.gnu.org, 11267@debbugs.gnu.org, Tassilo Horn, Lars Ingebrigtsen
X-Mailer: VM 8.2 trial under 24.3.1 (x86_64-unknown-linux-gnu)
Xref: news.gmane.org gmane.emacs.bugs:85414

On Tue Feb 11 2014 Ted Zlatanov wrote:

> So my proposal is simply to provide two buttons "allow host X to
> connect with lower DHE security [temporarily] [permanently]" and
> when the button is clicked, customize `gnutls-algorithm-priority'
> to allow DHE to that specific host.
>
> `gnutls-negotiate' has to be changed slightly and the connection
> rejection from insecure hosts will need to be handled in gnutls.c
> and gnutls.el.
>
> I think that's as seamless as we can make it, especially noting
> that `gnutls-min-prime-bits' is deprecated since GnuTLS 3.1.7 (see
> http://www.gnutls.org/manual/gnutls.html#index-gnutls_005fdh_005fset_005fprime_005fbits).
>
> If we provide that simple UI, plus some help messaging, I think we
> can disable DHE by default. Based on Nikos' explanation, it seems
> to be the best way forward.

Whatever customizability will be provided (permanently or temporarily
on the fly), I'd find it most important to have documentation that
allows the user to put the choices into perspective. -- Is this
feasible? Certainly, we cannot expect that the average user who is
offered a pop-up menu with choices "allow host X to connect with lower
DHE security [temporarily] [permanently]" can readily understand its
implications and put it into perspective.

(DHE security lower than what? Lower by how much? How insecure is that?)

(According to Murphy's law, this selection will probably pop up most
often when the user is not in the mood to read long info pages...)

Roland
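The per-host "allow DHE [temporarily] [permanently]" mechanism Ted proposes above, sketched as an added example that is not code from gnutls.el or from this thread. It assumes Emacs 24.3-era gnutls.el, where `open-gnutls-stream' negotiates with `gnutls-algorithm-priority' when no explicit priority string is passed; all `my-' names and the host imap.example.org are hypothetical.

```elisp
;; Added example, not gnutls.el code.  Assumes Emacs 24.3-era gnutls.el,
;; where `open-gnutls-stream' uses `gnutls-algorithm-priority' as the
;; GnuTLS priority string.  All `my-' names are hypothetical.
(require 'gnutls)

(defvar my-gnutls-dhe-hosts nil
  "Hosts allowed to use DHE for this Emacs session only (\"temporarily\").")

(defcustom my-gnutls-dhe-hosts-permanent nil
  "Hosts allowed to use DHE across sessions (\"permanently\").
Written to the user's custom file by `my-gnutls-allow-dhe'."
  :type '(repeat string)
  :group 'gnutls)

(defun my-gnutls-priority-for-host (host)
  "Return the GnuTLS priority string to use when connecting to HOST.
DHE key exchange is removed unless HOST was explicitly allowed, so a
server that only offers DHE fails for lack of a common cipher suite
rather than at the prime-size check after the handshake has started."
  (if (or (member host my-gnutls-dhe-hosts)
          (member host my-gnutls-dhe-hosts-permanent))
      "NORMAL"                        ; GnuTLS default set, DHE included
    "NORMAL:-DHE-RSA:-DHE-DSS"))      ; keep ECDHE and RSA, drop DHE

(defun my-gnutls-allow-dhe (host &optional permanent)
  "Allow DHE when connecting to HOST.
With PERMANENT non-nil, save the choice with `customize-save-variable';
otherwise it lasts until Emacs exits.  This is what the proposed
[temporarily] / [permanently] buttons would call."
  (interactive (list (read-string "Allow DHE for host: ")
                     (y-or-n-p "Permanently? ")))
  (if permanent
      (unless (member host my-gnutls-dhe-hosts-permanent)
        (customize-save-variable 'my-gnutls-dhe-hosts-permanent
                                 (cons host my-gnutls-dhe-hosts-permanent)))
    (add-to-list 'my-gnutls-dhe-hosts host))
  (message "DHE allowed for %s (%s)" host
           (if permanent "permanently" "this session")))

(defun my-open-tls-stream (name buffer host service)
  "Like `open-gnutls-stream', but with the per-host DHE policy applied.
`gnutls-algorithm-priority' is let-bound for this one negotiation, so
the global setting stays untouched."
  (let ((gnutls-algorithm-priority (my-gnutls-priority-for-host host)))
    (open-gnutls-stream name buffer host service)))

;; Usage (constructed host): (my-gnutls-allow-dhe "imap.example.org")
;;                           (my-open-tls-stream "imap" nil "imap.example.org" 993)
```

A host not on either list gets the DHE-less priority string, which is the "disable DHE by default" half of the proposal; the documentation Roland asks for would belong in the docstring and the prompt of `my-gnutls-allow-dhe'.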