From: Amin Bandali
Newsgroups: gmane.emacs.help
Subject: Re: Network Security Manager warns safe renegotiation is not supported
Date: Sun, 01 Sep 2019 12:37:10 -0400
Message-ID: <875zmcdlc9.fsf@fencepost.gnu.org>
References: <87zhjoj4w3.fsf@yujinakao.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)
To: help-gnu-emacs@gnu.org
In-Reply-To: <87zhjoj4w3.fsf@yujinakao.com>

Yuji Nakao writes:

> Hi, I tried to connect to https://elpa.gnu.org in eww Emacs 27.0.50, but
> Network Security Manager warned `TLS connection to elpa.gnu.org:433 is
> insecure for the following reason: * safe renegotiation is not
> supported, connection not protected from impersonators`, and showed
> `Continue connecting?` multiple choice prompt whether to accept the
> certificate.
>
> I guess this is caused by recently merged nsm.el, and
> after some investigation, the warning disappeared by setting
> (setq gnutls-algorithm-priority "NORMAL:-VERS-TLS1.3").
> Is this a right workaround for this issue?
>

I’m no security expert, but I don’t think that’s a good idea. Setting
`gnutls-algorithm-priority' to that value basically tells GnuTLS to skip
TLS1.3 altogether, which is the latest version of the TLS protocol.

The issue seems to be that nsm.el checks for renegotiation_info[1] for
TLS1.3 connections as well; but if I understand correctly, renegotiation
was removed from TLS1.3, according to [2] and [3].

I *think* the proper way to fix this would be to have nsm *not* check for
renegotiation-info-ext for TLS1.3 connections. Please don’t take my word
for this as, again, I’m no security/GnuTLS expert. Hopefully others with
more knowledge can chime in to clarify.

Footnotes:
[1] See C-h f nsm-protocol-check--renegotiation-info-ext RET
[2] https://wiki.openssl.org/index.php/TLS1.3#Renegotiation
[3] https://www.cloudflare.com/learning-resources/tls-1-3/
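A constructed model of the two options the thread weighs, added here as an illustration (it is not code from Emacs, nsm.el or GnuTLS): what the `NORMAL:-VERS-TLS1.3` workaround does to the set of enabled protocol versions, versus a version-aware renegotiation check that simply does not apply to TLS 1.3. The peer-status dicts mimic the plist keys `:protocol` and `:safe-renegotiation` of Emacs' `gnutls-peer-status`, and the version set behind the GnuTLS `NORMAL` keyword is an assumption for a GnuTLS 3.6-era build; only VERS-* priority modifiers are parsed.

```python
import re

# Assumption: protocol versions the GnuTLS "NORMAL" keyword enables
# (GnuTLS 3.6.x; the exact set depends on the library build).
NORMAL_VERSIONS = ("TLS1.3", "TLS1.2", "TLS1.1", "TLS1.0")


def enabled_versions(priority):
    """Return the TLS versions left enabled by a NORMAL-based GnuTLS
    priority string, honouring only its VERS-* modifiers, e.g.
    "NORMAL:-VERS-TLS1.3" (the workaround from the thread)."""
    tokens = priority.split(":")
    if tokens[0] != "NORMAL":
        raise ValueError("only NORMAL-based priority strings are modelled")
    enabled = list(NORMAL_VERSIONS)
    for tok in tokens[1:]:
        m = re.fullmatch(r"([+-])VERS-(TLS-ALL|ALL|TLS1\.[0-3])", tok)
        if not m:
            continue  # cipher/MAC/KX modifiers are not relevant here
        sign, ver = m.groups()
        targets = list(NORMAL_VERSIONS) if ver in ("ALL", "TLS-ALL") else [ver]
        for t in targets:
            if sign == "-" and t in enabled:
                enabled.remove(t)
            elif sign == "+" and t not in enabled:
                enabled.append(t)
    return tuple(enabled)


def renegotiation_warning(status):
    """Version-aware variant of the check the reply proposes: TLS 1.3
    removed renegotiation (RFC 8446), so the renegotiation_info extension
    is only expected on TLS 1.2 and older.  `status` is a constructed
    dict modelled on the gnutls-peer-status plist.  Returns the NSM-style
    warning text, or None when the connection passes."""
    if status.get(":protocol") == "TLS1.3":
        return None  # no renegotiation in TLS 1.3, nothing to check
    if status.get(":safe-renegotiation"):
        return None  # RFC 5746 extension negotiated
    return ("safe renegotiation is not supported, "
            "connection not protected from impersonators")
```

The workaround removes TLS1.3 from the enabled set (so every connection falls back to TLS1.2 or older), whereas the version-aware check keeps TLS1.3 and still warns on a TLS1.2 peer that lacks the extension.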