From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: n.mavrogiannopoulos@gmail.com Newsgroups: gmane.emacs.bugs Subject: Re: bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). Date: Fri, 18 May 2012 04:38:01 -0700 (PDT) Organization: http://groups.google.com Message-ID: References: <874nsi12ng.fsf@niu.edu> <6mwr5d6l6e.fsf@fencepost.gnu.org> <20367.61741.640831.184941@gargle.gargle.HOWL> <20368.16452.379860.520133@gargle.gargle.HOWL> <87k4152t8j.fsf@lifelogs.com> <20375.1898.39520.582160@gargle.gargle.HOWL> NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 X-Trace: dough.gmane.org 1337341214 1308 80.91.229.3 (18 May 2012 11:40:14 GMT) X-Complaints-To: usenet@dough.gmane.org NNTP-Posting-Date: Fri, 18 May 2012 11:40:14 +0000 (UTC) To: bug-gnu-emacs@gnu.org Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Fri May 18 13:40:14 2012 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1SVLXZ-0002oU-T8 for geb-bug-gnu-emacs@m.gmane.org; Fri, 18 May 2012 13:40:14 +0200 Original-Received: from localhost ([::1]:40014 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1SVLXZ-0007Mb-7f for geb-bug-gnu-emacs@m.gmane.org; Fri, 18 May 2012 07:40:13 -0400 Original-Path: usenet.stanford.edu!postnews.google.com!glegroupsg2000goo.googlegroups.com!not-for-mail Original-Newsgroups: gnu.emacs.bug Original-Lines: 26 Original-NNTP-Posting-Host: 134.58.253.57 Original-X-Trace: posting.google.com 1337341082 11043 127.0.0.1 (18 May 2012 11:38:02 GMT) Original-X-Complaints-To: groups-abuse@google.com Original-NNTP-Posting-Date: Fri, 18 May 2012 11:38:02 +0000 (UTC) In-Reply-To: Complaints-To: groups-abuse@google.com Injection-Info: glegroupsg2000goo.googlegroups.com; posting-host=134.58.253.57; posting-account=OguIaAoAAAAW9GmLY-4uqQMGSN-v83pe User-Agent: G2/1.0 Original-Xref: usenet.stanford.edu gnu.emacs.bug:86620 X-BeenThere: bug-gnu-emacs@gnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.bugs:60174 Archived-At: On Tuesday, May 15, 2012 10:24:56 AM UTC+2, Ted Zlatanov wrote: > On Sun, 13 May 2012 21:04:24 +0200 Lars Magne Ingebrigtsen wrote: > > LMI> "Roland Winkler" writes: > >> Also, it would be good (though I don't know whether a generic answer > >> is possible) to give some guidance on "reasonable" values for > >> `gnutls-min-prime-bits' as compared to cases where it would be > >> better to contact the sysadmin of the server requesting a change in > >> the setup of the server. > > LMI> Yeah. And I think `gnutls-min-prime-bits' should default to whatever > LMI> that "reasonable" is, because there's apparently quite a few servers out > LMI> there that has less bits than whatever the GnuTLS default is. Which > LMI> isn't a very good user experience. > > I'm OK with lowering it to 256. Note that Diffie-Hellman group of 256-bits means that the communication can be decrypted by someone that stored the session. The default minimum accepted value in gnutls is already weak according to [0] (727 bits) but a good balance between security and compatibility. (other implementations like NSS have similar limits). If you need to support weaker servers you could warn your users of the consequences. [0]. http://www.keylength.com/en/3/ regards, Nikos