From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Lars Magne Ingebrigtsen Newsgroups: gmane.emacs.devel Subject: Tuning GnuTLS Date: Mon, 18 Jul 2011 05:23:16 +0200 Organization: Programmerer Ingebrigtsen Message-ID: NNTP-Posting-Host: lo.gmane.org Mime-Version: 1.0 Content-Type: text/plain X-Trace: dough.gmane.org 1310959442 4611 80.91.229.12 (18 Jul 2011 03:24:02 GMT) X-Complaints-To: usenet@dough.gmane.org NNTP-Posting-Date: Mon, 18 Jul 2011 03:24:02 +0000 (UTC) To: emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Mon Jul 18 05:23:58 2011 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([140.186.70.17]) by lo.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1QieR4-00079l-5G for ged-emacs-devel@m.gmane.org; Mon, 18 Jul 2011 05:23:58 +0200 Original-Received: from localhost ([::1]:49270 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QieR2-00032i-I6 for ged-emacs-devel@m.gmane.org; Sun, 17 Jul 2011 23:23:56 -0400 Original-Received: from eggs.gnu.org ([140.186.70.92]:49014) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QieQg-000322-33 for emacs-devel@gnu.org; Sun, 17 Jul 2011 23:23:36 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QieQd-0003qK-Dr for emacs-devel@gnu.org; Sun, 17 Jul 2011 23:23:33 -0400 Original-Received: from lo.gmane.org ([80.91.229.12]:57687) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QieQc-0003q3-UK for emacs-devel@gnu.org; Sun, 17 Jul 2011 23:23:31 -0400 Original-Received: from list by lo.gmane.org with local (Exim 4.69) (envelope-from ) id 1QieQa-00074S-HP for emacs-devel@gnu.org; Mon, 18 Jul 2011 05:23:28 +0200 Original-Received: from cm-84.215.51.58.getinternet.no ([84.215.51.58]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Mon, 18 Jul 2011 05:23:28 +0200 Original-Received: from larsi by cm-84.215.51.58.getinternet.no with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Mon, 18 Jul 2011 05:23:28 +0200 X-Injected-Via-Gmane: http://gmane.org/ Mail-Followup-To: emacs-devel@gnu.org Original-Lines: 26 Original-X-Complaints-To: usenet@dough.gmane.org X-Gmane-NNTP-Posting-Host: cm-84.215.51.58.getinternet.no Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwBAMAAAClLOS0AAAAD1BMVEXvWxDTOA/lTBGJGwz2 eRPj4oVuAAACe0lEQVQ4jT1UgbHrIAxTqAcIkAHAzQAhdACSeP+Zvkz/K3e9thbYlixA54oxxbly /y18Aa01xrLH+D/cOs7cW4pa7LuuzZ6L3wRevakCYgMMBALPffUJRJUBaE1B12u74q9GKlfLa6h/ LfhyICqaoUJ/UVXNiC2VZQPuNajOvpOCDXGflmew7EaAdZJ63AGFENht1eo5tIRJDSmJPWMzO3Qm x5j0K+IKe7At4zOBgvdkXtFWYX5ShudRqZPFEXAmFl7kPoZq0rLMeI4R5+paVLV5YpkCtujATsCF CrGnrxpNC5s4hTUoVYijNyeQQEn5WXeEynjdbPbP6JIWXaiRGJvQKA7EFAqBmioCU3VK24o9TeGA i/yGT2eMUPO5vU+5DhajNjEDu8EQchfLTW4miglROwEBSsiHDSoHn0pBCASK3Bo0d3t8mN4ftFQC mCXY7dPJrxW4BKmjDAe0foyS9i8V5SAnEJiLxNlLY0grj0Ss7JZTY1YGqxPXaUt8yIMqgJ4KZSj8 PAkmbOLSUsW5BIOktDWecHVF3IusVow/AjnmmWrsG76WPngqkPz7jc8+rJrdHh8PgeKz6RkH02bG hInwHIGCYFGaulyHn8AaxJA5wzO5Xh1h3XY8+ulJsPyfeH3njtpM7uc4etpfOoEVfjewNMoYrbwO ec6va8V1Rimx2rAl042We3Rnzhu1ctq73cnpUY7CP9O92N+0BjffdbAtY29Xaw4Qr2/53mXIGHa3 7g+BN1Dv5noZvT6GLG2dQBsqVmm3zbRKpJayxHmd55tAB1CWKqfJvMwOnDN9DtyAuw0CNf89Mt+7 wpm+6Jpl1v4Bsbe2aOz6t/EfGBic4bszcugAAAAASUVORK5CYII= Mail-Copies-To: never X-Now-Playing: David Sylvian's _Dead Bees on a Cake_: "The Shining of Things" User-Agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.50 (gnu/linux) Cancel-Lock: sha1:RxWvJv4XKedU5FE4ocp8yM5XX2M= X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) X-Received-From: 80.91.229.12 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:142083 Archived-At: We should strive to make TLS connections as painless as possible, and involving as little user intervention as possible, while preserving a reasonable level of security. So far, two failure points have been identified: 1) Some servers sends a prime with fewer bits than the accepted default. I think the right thing to do here is to just default `gnutls-min-prime-bits' to a lower number than the default GnuTLS number. I don't know what that number should be, but I think people who want better bits than that can adjust this number upwards. 2) Servers presenting broken, er, certificates with certain algorithms. If negotiation with DHE-RSA has failed, then negotiation without that algorithm should be attempted. But is it possible to fall back to plain-text? I don't really know how that works. But if that's possible, the fall-back should obviously stop before it gets that far. After a priority has been established, I then think that the priority for this specific server/port pair should be saved via Customize, so that the next connection can be done faster automatically, without the need for all this negotiation. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog http://lars.ingebrigtsen.no/