[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min
From: |
Lars Ingebrigtsen |
Subject: |
bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough). |
Date: |
Mon, 10 Feb 2014 21:09:25 -0800 |
User-agent: |
Gnus/5.13001 (Ma Gnus v0.10) Emacs/24.3.50 (gnu/linux) |
Ted Zlatanov <tzz@lifelogs.com> writes:
> LI> But aren't there lots of (or some) servers that only supports DHE and
> LI> not ECDHE?
>
> There's no way to know until you connect, that's the heart of the
> problem. So IIUC you'd have to either be potentially insecure all the
> time (DHE enabled) or potentially fail connecting to some servers.
I thought TLS worked like this:
1) You connect to a server.
2) A server says what encryption methods it supports
3) You choose one, and start talking in that method.
So things like browsers have a pre-defined list of methods, in
descending order of what they consider "more safe", so that ECDHE is
used if available, etc.
> I think the latter is the better option as a default, as long as we make
> it clear (not in a *GnuTLS log* buffer but with `message' so it shows up
> in the echo region and in STDERR in batch mode) that
>
> * the connection was rejected because the remote requires a lower level
> of security
I've basically never ever seen Firefox say "you can't talk to this
server, because the TLS is too weak". Neither should Emacs.
(Emacs, being Emacs, might offer as an option a way to restrict all TLS
connections to a smaller set of algorithms/levels, but that should not
be the default.)
> * how to try allowing the less-secure connection (perhaps a simple
> command to automate this, or even a clickable button, would be nicer
> than asking the user to `customize-variable'). The original discussion
> sort of settled on magically reopening the connection with less security
> but I think that might be a disservice to the users.
We would always try to get the most secure TLS connection possible, so I
don't quite understand "reconnect"...
> * why it's smarter to ask the server admin to upgrade their TLS
> implementation
>
> Fitting all of that in a short readable message might be a challenge,
> hence the button suggestion, but that's not ideal either.
If the user has explicitly said "don't talk unless it has teh haxors
leet mode", then that's not necessary, I would have thought.
But I might be misunderstanding the problem completely. >"?
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog http://lars.ingebrigtsen.no/
- bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, Ted Zlatanov, 2014/02/09
- bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, Lars Ingebrigtsen, 2014/02/09
- bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough)., Ted Zlatanov, 2014/02/10
- bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).,
Lars Ingebrigtsen <=
- bug#16253: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough)., Nikos Mavrogiannopoulos, 2014/02/11
- bug#15057: bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough)., Ted Zlatanov, 2014/02/11
- bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough)., Roland Winkler, 2014/02/11
- bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough)., Ted Zlatanov, 2014/02/11
- bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough)., Lars Ingebrigtsen, 2014/02/11
- bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough), Ted Zlatanov, 2014/02/12
- bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough)., Lars Ingebrigtsen, 2014/02/11