Re: A couple of questions and concerns about Emacs network security
From: Jimmy Yuen Ho Wong
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Mon, 9 Jul 2018 18:38:14 +0100
On Mon, Jul 9, 2018 at 6:36 PM Jimmy Yuen Ho Wong <address@hidden> wrote:
>
> On Mon, Jul 9, 2018 at 5:58 PM Eli Zaretskii <address@hidden> wrote:
> >
> > > From: Jimmy Yuen Ho Wong <address@hidden>
> > > Date: Sun, 8 Jul 2018 20:22:54 +0100
> > > Cc: Lars Ingebrigtsen <address@hidden>, Emacs-Devel devel <address@hidden>
> > > > Problem is, I cannot find this number in the GnuTLS documentation,
> > > > either. Maybe I'm blind; but if not, it means our users have no
> > > > reasonable way of knowing how many bits they are using, and that is
> > > > not good, IMO.
> > >
> > > It's not in the documentation, it's in the src/gnutls.c line
> > > 1834-1835. It's also in the docstring of `gnutls-min-prime-bits`.
> >
> > Are you talking about the master branch of the Emacs repository? If
> > so, I must be blind, because I don't see 1008 anywhere around those
> > places.
> >
>
> No, I was merely talking about what (setq gnutls-algorithm-priority nil) means.
>
> https://github.com/emacs-mirror/emacs/blob/master/src/gnutls.c#L1835
>
> The default is here:
>
> https://github.com/emacs-mirror/emacs/blob/master/src/gnutls.c#L1606
>
Ahhh the lines moved:
This is what (setq gnutls-min-prime-bits nil) means:
https://github.com/emacs-mirror/emacs/blob/master/src/gnutls.c#L1854
> > > > > Users aren't supposed to care about that variable, anyway, since the
> > > > > NSM warns about less than 1024 bits...
> > > >
> > > > Yes, but what if GnuTLS bumps the default to more than that? And even
> > > > if not, I think I might like to know how far below 1024 I'm going to
> > > > be if I allow the connection.
> > >
> > > See my other email for a way out of this. Once you've caught
> > > GNUTLS_E_DH_PRIME_UNACCEPTABLE, you can still call
> > > gnutls_dh_get_prime_bits to get the prime bits the server sends back
> > > out. I think this is already done, we just need to catch
> > > GNUTLS_E_DH_PRIME_UNACCEPTABLE so gnutls_verify_boot doesn't
> > > immediately return.
> >
> > That's a separate issue, regarding your argument with Lars whether to
> > let NSM handle the too low bits or leave it to GnuTLS. The issue I
> > raised was how can users know what is the GnuTLS default. Because the
> > doc string of gnutls-min-prime-bits says:
> >
> > (defcustom gnutls-min-prime-bits 256
> > ;; Several mail servers send fewer bits than the GnuTLS default.
> > ;; Currently, 256 appears to be a reasonable choice (Bug#11267).
> > "Minimum number of prime bits accepted by GnuTLS for key exchange.
> > During a Diffie-Hellman handshake, if the server sends a prime
> > number with fewer than this number of bits, the handshake is
> > rejected. \(The smaller the prime number, the less secure the
> > key exchange is against man-in-the-middle attacks.)
> >
> > A value of nil says to use the default GnuTLS value."
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > Which of course immediately begs the question "what is my GnuTLS's
> > default value?"
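The thread asks how a user can tell how many Diffie-Hellman prime bits a connection actually negotiated, and how that relates to `gnutls-min-prime-bits` (whose nil value defers to GnuTLS's own default). The following is an added example, not code from the thread, from nsm.el or from src/gnutls.c. It assumes only documented Emacs behaviour: `gnutls-peer-status` returns a plist with a `:diffie-hellman-prime-bits` entry for DH key exchanges, and NSM warns below 1024 bits as stated above. The `my/` function names and the sample plists are constructed for illustration.

```elisp
;; Added example: report the negotiated DH prime size of a TLS connection
;; and compare it with the minimum Emacs asked GnuTLS to enforce.
(require 'gnutls)

(defun my/dh-prime-bits-report (status)
  "Describe the DH prime bits in STATUS, a `gnutls-peer-status' plist.
Return a plist with :bits, :minimum and :verdict.  The minimum is
`gnutls-min-prime-bits'; when it is nil, Emacs does not ask GnuTLS for
a specific minimum and GnuTLS's own (version-dependent) default applies,
which is reported here as the symbol `gnutls-default'."
  (let* ((bits (plist-get status :diffie-hellman-prime-bits))
         (minimum (or gnutls-min-prime-bits 'gnutls-default))
         (verdict
          (cond ((null bits) 'no-dh-key-exchange)   ; e.g. RSA or ECDHE kx
                ((< bits 1024) 'below-nsm-threshold) ; NSM warns under 1024
                (t 'ok))))
    (list :bits bits :minimum minimum :verdict verdict)))

(defun my/dh-prime-bits-for-process (process)
  "Report DH prime bits for a live TLS PROCESS (e.g. from `open-network-stream')."
  (my/dh-prime-bits-report (gnutls-peer-status process)))

;; Constructed sample plists standing in for a real `gnutls-peer-status'.
(my/dh-prime-bits-report '(:key-exchange "DHE-RSA" :diffie-hellman-prime-bits 1008))
(my/dh-prime-bits-report '(:key-exchange "ECDHE-RSA"))
```

Calling `my/dh-prime-bits-for-process` on an established TLS process answers the "how far below 1024 am I" question directly from the connection rather than from the GnuTLS documentation; the `:minimum` entry makes explicit that a nil `gnutls-min-prime-bits` means the bound is whatever the linked GnuTLS chooses.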