emacs-diffs

master d2830c9f319: Make NSM warn if DH key exchange has less than 2048


From: Stefan Kangas
Subject: master d2830c9f319: Make NSM warn if DH key exchange has less than 2048 bit primes
Date: Tue, 24 Oct 2023 11:29:09 -0400 (EDT)

branch: master
commit d2830c9f319d33f68fad4966ccf9d6b272233973
Author: Stefan Kangas <stefankangas@gmail.com>
Commit: Stefan Kangas <stefankangas@gmail.com>

    Make NSM warn if DH key exchange has less than 2048 bit primes
    
    The previous default was to warn when servers supported only 1024 bit
    primes in Diffie-Hellman key exchanges.  This highly conservative
    number was based on the observation that, in November 2018, no less
    than 12.7% of servers still only supported 1024 bit primes (less than
    0.1% supported only 768 and 512 bits).
    
    Five years later, in October 2023, only 3.7 % of servers remain with
    only 1024 bit support.  SSL Labs summarizes: "At this time, 2048 bits
    is the minimum expected strength."  Therefore, it is reasonable to
    start warning users about this in Emacs 30.1, at which time even fewer
    servers with such poor capabilities will remain.
    
    Note that key exchanges based on 1024 bit prime numbers were considered
    broken for security purposes already in 2015 (see Logjam below).
    
    For more information:
    https://www.ssllabs.com/ssl-pulse/
    https://en.wikipedia.org/wiki/Logjam_(computer_security)
    
    * lisp/net/nsm.el (nsm-protocol-check--dhe-prime-kx): Bump expected
    minimum number of prime bits to 2048.
---
 etc/NEWS        |  5 +++++
 lisp/net/nsm.el | 15 +++++++--------
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/etc/NEWS b/etc/NEWS
index 9268575c246..52fc02df36a 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -68,6 +68,11 @@ disclosed in 2016, and its small 112 bit key size.  Emacs 
now warns
 about its use also when 'network-security-level' is set to 'medium'
 (the default).  See 'network-security-protocol-checks'.
 
+** The Network Security Manager now warns about <2048 bits in DH key exchange.
+Emacs used to warn for Diffie-Hellman key exchanges with prime numbers
+smaller than 1024 bits.  Since more servers now support it, this
+number has been bumped to 2048 bits.
+
 ** Help
 
 *** 'describe-function' shows function inferred type when available.
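
Review bot: in the added NEWS entry, "Since more servers now support it" has no clear antecedent, since the only size named before it is the old 1024-bit limit. Say what is supported, e.g. "Since most servers now support 2048-bit primes". The entry just above ends with "See 'network-security-protocol-checks'."; the same pointer here would tell readers which setting governs the new warning.
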
diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index 478a2998830..274cca7123a 100644
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -387,12 +387,11 @@ between the user and the server, to downgrade vulnerable 
TLS
 connections to insecure 512-bit export grade cryptography.
 
 The Logjam paper suggests using 1024-bit prime on the client to
-mitigate some effects of this attack, and upgrade to 2048-bit as
-soon as server configurations allow.  According to SSLLabs' SSL
-Pulse tracker, only about 75% of server support 2048-bit key
-exchange in June 2018[2].  To provide a balance between
-compatibility and security, this function only checks for a
-minimum key strength of 1024-bit.
+mitigate some effects of this attack, and upgrading to 2048-bit
+as soon as server configurations allow.  According to SSLLabs'
+SSL Pulse tracker the overwhelming majority of servers support
+2048-bit key exchange in October 2023[2].  This function
+therefore checks for a minimum key strength of 2048 bits.
 
 See also: `nsm-protocol-check--dhe-kx'
 
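Review bot: the rewritten docstring sentence "the overwhelming majority of servers support 2048-bit key exchange in October 2023[2]" replaces a concrete figure (about 75% in June 2018) with an unquantified claim. The commit message already has the number (only 3.7 % of servers remain with only 1024 bit support), so quoting it here would keep the [2] reference backing something checkable. A comma is also missing after "SSL Pulse tracker".
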
@@ -404,10 +403,10 @@ Diffie-Hellman Fails in Practice\", `https://weakdh.org/'
 `https://www.ssllabs.com/ssl-pulse/'"
   (let ((prime-bits (plist-get status :diffie-hellman-prime-bits)))
     (if (and (string-match "^\\bDHE\\b" (plist-get status :key-exchange))
-             (< prime-bits 1024))
+             (< prime-bits 2048))
         (format-message
          "Diffie-Hellman key strength (%s bits) too weak (%s bits)"
-         prime-bits 1024))))
+         prime-bits 2048))))
 
 (defun nsm-protocol-check--dhe-kx (_host _port status &optional _settings)
   "Check for existence of DH key exchange based on integer factorization.
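
Review bot: the new minimum is written twice in this hunk, once in `(< prime-bits 2048)` and once as the second argument to `format-message`, so the next bump can change the comparison and leave the message stale. Binding it once in the existing `let` (or a defconst) and using that name in both places avoids that. While this line is being touched, the message "too weak (%s bits)" does not say that the second number is the required minimum; "too weak (minimum %s bits)" would read unambiguously when a user sees 1024 next to 2048.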


