help-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Network Security Manager warns safe renegotiation is not supported

From: Amin Bandali
Subject: Re: Network Security Manager warns safe renegotiation is not supported
Date: Sun, 01 Sep 2019 12:37:10 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux) 
Yuji Nakao <contact@yujinakao.com> writes:

> Hi, I tried to connect to https://elpa.gnu.org in eww Emacs 27.0.50, but
> Network Security Manager warned `TLS connection to elpa.gnu.org:433 is
> insecure for the following reason: * safe renegotiation is not
> supported, connection not protected from impersonators`, and showed
> `Continue connecting?` multiple choice prompt whether to accept the
> certificate.
>
> I guess this is caused by recently merged nsm.el, and
> after some investigation, the warning disaapeared by setting
> (setq gnutls-algorithm-priority "NORMAL:-VERS-TLS1.3").
> Is this a right workaround for this issue?
>

I’m no security expert, but I don’t think that’s a good idea.  Setting
`gnutls-algorithm-priority' to that value basically tells GnuTLS to skip
TLS1.3 altogether, which is the latest version of the TLS protocol.

The issue seems to be that nsm.el checks for renegotiation_info[1] for
TLS1.3 connections as well; but if I understand correctly, renegotiation
was removed from TLS1.3, according to [2] and [3].  I *think* the proper
way to fix this would be have nsm *not* check for renegotiation-info-ext
for TlS1.3 connections.  Please don’t take my word for this as, again,
I’m no security/GnuTLS expert.  Hopefully others with more knowledge can
chime in to clarify.

Footnotes:
[1]  See C-h f nsm-protocol-check--renegotiation-info-ext RET

[2]  https://wiki.openssl.org/index.php/TLS1.3#Renegotiation

[3]  https://www.cloudflare.com/learning-resources/tls-1-3/
reply via email to
[Prev in Thread] Current Thread [Next in Thread]