help-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Network Security Manager warns safe renegotiation is not supported


From: Robert Pluim
Subject: Re: Network Security Manager warns safe renegotiation is not supported
Date: Thu, 05 Sep 2019 11:38:41 +0200

>>>>> On Thu, 5 Sep 2019 09:53:08 +0200, "Herbert J. Skuhra" 
>>>>> <herbert@gojira.at> said:

    Herbert> On Thu, Sep 05, 2019 at 08:51:23AM +0200, Robert Pluim wrote:
    >> >>>>> On Sun, 01 Sep 2019 12:37:10 -0400, Amin Bandali <bandali@gnu.org> 
said:
    Amin> I’m no security expert, but I don’t think that’s a good idea.  Setting
    Amin> `gnutls-algorithm-priority' to that value basically tells GnuTLS to 
skip
    Amin> TLS1.3 altogether, which is the latest version of the TLS protocol.
    >> 
    Amin> The issue seems to be that nsm.el checks for renegotiation_info[1] for
    Amin> TLS1.3 connections as well; but if I understand correctly, 
renegotiation
    Amin> was removed from TLS1.3, according to [2] and [3].  I *think* the 
proper
    Amin> way to fix this would be have nsm *not* check for 
renegotiation-info-ext
    Amin> for TlS1.3 connections.  Please don’t take my word for this as, again,
    Amin> I’m no security/GnuTLS expert.  Hopefully others with more knowledge 
can
    Amin> chime in to clarify.
    >> 
    >> Correct. Fixed in emacs-master.

    Herbert> Hi,

    Herbert> I am still getting:

    Herbert> Certificate information
    Herbert>   Issued by:          Let's Encrypt Authority X3
    Herbert>   Issued to:          CN=elpa.gnu.org
    Herbert>   Hostname:           elpa.gnu.org
    Herbert>   Public key:         RSA, signature: RSA-SHA256
    Herbert>   Session:            TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, 
mac:
    Herbert> AEAD
    Herbert>   Security level:     Medium
    Herbert>   Valid:              From 2019-08-07 to 2019-11-05

    Herbert> The TLS connection to elpa.gnu.org:443 is insecure
    Herbert> for the following reason:

    Herbert> * safe renegotiation is not supported, connection not protected 
from
    Herbert> impersonators

When did you rebuild emacs? 95becaaf3b went in last night.

Robert



reply via email to

[Prev in Thread] Current Thread [Next in Thread]