help-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Network Security Manager warns safe renegotiation is not supported

From: Herbert J. Skuhra
Subject: Re: Network Security Manager warns safe renegotiation is not supported
Date: Thu, 5 Sep 2019 09:53:08 +0200
User-agent: Mutt/1.12.1 (2019-06-15) 
On Thu, Sep 05, 2019 at 08:51:23AM +0200, Robert Pluim wrote:
> >>>>> On Sun, 01 Sep 2019 12:37:10 -0400, Amin Bandali <bandali@gnu.org> said:
>     Amin> I’m no security expert, but I don’t think that’s a good idea.  
> Setting
>     Amin> `gnutls-algorithm-priority' to that value basically tells GnuTLS to 
> skip
>     Amin> TLS1.3 altogether, which is the latest version of the TLS protocol.
> 
>     Amin> The issue seems to be that nsm.el checks for renegotiation_info[1] 
> for
>     Amin> TLS1.3 connections as well; but if I understand correctly, 
> renegotiation
>     Amin> was removed from TLS1.3, according to [2] and [3].  I *think* the 
> proper
>     Amin> way to fix this would be have nsm *not* check for 
> renegotiation-info-ext
>     Amin> for TlS1.3 connections.  Please don’t take my word for this as, 
> again,
>     Amin> I’m no security/GnuTLS expert.  Hopefully others with more 
> knowledge can
>     Amin> chime in to clarify.
> 
> Correct. Fixed in emacs-master.

Hi,

I am still getting:

Certificate information
  Issued by:          Let's Encrypt Authority X3
  Issued to:          CN=elpa.gnu.org
  Hostname:           elpa.gnu.org
  Public key:         RSA, signature: RSA-SHA256
  Session:            TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, mac:
AEAD
  Security level:     Medium
  Valid:              From 2019-08-07 to 2019-11-05

The TLS connection to elpa.gnu.org:443 is insecure
for the following reason:

* safe renegotiation is not supported, connection not protected from
impersonators

-- 
Herbert
reply via email to
[Prev in Thread] Current Thread [Next in Thread]