Re: Network Security Manager warns safe renegotiation is not supported
From: Herbert J. Skuhra
Subject: Re: Network Security Manager warns safe renegotiation is not supported
Date: Thu, 5 Sep 2019 12:02:58 +0200
User-agent: Mutt/1.12.1 (2019-06-15)

On Thu, Sep 05, 2019 at 11:38:41AM +0200, Robert Pluim wrote:
> >>>>> On Thu, 5 Sep 2019 09:53:08 +0200, "Herbert J. Skuhra"
> >>>>> <herbert@gojira.at> said:
>
> Herbert> On Thu, Sep 05, 2019 at 08:51:23AM +0200, Robert Pluim wrote:
> >> >>>>> On Sun, 01 Sep 2019 12:37:10 -0400, Amin Bandali <bandali@gnu.org> said:
> Amin> I’m no security expert, but I don’t think that’s a good idea. Setting
> Amin> `gnutls-algorithm-priority' to that value basically tells GnuTLS to skip
> Amin> TLS1.3 altogether, which is the latest version of the TLS protocol.
> >>
> Amin> The issue seems to be that nsm.el checks for renegotiation_info[1] for
> Amin> TLS1.3 connections as well; but if I understand correctly, renegotiation
> Amin> was removed from TLS1.3, according to [2] and [3]. I *think* the proper
> Amin> way to fix this would be to have nsm *not* check for renegotiation-info-ext
> Amin> for TLS1.3 connections. Please don’t take my word for this as, again,
> Amin> I’m no security/GnuTLS expert. Hopefully others with more knowledge can
> Amin> chime in to clarify.
> >>
> >> Correct. Fixed in emacs-master.
>
> Herbert> Hi,
>
> Herbert> I am still getting:
>
> Herbert> Certificate information
> Herbert> Issued by: Let's Encrypt Authority X3
> Herbert> Issued to: CN=elpa.gnu.org
> Herbert> Hostname: elpa.gnu.org
> Herbert> Public key: RSA, signature: RSA-SHA256
> Herbert> Session: TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, mac: AEAD
> Herbert> Security level: Medium
> Herbert> Valid: From 2019-08-07 to 2019-11-05
>
> Herbert> The TLS connection to elpa.gnu.org:443 is insecure
> Herbert> for the following reason:
>
> Herbert> * safe renegotiation is not supported, connection not protected from
> Herbert> impersonators
>
> When did you rebuild emacs? 95becaaf3b went in last night.

I just did another full build (git clean -xfd, ./autogen.sh, ./configure,
etc.). Same result.

% git status
On branch master
Your branch is up to date with 'origin/master'.
% git log -1
commit 365dad197bac5deec9244fd9c189d23c46c99b31 (HEAD -> master, origin/master, origin/HEAD)

--
Herbert
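
The check discussed in the quoted text above, as an added example that is not part of this thread and not code from nsm.el or from commit 95becaaf3b: the renegotiation warning is skipped for TLS1.3 sessions, where renegotiation no longer exists. The `example-` names are hypothetical, the sample plists are constructed, and the `:protocol` and `:safe-renegotiation` keys are assumed to be what the peer status reports.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; not taken from nsm.el.  All names are hypothetical.
;; Assumption: STATUS is a plist with :protocol (a string such as "TLS1.3")
;; and :safe-renegotiation (non-nil when the peer sent renegotiation_info).

(defconst example-renegotiation-message
  "safe renegotiation is not supported, connection not protected from impersonators")

(defun example-tls13-or-later-p (protocol)
  "Return non-nil if PROTOCOL names TLS 1.3 or a later TLS version."
  (and (stringp protocol)
       (string-match "\\`TLS\\([0-9]+\\(?:\\.[0-9]+\\)*\\)\\'" protocol)
       (not (version< (match-string 1 protocol) "1.3"))))

(defun example-renegotiation-warning (status)
  "Return the renegotiation warning for STATUS, or nil if none applies."
  (cond
   ;; Renegotiation was removed in TLS 1.3, so the extension is not
   ;; negotiated there and its absence says nothing about the session.
   ((example-tls13-or-later-p (plist-get status :protocol)) nil)
   ;; Key missing entirely (for instance a build that does not report
   ;; it): this example treats that as unknown and stays silent.
   ((not (plist-member status :safe-renegotiation)) nil)
   ;; Extension present: nothing to warn about.
   ((plist-get status :safe-renegotiation) nil)
   ;; TLS 1.2 or older (or an unrecognised protocol string) without it.
   (t example-renegotiation-message)))

;; Constructed peer statuses, not captured from real connections.
(defconst example-statuses
  '(("TLS1.3, flag unset"   (:protocol "TLS1.3" :safe-renegotiation nil))
    ("TLS1.2, flag unset"   (:protocol "TLS1.2" :safe-renegotiation nil))
    ("TLS1.2, flag set"     (:protocol "TLS1.2" :safe-renegotiation t))
    ("TLS1.2, key missing"  (:protocol "TLS1.2"))
    ("protocol missing"     (:safe-renegotiation nil))))

;; Print the decision for each constructed status.
(dolist (entry example-statuses)
  (message "%-22s => %s"
           (car entry)
           (or (example-renegotiation-warning (cadr entry)) "no warning")))
```

Save the block to a file and run it with `emacs --batch -l FILE`, or evaluate it in a scratch buffer; the decisions appear in the messages output.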