James Cloos
2014-06-21 11:44:37 UTC
I've been getting this message on my deb box for a few days now:
,----
| gnutls.c: [1] Note that the security level of the Diffie-Hellman key
| exchange has been lowered to 256 bits and this may allow decryption of
| the session data
`----
It occurs for both nntp starttls and imaps connectins.
That box runs sid and emacs24-nox, which uses libgnutls-deb0-28
(currently 3.2.15-2).
Using gnutls-cli directly, with either --tofu or --insecure to
connect to news.gmane.org (also with --starttls) results in:
,----
| - Description: (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
| - Session ID: E9:A4:91:94:AF:F0:B0:0E:EB:E1:55:BD:80:8F:A5:63:88:FC:38:96:3F:75:1E:63:2B:18:F4:F1:11:D6:98:E0
| - Version: TLS1.0
| - Key Exchange: RSA
| - Cipher: AES-128-CBC
| - MAC: SHA1
| - Compression: NULL
`----
and no error.
gnutls-cli -p imaps imap.gmail.com also works well, generating:
,----
| - Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
| - Session ID: 5A:B8:70:F0:43:3D:25:EF:9D:F2:2D:9A:73:5C:CB:6E:DE:45:01:0C:71:E3:D6:F6:B3:C0:B9:47:5A:E2:E4:A4
| - Ephemeral EC Diffie-Hellman parameters
| - Using curve: SECP256R1
| - Curve size: 256 bits
| - Version: TLS1.2
| - Key Exchange: ECDHE-RSA
| - Server Signature: RSA-SHA256
| - Cipher: AES-128-GCM
| - MAC: AEAD
| - Compression: NULL
`----
So I cannot see why gnus' usage triggers that warning from gnutls.
-JimC
--
-JimC
,----
| gnutls.c: [1] Note that the security level of the Diffie-Hellman key
| exchange has been lowered to 256 bits and this may allow decryption of
| the session data
`----
It occurs for both nntp starttls and imaps connectins.
That box runs sid and emacs24-nox, which uses libgnutls-deb0-28
(currently 3.2.15-2).
Using gnutls-cli directly, with either --tofu or --insecure to
connect to news.gmane.org (also with --starttls) results in:
,----
| - Description: (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
| - Session ID: E9:A4:91:94:AF:F0:B0:0E:EB:E1:55:BD:80:8F:A5:63:88:FC:38:96:3F:75:1E:63:2B:18:F4:F1:11:D6:98:E0
| - Version: TLS1.0
| - Key Exchange: RSA
| - Cipher: AES-128-CBC
| - MAC: SHA1
| - Compression: NULL
`----
and no error.
gnutls-cli -p imaps imap.gmail.com also works well, generating:
,----
| - Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
| - Session ID: 5A:B8:70:F0:43:3D:25:EF:9D:F2:2D:9A:73:5C:CB:6E:DE:45:01:0C:71:E3:D6:F6:B3:C0:B9:47:5A:E2:E4:A4
| - Ephemeral EC Diffie-Hellman parameters
| - Using curve: SECP256R1
| - Curve size: 256 bits
| - Version: TLS1.2
| - Key Exchange: ECDHE-RSA
| - Server Signature: RSA-SHA256
| - Cipher: AES-128-GCM
| - MAC: AEAD
| - Compression: NULL
`----
So I cannot see why gnus' usage triggers that warning from gnutls.
-JimC
--
-JimC
--
James Cloos <***@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
James Cloos <***@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6