On Tue, Jun 3, 2014 at 12:33 AM, Daniel Kahn Gillmor <[email protected]> wrote: > over on https://bugs.debian.org/750094, >> This warning is printed before any TLS negotiation happens, so it does not >> reflect the parameters that were actually negotiated. The wording should >> be changed in order to make it clear that the actual negotiated parameters >> might be different. > this can be replicated without the --starttls or -p 80, just with: > gnutls-cli --dh-bits 256 www.debian.org > the warning happens before the TLS handshake happens. > I'm forwarding this to the gnutls-devel mailing list. > It seems to me there could be two different kinds of warnings: > 0) a warning that the configuration has lowered the DH key exchange > strength and may cause weakness (what we're seeing here) -- Juliusz, can > you propose an alternate text for this warning? > 1) a warning in the _gnutls_audit_log when the dh bits is *actually* > lower than whatever cutoff we deem to be absurdly unacceptable.
I agree with your points. In fact the current warning was setup to cover (0). There could be another warning for (1), but gnutls-cli prints the size of the prime anyway if DHE is negotiated so I'm not sure how much another warning would help. > I worry a little bit about either warning, mainly because it seems to > imply that anything higher than 512 bits *won't* allow decryption of the > session data, which probably isn't the case for, say, a 513-bit group :P > Nikos, any thoughts on what makes sense to do here? I've put that warning once I saw people arguing in various fora to set dh-bits less than 256 bits in order to improve compatibility. Indeed 513 is not much more secure, and the warning could be changed to less than 700 or so. regards, Nikos -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

