[gnutls-help] gnutls_dh_set_prime_bits question

Ted Zlatanov tzz at lifelogs.com
Mon Jul 1 23:50:56 CEST 2013

On Mon, 01 Jul 2013 22:45:17 +0200 Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote: 

NM> On 07/01/2013 02:31 PM, Ted Zlatanov wrote:
>> (I know the function is deprecated in a recent 3.x, but this is a
>> general behavior question.)
>> Emacs users are wondering about the negotiation behavior with the DH
>> minimum bits.  Currently Emacs uses `gnutls_dh_set_prime_bits' and the
>> users can set it very low, 256 for instance.  We understand that's
>> insecure,

NM> 256 bits means that it is a matter of minutes to recover the keys used
NM> in the session on a modern PC.

We understand it's insecure.  Our users have told us some servers won't
work without it.  We need to know if setting it to 256 means the client
and the server will negotiate a higher setting with DHE.  We also don't
want to spend a lot of effort making custom settings for this if it's
irrelevant for 3.x.

>> but want to know about the negotiation: can it go up?  Are
>> there any rules?  Some IMAP servers, for instance, refuse to connect if
>> it's over 256 (the full story is in an Emacs bug discussion).

NM> I don't quite understand what you mean about going up. However, the
NM> problem is in the DHE ciphersuites that do not allow the client to
NM> notify the server of its security threshold for the parameters.

I need to know, when the client sets this to 256, what actually happens
during the session:

- is there a negotiation?
- will the number be opportunistically adjusted up by either side?
- how can we detect a server that demands 256 and renegotiate only for
  those servers?

NM> You are better off using the ECDHE equivalents (in recent gnutls
NM> version they take precedence over DHE).

We've been considering requiring GnuTLS 3.x but due to the platforms we
support in Emacs, that's not a simple decision.  Can you explain the
above questions and how they are different with ECDHE?  We plan to move
to 3.x fairly soon in any case, but knowing this will make my life easier.

Will legacy servers (of which there are many, all critical to our users
apparently) work with ECDHE?  Or do they drop down to DHE?  If they drop
to DHE, do we still need the minimum prime bits?  Where do we set it in
3.x, since `gnutls_dh_set_prime_bits' is deprecated in 3.12, and I can't
find a priority string setting for it?

Basically I have to answer all these questions from Emacs and especially
Gnus users, so I'm trying to understand the protocols a little better.
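
Added example, not part of the original message and not GnuTLS code: because DHE gives the client no way to tell the server its threshold, the client can only look at the prime the server sends in ServerKeyExchange and accept or reject it. The C below parses a ServerDHParams body (three 2-byte-length-prefixed fields: p, g, Ys) and applies a minimum-bits check; the sample bytes are constructed (not a real prime) and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed ServerDHParams: 32-byte p (0x80 .. 0xFB), g = 2, 32-byte Ys. */
const uint8_t SAMPLE[71] = {0x00, 0x20, 0x80, [33] = 0xFB,
                            0x00, 0x01, 0x02, 0x00, 0x20, 0x01};

/* Read one TLS opaque<1..2^16-1> field; -1 if truncated or empty. */
static int read_field(const uint8_t *b, size_t len, size_t *off,
                      const uint8_t **out, size_t *out_len)
{
    if (len - *off < 2) return -1;
    size_t n = ((size_t)b[*off] << 8) | b[*off + 1];
    *off += 2;
    if (n == 0 || n > len - *off) return -1;
    *out = b + *off; *out_len = n; *off += n;
    return 0;
}

/* Bit length of dh_p in a ServerDHParams body, or -1 if malformed. */
int dh_prime_bits(const uint8_t *b, size_t len)
{
    const uint8_t *p, *g, *ys; size_t pl, gl, yl, off = 0;
    if (read_field(b, len, &off, &p, &pl) ||
        read_field(b, len, &off, &g, &gl) ||
        read_field(b, len, &off, &ys, &yl))
        return -1;
    while (pl > 0 && *p == 0) { p++; pl--; }  /* ignore leading zero bytes */
    if (pl == 0) return -1;
    int bits = (int)(pl * 8);
    for (uint8_t top = *p; !(top & 0x80); top <<= 1) bits--;
    return bits;
}

/* The client's only choice: 1 = accept, 0 = reject, -1 = malformed. */
int client_accepts(const uint8_t *b, size_t len, int min_bits)
{
    int bits = dh_prime_bits(b, len);
    return bits < 0 ? -1 : bits >= min_bits;
}

int main(void)
{
    printf("server prime: %d bits\n", dh_prime_bits(SAMPLE, sizeof SAMPLE));
    printf("min 256:  %d\n", client_accepts(SAMPLE, sizeof SAMPLE, 256));
    printf("min 1024: %d\n", client_accepts(SAMPLE, sizeof SAMPLE, 1024));
    return 0;
}
```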

