[gnutls-help] gnutls_dh_set_prime_bits question

[Nikos Mavrogiannopoulos]

On 07/01/2013 11:50 PM, Ted Zlatanov wrote:

> NM> 256 bits, means that it is a matter of minutes to recover the keys used
> NM> in the session in a modern PC.
> We understand it's insecure.  Our users have told us some servers won't
> work without it.  We need to know if setting it to 256 means the client
> and the server will negotiate a higher setting with DHE.  We also don't
> want to spend a lot of effort making custom settings for this if it's
> irrelevant for 3.x.

The set_prime_bits sets the lowest acceptable threshold for a DHE prime.
That is the actual security level. That unfortunately it is not
negotiated in TLS, and thus the client can only drop the connection if
the server goes lower than that threshold. A way to overcome that issue
is instead of lowering the threshold, to retry a connection without DHE
as Daniel mentioned.

> - how can we detect a server that demands 256 and renegotiate only for
>   those servers?

You cannot. The way TLS is designed, you only get an error at the handshake.

> We've been considering requiring GnuTLS 3.x but due to the platforms we
> support in Emacs, that's not a simple decision.  Can you explain the
> above questions and how they are different with ECDHE?  We plan to move
> to 3.x fairly soon in any case, but knowing this will make my life easier.

In ECDHE the curve (which is effectively the security level) is
negotiated and thus has not the problems of DHE.

> Will legacy servers (of which there are many, all critical to our users
> apparently) work with ECDHE? 

Unfortunately, I cannot know that. If they are very old servers most
probably wouldn't support elliptic curves.

regards,
Nikos