[gnutls-devel] Bug#750094: Misleading warning
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Jun 3 00:33:40 CEST 2014
over on https://bugs.debian.org/750094,
On 06/01/2014 10:01 AM, Juliusz Chroboczek wrote:
> Package: gnutls-bin
> Version: 3.2.14-1
>
> Try the following:
>
> gnutls-cli --dh-bits 256 --starttls -p 80 www.debian.org
>
> It prints the following warning:
>
> |<1>| Note that the security level of the Diffie-Hellman key exchange
> has been lowered to 256 bits and this may allow decryption of the
> session data
>
> This warning is printed before any TLS negotiation happens, so it does not
> reflect the parameters that were actually negotiated. The wording should
> be changed in order to make it clear that the actual negotiated parameters
> might be different.

this can be replicated without the --starttls or -p 80, just with:

    gnutls-cli --dh-bits 256 www.debian.org

the warning happens before the TLS handshake happens.

I'm forwarding this to the gnutls-devel mailing list.

It seems to me there could be two different kinds of warnings:

 0) a warning that the configuration has lowered the DH key exchange
    strength and may cause weakness (what we're seeing here) -- Juliusz, can
    you propose an alternate text for this warning?

 1) a warning in the _gnutls_audit_log when the dh bits is *actually*
    lower than whatever cutoff we deem to be absurdly unacceptable.

I worry a little bit about either warning, mainly because it seems to
imply that anything higher than 512 bits *won't* allow decryption of the
session data, which probably isn't the case for, say, a 513-bit group :P

Nikos, any thoughts on what makes sense to do here?

	--dkg
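
One way to tell the two conditions in this thread apart (an added example, not part of the original message and not GnuTLS code): the shell function below reads gnutls-cli output and reports the DH prime size that was actually negotiated, separately from whether the pre-handshake note appeared. The "Using prime:" line format and the sample outputs are assumptions constructed for illustration; the cutoff is whatever the caller passes as MIN_BITS.

```shell
#!/bin/sh
# Added example. Classifies gnutls-cli output by what was actually negotiated.
# Usage: gnutls-cli ... </dev/null 2>&1 | dh_audit MIN_BITS
# Prints "no-dhe", "ok BITS" or "weak BITS", followed by " (config-lowered)"
# when the pre-handshake --dh-bits note was also present in the output.
dh_audit() {
    awk -v min="$1" '
        # The note quoted in the bug report: a statement about configuration.
        /security level of the Diffie-Hellman key exchange/ { lowered = 1 }
        # Assumed post-handshake line format: " - Using prime: 2048 bits"
        /Using prime:/ {
            for (i = 1; i < NF; i++)
                if ($i == "prime:") bits = $(i + 1) + 0
        }
        END {
            if (bits == 0)       verdict = "no-dhe"
            else if (bits < min) verdict = "weak " bits
            else                 verdict = "ok " bits
            if (lowered) verdict = verdict " (config-lowered)"
            print verdict
        }'
}

# Constructed sample: note printed, yet the negotiated group is 2048 bits.
sample_lowered_but_strong() {
    cat <<'EOF'
|<1>| Note that the security level of the Diffie-Hellman key exchange has been lowered to 256 bits and this may allow decryption of the session data
- Ephemeral Diffie-Hellman parameters
 - Using prime: 2048 bits
EOF
}

# Constructed sample: note printed, but an EC key exchange was negotiated.
sample_lowered_no_dhe() {
    cat <<'EOF'
|<1>| Note that the security level of the Diffie-Hellman key exchange has been lowered to 256 bits and this may allow decryption of the session data
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
EOF
}

# Constructed sample: no note, but the negotiated prime is only 512 bits.
sample_weak() {
    cat <<'EOF'
- Ephemeral Diffie-Hellman parameters
 - Using prime: 512 bits
EOF
}
```

The first two samples show the case from the bug report, where the note appears although the negotiated parameters are not the lowered ones; the third shows a weak group with no note at all.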