[gnutls-devel] Bug#750094: Misleading warning

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Jun 4 09:30:42 CEST 2014

On Tue, Jun 3, 2014 at 12:33 AM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> over on https://bugs.debian.org/750094,
>> This warning is printed before any TLS negotiation happens, so it does not
>> reflect the parameters that were actually negotiated.  The wording should
>> be changed in order to make it clear that the actual negotiated parameters
>> might be different.
> this can be replicated without the --starttls or -p 80, just with:
>  gnutls-cli --dh-bits 256 www.debian.org
> the warning happens before the TLS handshake happens.
> I'm forwarding this to the gnutls-devel mailing list.
> It seems to me there could be two different kinds of warnings:
>  0) a warning that the configuration has lowered the DH key exchange
> strength and may cause weakness (what we're seeing here) -- Juliusz, can
> you propose an alternate text for this warning?
>  1) a warning in the _gnutls_audit_log when the dh bits is *actually*
> lower than whatever cutoff we deem to be absurdly unacceptable.

I agree with your points. In fact the current warning was setup to
cover (0). There could be another warning for (1), but gnutls-cli
prints the size of the prime anyway if DHE is negotiated so I'm not
sure how much another warning would help.

> I worry a little bit about either warning, mainly because it seems to
> imply that anything higher than 512 bits *won't* allow decryption of the
> session data, which probably isn't the case for, say, a 513-bit group :P
> Nikos, any thoughts on what makes sense to do here?

I've put that warning once I saw people arguing in various fora to set
dh-bits less than 256 bits in order to improve compatibility. Indeed
513 is not much more secure, and the warning could be changed to less
than 700 or so.


More information about the Gnutls-devel mailing list