[gnutls-devel] TLS connection improperly terminated
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Jul 28 23:04:27 CEST 2015
On Tue 2015-07-28 13:07:05 -0400, Rustom Mody wrote:
> gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
> has been lowered to 256 bits and this may allow decryption of the session data
In my testing of marmalade-repo.org's https server, i do not see a
256-bit finite-field DHE setup, i see a 1024-bit (FF)DHE setup:
0 dkg at alice:~$ gnutls-cli --priority NORMAL:-ECDHE-RSA --tofu marmalade-repo.org
Processed 163 CA certificate(s).
Resolving 'marmalade-repo.org'...
Connecting to '80.69.77.43:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `OU=Domain Control Validated,OU=PositiveSSL,CN=marmalade-repo.org', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-07-12 00:00:00 UTC', expires `2018-07-11 23:59:59 UTC', SHA-1 fingerprint `6e080a477d14631d2edf839de582ac04d4363d09'
Public Key ID:
aba6d76ab3d363fa190d654160236eefd32a46dc
Public key's random art:
+--[ RSA 2048]----+
| . +oo |
| . o . . |
| o o |
| . . o |
| . .S |
| o.E= |
| . o= o |
| O.== |
| .*=X+. |
+-----------------+
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
- Description: (TLS1.2)-(DHE-RSA-1024)-(AES-256-GCM)
- Session ID: 63:DA:A1:02:83:2A:E6:BC:E8:07:2C:7D:B3:30:00:E7:68:EA:33:6C:01:F6:6E:D0:35:27:7B:6D:1E:4E:FC:DA
- Ephemeral Diffie-Hellman parameters
- Using prime: 1024 bits
- Secret key: 319 bits
- Peer's public key: 1023 bits
GnuTLS's tighter limits are for (FF)DHE, not for ECDHE, and they do not
reject this 1024-bit group today. The issue is the transvalid cert
chain, as i mentioned in another e-mail.
For ECDHE, this server uses a 256-bit curve, but that is far stronger
than the (FF)DHE 1024-bit group, so it should not be an issue either.
--dkg
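As an added example (not part of dkg's message or of GnuTLS itself), the following Python script parses the handshake summary that gnutls-cli prints, as quoted above, and flags a finite-field DHE group that falls below a policy minimum. The strength figures come from NIST SP 800-57 Part 1 Table 2; the 2048-bit minimum is an assumed policy value, not a GnuTLS default, and the helper names are the example's own.

```python
import re

# Approximate security strength (bits) of key-exchange groups, from
# NIST SP 800-57 Part 1 Rev. 5, Table 2: (minimum group size, strength).
FFDH_STRENGTH = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]
ECDH_STRENGTH = [(160, 80), (224, 112), (256, 128), (384, 192), (512, 256)]

# Smallest FFDHE modulus this checker accepts (assumed policy value, not a GnuTLS setting).
MIN_FFDH_PRIME_BITS = 2048

# Handshake summary as printed by gnutls-cli, copied from the message above.
SAMPLE_OUTPUT = """\
- Description: (TLS1.2)-(DHE-RSA-1024)-(AES-256-GCM)
- Session ID: 63:DA:A1:02:83:2A:E6:BC:E8:07:2C:7D:B3:30:00:E7:68:EA:33:6C:01:F6:6E:D0:35:27:7B:6D:1E:4E:FC:DA
- Ephemeral Diffie-Hellman parameters
- Using prime: 1024 bits
- Secret key: 319 bits
- Peer's public key: 1023 bits
"""


def strength_from_table(size_bits, table):
    """Largest tabulated strength whose minimum group size is <= size_bits; 0 if below the table."""
    strength = 0
    for min_size, bits in table:
        if size_bits >= min_size:
            strength = bits
    return strength


def ffdh_strength(prime_bits):
    return strength_from_table(prime_bits, FFDH_STRENGTH)


def ecdh_strength(curve_bits):
    return strength_from_table(curve_bits, ECDH_STRENGTH)


def parse_gnutls_cli(output):
    """Extract the negotiated key exchange and DHE parameters from gnutls-cli's report."""
    info = {"version": None, "kx": None, "cipher": None,
            "prime_bits": None, "secret_bits": None, "peer_public_bits": None}
    m = re.search(r"^- Description: \(([^)]+)\)-\(([^)]+)\)-\(([^)]+)\)", output, re.M)
    if m:
        info["version"], info["kx"], info["cipher"] = m.groups()
    for key, label in (("prime_bits", "Using prime"),
                       ("secret_bits", "Secret key"),
                       ("peer_public_bits", "Peer's public key")):
        m = re.search(r"^- " + re.escape(label) + r": (\d+) bits", output, re.M)
        if m:
            info[key] = int(m.group(1))
    return info


def assess_dhe(info, min_prime_bits=MIN_FFDH_PRIME_BITS):
    """Return (strength_bits, findings) for a finite-field DHE handshake; (None, []) if not FFDHE."""
    kx, prime_bits, secret_bits = info["kx"], info["prime_bits"], info["secret_bits"]
    if not kx or not kx.startswith("DHE-") or prime_bits is None:
        return None, []
    strength = ffdh_strength(prime_bits)
    findings = []
    if prime_bits < min_prime_bits:
        findings.append("FFDHE prime is %d bits, below the %d-bit policy minimum (about %d-bit strength)"
                        % (prime_bits, min_prime_bits, strength))
    # The private exponent only needs roughly twice the group's strength (SP 800-56A);
    # a short exponent is normal and is not what makes a 1024-bit group weak.
    if secret_bits is not None and secret_bits < 2 * strength:
        findings.append("secret exponent of %d bits is shorter than 2x the group strength" % secret_bits)
    return strength, findings


if __name__ == "__main__":
    parsed = parse_gnutls_cli(SAMPLE_OUTPUT)
    strength, findings = assess_dhe(parsed)
    print(parsed["kx"], "->", strength, "bit strength")
    for f in findings:
        print("WARNING:", f)
    print("256-bit ECDHE curve ~", ecdh_strength(256), "bits; 1024-bit FFDHE ~", ffdh_strength(1024), "bits")
```

Run against the quoted session, the script reports the 1024-bit group at roughly 80-bit strength and flags it under the assumed 2048-bit minimum, while the 319-bit secret exponent passes: as the message says, the modulus size is the concern, and a 256-bit ECDHE curve (about 128-bit strength) is well ahead of it.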