Hi Daniel, nice to meet you. >> |<1>| Note that the security level of the Diffie-Hellman key exchange >> has been lowered to 256 bits and this may allow decryption of the >> session data
> 0) a warning that the configuration has lowered the DH key exchange > strength and may cause weakness (what we're seeing here) -- Juliusz, can > you propose an alternate text for this warning? Note that the current configuration of either gnutls or your client software allows Diffie-Hellman key exchange to succeed with as little as 256 bits, which is not enough to guarantee a reasonable level of security. Please reconfigure gnutls or your client software with a more reasonable value (at least 1024, preferably 2048 or more). Please tweak the values at will, I'm not a crypto specialist. > 1) a warning in the _gnutls_audit_log when the dh bits is *actually* > lower than whatever cutoff we deem to be absurdly unacceptable. Yes, that would be helpful. > I worry a little bit about either warning, mainly because it seems to > imply that anything higher than 512 bits *won't* allow decryption of the > session data, which probably isn't the case for, say, a 513-bit group :P Very true, hence the "at least 1024, prerefably 2048 or more" in the suggested message above. -- Juliusz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
