Make NSM warn if DH key exchange has less than 2048 bit primes

The previous default was to warn when servers supported only 1024 bit
primes in Diffie-Hellman key exchanges.  This highly conservative
number was based on the observation that, in November 2018, no less
than 12.7% of servers still only supported 1024 bit primes (less than
0.1% supported only 768 and 512 bits).

Five years later, in October 2023, only 3.7 % of servers remain with
only 1024 bit support.  SSL Labs summarizes: "At this time, 2048 bits
is the minimum expected strength."  Therefore, it is reasonable to
start warning users about this in Emacs 30.1, at which time even fewer
servers with such poor capabilities will remain.

Note that key exchanges based on 1024 bit prime number were considered
broken for security purposes already in 2015 (see Logjam below).

For more information:
https://www.ssllabs.com/ssl-pulse/
https://en.wikipedia.org/wiki/Logjam_(computer_security)

* lisp/net/nsm.el (nsm-protocol-check--dhe-prime-kx): Bump expected
minimum number of prime bits to 2048.

diff --git a/etc/NEWS b/etc/NEWS
index 9268575c24636f4fba0920b367e12e189501648b..52fc02df36a8fb37051e81874d340ffab6480aef 100644 (file)
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -68,6 +68,11 @@ disclosed in 2016, and its small 112 bit key size.  Emacs now warns
 about its use also when 'network-security-level' is set to 'medium'
 (the default).  See 'network-security-protocol-checks'.
 
+** The Network Security Manager now warns about <2048 bits in DH key exchange.
+Emacs used to warn for Diffie-Hellman key exchanges with prime numbers
+smaller than 1024 bits.  Since more servers now support it, this
+number has been bumped to 2048 bits.
+
 ** Help
 
 *** 'describe-function' shows function inferred type when available.

diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index 478a2998830abae75f596f0dbd2df5d67d6a4139..274cca7123a8c219cd2d2a3050b7d7be5995e385 100644 (file)
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -387,12 +387,11 @@ between the user and the server, to downgrade vulnerable TLS
 connections to insecure 512-bit export grade cryptography.
 
 The Logjam paper suggests using 1024-bit prime on the client to
-mitigate some effects of this attack, and upgrade to 2048-bit as
-soon as server configurations allow.  According to SSLLabs' SSL
-Pulse tracker, only about 75% of server support 2048-bit key
-exchange in June 2018[2].  To provide a balance between
-compatibility and security, this function only checks for a
-minimum key strength of 1024-bit.
+mitigate some effects of this attack, and upgrading to 2048-bit
+as soon as server configurations allow.  According to SSLLabs'
+SSL Pulse tracker the overwhelming majority of servers support
+2048-bit key exchange in October 2023[2].  This function
+therefore checks for a minimum key strength of 2048 bits.
 
 See also: `nsm-protocol-check--dhe-kx'
 
@@ -404,10 +403,10 @@ Diffie-Hellman Fails in Practice\", `https://weakdh.org/'
 `https://www.ssllabs.com/ssl-pulse/'"
   (let ((prime-bits (plist-get status :diffie-hellman-prime-bits)))
     (if (and (string-match "^\\bDHE\\b" (plist-get status :key-exchange))
-             (< prime-bits 1024))
+             (< prime-bits 2048))
         (format-message
          "Diffie-Hellman key strength (%s bits) too weak (%s bits)"
-         prime-bits 1024))))
+         prime-bits 2048))))
 
 (defun nsm-protocol-check--dhe-kx (_host _port status &optional _settings)
   "Check for existence of DH key exchange based on integer factorization.