From: Stefan Kangas Date: Tue, 24 Oct 2023 15:28:51 +0000 (+0200) Subject: Make NSM warn if DH key exchange has less than 2048 bit primes X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=d2830c9f319d33f68fad4966ccf9d6b272233973;p=emacs.git Make NSM warn if DH key exchange has less than 2048 bit primes The previous default was to warn when servers supported only 1024 bit primes in Diffie-Hellman key exchanges. This highly conservative number was based on the observation that, in November 2018, no less than 12.7% of servers still only supported 1024 bit primes (less than 0.1% supported only 768 and 512 bits). Five years later, in October 2023, only 3.7 % of servers remain with only 1024 bit support. SSL Labs summarizes: "At this time, 2048 bits is the minimum expected strength." Therefore, it is reasonable to start warning users about this in Emacs 30.1, at which time even fewer servers with such poor capabilities will remain. Note that key exchanges based on 1024 bit prime number were considered broken for security purposes already in 2015 (see Logjam below). For more information: https://www.ssllabs.com/ssl-pulse/ https://en.wikipedia.org/wiki/Logjam_(computer_security) * lisp/net/nsm.el (nsm-protocol-check--dhe-prime-kx): Bump expected minimum number of prime bits to 2048. --- diff --git a/etc/NEWS b/etc/NEWS index 9268575c246..52fc02df36a 100644 --- a/etc/NEWS +++ b/etc/NEWS @@ -68,6 +68,11 @@ disclosed in 2016, and its small 112 bit key size. Emacs now warns about its use also when 'network-security-level' is set to 'medium' (the default). See 'network-security-protocol-checks'. +** The Network Security Manager now warns about <2048 bits in DH key exchange. +Emacs used to warn for Diffie-Hellman key exchanges with prime numbers +smaller than 1024 bits. Since more servers now support it, this +number has been bumped to 2048 bits. + ** Help *** 'describe-function' shows function inferred type when available. diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el index 478a2998830..274cca7123a 100644 --- a/lisp/net/nsm.el +++ b/lisp/net/nsm.el @@ -387,12 +387,11 @@ between the user and the server, to downgrade vulnerable TLS connections to insecure 512-bit export grade cryptography. The Logjam paper suggests using 1024-bit prime on the client to -mitigate some effects of this attack, and upgrade to 2048-bit as -soon as server configurations allow. According to SSLLabs' SSL -Pulse tracker, only about 75% of server support 2048-bit key -exchange in June 2018[2]. To provide a balance between -compatibility and security, this function only checks for a -minimum key strength of 1024-bit. +mitigate some effects of this attack, and upgrading to 2048-bit +as soon as server configurations allow. According to SSLLabs' +SSL Pulse tracker the overwhelming majority of servers support +2048-bit key exchange in October 2023[2]. This function +therefore checks for a minimum key strength of 2048 bits. See also: `nsm-protocol-check--dhe-kx' @@ -404,10 +403,10 @@ Diffie-Hellman Fails in Practice\", `https://weakdh.org/' `https://www.ssllabs.com/ssl-pulse/'" (let ((prime-bits (plist-get status :diffie-hellman-prime-bits))) (if (and (string-match "^\\bDHE\\b" (plist-get status :key-exchange)) - (< prime-bits 1024)) + (< prime-bits 2048)) (format-message "Diffie-Hellman key strength (%s bits) too weak (%s bits)" - prime-bits 1024)))) + prime-bits 2048)))) (defun nsm-protocol-check--dhe-kx (_host _port status &optional _settings) "Check for existence of DH key exchange based on integer factorization.