[sr #107623] Priority string "SECURITY256" seemingly no longer supports DSA keys

Sun Mar 13 15:53:22 CET 2011

URL:
  <http://savannah.gnu.org/support/?107623>

                 Summary: Priority string "SECURITY256" seemingly no longer
supports DSA keys
                 Project: GnuTLS
            Submitted by: None
            Submitted on: sön 13 mar 2011 14.53.21
                Category: None
                Priority: 5 - Normal
                Severity: 4 - Important
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: teddy at fukt.bsnet.se
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: GNU/Linux

    _______________________________________________________

Details:

If DSA keys are used, the priority string "SECURE256" no longer yields a
successful handshake.  Steps to reproduce:

########
mkdir /tmp/keydir

cat > /tmp/keydir/batch <<EOF
Key-Type: DSA
Key-Length: 2048
Subkey-Type: ELG-E
Subkey-Length: 2048
Name-Real: localhost
Expire-Date: 0
%commit
EOF

gpg --quiet --batch --no-tty --no-options --enable-dsa2 --homedir /tmp/keydir
--trust-model always --gen-key /tmp/keydir/batch

gpg --quiet --batch --no-tty --no-options --enable-dsa2 --homedir /tmp/keydir
--armor --export-options export-minimal --comment "Test key for GnuTLS"
--output /tmp/keydir/seckey.txt --export-secret-keys
gpg --quiet --batch --no-tty --no-options --enable-dsa2 --homedir /tmp/keydir
--armor --export-options export-minimal --comment "Test key for GnuTLS"
--output /tmp/keydir/pubkey.txt --export

gnutls-serv --priority 'SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP' --pgpkeyfile
/tmp/keydir/seckey.txt --pgpcertfile /tmp/keydir/pubkey.txt --port 5556

# Now, in another terminal, run this:

gnutls-cli --insecure --priority 'SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP'
--port 5556 localhost
########

The server produces these error messages:
Error in handshake
Error: An unknown public key algorithm was encountered.

This used to work in GnuTLS 2.8.6.  If I change the SECURE256 to SECURE128 (on
both server and client) it works, and also if I add ":!VERS-TLS1.2".  However
both of those "solutions" feel suboptimal.

/Teddy Hogeborn

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?107623>

_______________________________________________
  Meddelandet skickades via/av Savannah
  http://savannah.gnu.org/