[gnutls-devel] NORMAL:-SIGN-ALL changed behavior in 3.3.15

Andreas Metzler ametzler at bebt.de
Sun May 10 13:24:39 CEST 2015


Hello,

I have tried finding the reason for <https://bugs.debian.org/784430>
(lynx not being able to connect to kernel.org since upgrading GnuTLS
to 3.3.15). Afaict it comes from lynx using this byzantine priority
string:
NONE:+VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+CAMELLIA-256-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+COMP-NULL:+DHE-RSA:+RSA:+DHE-DSS:+SHA1:+MD5

Which notably does not add any of the following after removing all by
starting with NONE:
- SIGN-* (Signature algorithms)
- CURVE-* (Elliptic curves)
- CTYPE-* (Certificate type)

Boiling this down to the simplest case shows that 3.3.14 connected
successfully (including certificate verification) to www.kernel.org,
but 3.3.15 stopped doing so. I suspect it is a side-effect of the fix
for GNUTLS-SA-2015-2.

Is this the right thing to do? And if it is (I personally think so),
shouldn't
gnutls-cli --priority=NORMAL:-CTYPE-ALL www.kernel.org
also fail?

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
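As an added diagnostic (not from the mail above and not GnuTLS's own code), the checker below models only the keyword mechanics of a priority string at the category level: an initial keyword, then `+KEYWORD`, `-KEYWORD` or `!KEYWORD`, with `-SOMETHING-ALL` clearing a whole family. The category prefixes and the list of populated initial keywords are assumptions made for the checker; the real contents of NORMAL are defined inside GnuTLS and differ between releases. It is enough to show why the lynx string lacks the three families listed above while NORMAL:-CTYPE-ALL lacks only one.

```python
# Keyword families this checker tracks, keyed by their priority-string prefix.
# Assumed mapping for the checker; cipher, MAC and key-exchange keywords
# (AES-*, SHA1, DHE-RSA, ...) carry no family prefix and are not tracked.
TRACKED = {
    "VERS-": "protocol versions",
    "SIGN-": "signature algorithms",
    "CURVE-": "elliptic curves",
    "CTYPE-": "certificate types",
    "COMP-": "compression",
}

# Initial keywords that start from populated algorithm lists (assumed, not
# exhaustive). NONE starts from empty lists, which is the point of the mail.
POPULATED_INITIALS = {"NORMAL", "SECURE128", "SECURE192", "SECURE256",
                      "PERFORMANCE", "PFS", "LEGACY"}

# The priority string lynx uses, copied from the bug report above.
LYNX_PRIORITY = ("NONE:+VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:"
                 "+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:"
                 "+CAMELLIA-256-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+COMP-NULL:"
                 "+DHE-RSA:+RSA:+DHE-DSS:+SHA1:+MD5")


def category_of(keyword):
    """Return the tracked family a keyword belongs to, or None."""
    for prefix, family in TRACKED.items():
        if keyword.startswith(prefix):
            return family
    return None


def missing_categories(priority):
    """Return the tracked families that end up empty after applying the string."""
    tokens = [t for t in priority.split(":") if t]
    initial = tokens[0]
    if initial == "NONE":
        covered = set()
    elif initial in POPULATED_INITIALS:
        covered = set(TRACKED.values())
    else:
        raise ValueError("unknown initial keyword: " + initial)
    for tok in tokens[1:]:
        if tok[0] in "%@":          # %FLAGS and @PROFILE do not edit algorithm lists
            continue
        op, keyword = tok[0], tok[1:]
        if op not in "+-!":
            raise ValueError("keyword without +/-/! operator: " + tok)
        family = category_of(keyword)
        if family is None:
            continue
        if op == "+":
            covered.add(family)
        elif keyword.endswith("-ALL"):  # -SIGN-ALL / !CTYPE-ALL empties the family
            covered.discard(family)
        # removing a single algorithm (e.g. -SIGN-RSA-SHA1) leaves the family populated
    return sorted(set(TRACKED.values()) - covered)
```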