[gnutls-devel] NORMAL:-SIGN-ALL changed behavior in 3.3.15

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Mon May 11 08:23:41 CEST 2015


The priority string is indeed wrong. The issue is that it enables tls1.2 but no signature algorithms. Given that the fix in 3.3.15 is to enforce the algorithms set, the issue seen is justified.

On 10 May 2015 13:24:39 CEST, Andreas Metzler <ametzler at bebt.de> wrote:
>Hello,
>
>I have tried finding the reason for <https://bugs.debian.org/784430>
>(lynx not being able to connect to kernel.org since upgrading GnuTLS
>to 3.3.15). Afaict it comes from lynx using this byzantine priority
>string:
>NONE:+VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+CAMELLIA-256-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+COMP-NULL:+DHE-RSA:+RSA:+DHE-DSS:+SHA1:+MD5
>
>Which notably does not add any of the following after removing all by
>starting with NONE:
>- SIGN-* (Signature algorithms)
>- CURVE-* (Elliptic curves)
>- CTYPE-* (Certificate type)
>
>Boiling this down to the simplest case shows that 3.3.14 connected
>successfully (including certificate verification) to www.kernel.org,
>but 3.3.15 stopped doing so. I suspect it is side-effect of the fix
>for GNUTLS-SA-2015-2.
>
>Is this the right thing to do? And if it is (I personally think so)
>shouldn't
>gnutls-cli --priority=NORMAL:-CTYPE-ALL www.kernel.org
>also fail?
>
>cu Andreas

-- 
Sent from my mobile. Please excuse my brevity.
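The condition Nikos describes (a NONE-based string that adds +VERS-TLS1.2 but never adds a SIGN-* keyword, so the enforced signature-algorithm set is empty) can be caught before a client ever connects. The following offline checker is an added example written for this page; it is not GnuTLS code and does not use GnuTLS's own priority parser. It models only the part of the priority grammar needed here (':'-separated fields, NONE clears everything, '+' adds, '-' and '!' remove, 'X-ALL' names a whole category, a bare word such as NORMAL names a base set whose members are not enumerated, '%FLAG' is ignored). LYNX_PRIORITY is the string quoted in the thread; LYNX_PRIORITY_FIXED, which appends +SIGN-ALL:+CURVE-ALL:+CTYPE-X509, is an assumed repair, not something the thread proposes. The checker also flags empty CURVE-* and CTYPE-* sets, which answers Andreas's question about NORMAL:-CTYPE-ALL only in the sense of showing that the set is empty; whether GnuTLS rejects that string is not something this model decides.

```python
"""Offline lint for GnuTLS priority strings (added example, not GnuTLS code).

Simplified model of the priority grammar, sufficient to flag a NONE-based
string that enables TLS 1.2 without any SIGN-* keyword, and strings whose
CURVE-* or CTYPE-* sets end up empty.  Not GnuTLS's own parser.
"""

# The lynx priority string quoted in the thread.
LYNX_PRIORITY = (
    "NONE:+VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:"
    "+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:"
    "+CAMELLIA-256-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+COMP-NULL:"
    "+DHE-RSA:+RSA:+DHE-DSS:+SHA1:+MD5"
)

# Assumed repair (not from the thread): add the three missing categories.
LYNX_PRIORITY_FIXED = LYNX_PRIORITY + ":+SIGN-ALL:+CURVE-ALL:+CTYPE-X509"

CATEGORIES = ("VERS", "SIGN", "CURVE", "CTYPE", "COMP")


def category_of(keyword):
    """Map a keyword to one of CATEGORIES; ciphers, MACs and KX names are 'OTHER'."""
    for cat in CATEGORIES:
        if keyword.startswith(cat + "-"):
            return cat
    return "OTHER"


def parse_priority(priority):
    """Apply the string field by field.

    Returns (enabled, removed, whole):
      enabled -- category -> keywords explicitly added with '+'
      removed -- category -> keywords explicitly removed with '-' or '!'
      whole   -- category -> True while the category holds members we cannot
                 enumerate (a named base set such as NORMAL, or '+CAT-ALL'),
                 False once cleared by NONE or '-CAT-ALL'
    """
    cats = CATEGORIES + ("OTHER",)
    enabled = {cat: set() for cat in cats}
    removed = {cat: set() for cat in cats}
    whole = {cat: False for cat in cats}
    for field in priority.split(":"):
        if not field or field.startswith("%"):
            continue                      # empty field or a %FLAG: no algorithm change
        if field == "NONE":
            for cat in cats:              # NONE empties every category
                enabled[cat].clear()
                removed[cat].clear()
                whole[cat] = False
            continue
        if field[0] not in "+-!":
            for cat in cats:              # named base set (NORMAL, SECURE128, ...)
                whole[cat] = True
            continue
        op, keyword = field[0], field[1:]
        cat = category_of(keyword)
        if op == "+":
            if keyword.endswith("-ALL"):
                whole[cat] = True
            else:
                enabled[cat].add(keyword)
                removed[cat].discard(keyword)
        elif keyword.endswith("-ALL"):   # '-CAT-ALL' / '!CAT-ALL' clears the category
            enabled[cat].clear()
            whole[cat] = False
        else:
            enabled[cat].discard(keyword)
            removed[cat].add(keyword)
    return enabled, removed, whole


def lint(priority):
    """Return a list of (category, message) findings; an empty list means nothing flagged."""
    enabled, removed, whole = parse_priority(priority)

    def is_empty(cat):
        return not whole[cat] and not enabled[cat]

    tls12 = "VERS-TLS1.2" in enabled["VERS"] or (
        whole["VERS"] and "VERS-TLS1.2" not in removed["VERS"])
    findings = []
    if tls12 and is_empty("SIGN"):
        findings.append(("SIGN", "TLS 1.2 enabled but no SIGN-* keywords: "
                                 "signature algorithm set is empty"))
    for cat in ("CURVE", "CTYPE"):
        if is_empty(cat):
            findings.append((cat, "no %s-* keywords: set is empty" % cat))
    return findings


if __name__ == "__main__":
    for label, prio in (("lynx", LYNX_PRIORITY),
                        ("lynx+fix", LYNX_PRIORITY_FIXED),
                        ("NORMAL:-CTYPE-ALL", "NORMAL:-CTYPE-ALL")):
        print(label, lint(prio) or "ok")
```

Run it as a script to see the lynx string flagged on all three categories, the assumed repair pass, and NORMAL:-CTYPE-ALL flagged on CTYPE only. The same parse_priority() call can be dropped into a build or packaging check for any application that hard-codes a NONE-based priority string.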
