[gnutls-devel] NORMAL:-SIGN-ALL changed behavior in 3.3.15

Andreas Metzler ametzler at bebt.de
Mon May 11 19:18:59 CEST 2015


On 2015-05-11 Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:

> On 10 May 2015 13:24:39 CEST, Andreas Metzler <ametzler at bebt.de> wrote:
> >Hello,
> >
> >I have tried finding the reason for <https://bugs.debian.org/784430>
> >(lynx not being able to connect to kernel.org since upgrading GnuTLS
> >to 3.3.15). Afaict it comes from lynx using this byzantine priority
> >string:
> >NONE:+VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+CAMELLIA-256-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+COMP-NULL:+DHE-RSA:+RSA:+DHE-DSS:+SHA1:+MD5

> > Boiling this down to the simplest case shows that 3.3.14 connected
> > successfully (including certificate verification) to www.kernel.org,
> > but 3.3.15 stopped doing so. I suspect it is a side-effect of the fix
> > for GNUTLS-SA-2015-2.

> The priority string is indeed wrong. The issue is that it enables
> tls1.2 but no signature algorithms.  Given that the fix in 3.3.15 is
> to enforce the algorithms set, the issue seen is justified.

Thanks for the confirmation, I will submit a bug report against lynx.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
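A small added checker (not GnuTLS code, and not the thread's own) that models just enough of the priority-string grammar to catch the mistake discussed above: TLS 1.2 enabled while no SIGN-* algorithm is. It assumes the listed base keywords enable TLS 1.2 plus a full signature set, and it ignores everything the bug does not depend on (ciphers, MACs, key exchanges, % flags).

```python
# Base keywords assumed to enable TLS 1.2 and a full SIGN-* set; NONE enables nothing.
# This is a simplification: the real keyword contents are not modelled here.
FULL_BASES = {"NORMAL", "PFS", "PERFORMANCE", "SECURE128", "SECURE192", "SECURE256"}


def apply_priority(prio: str):
    """Walk the string left to right as GnuTLS does: a base keyword, then
    '+' adds, '-' or '!' removes, '%' sets a flag (ignored by this checker).
    Returns (tls12_enabled, set_of_signature_algorithms)."""
    tokens = prio.split(":")
    base = tokens[0].upper()
    tls12 = base in FULL_BASES
    signs = {"ALL"} if base in FULL_BASES else set()
    for tok in tokens[1:]:
        if not tok or tok[0] == "%":
            continue
        op, name = tok[0], tok[1:].upper()
        if op not in "+-!":
            raise ValueError(f"unexpected token {tok!r}")
        if name in ("VERS-TLS1.2", "VERS-ALL"):
            tls12 = op == "+"
        elif name.startswith("SIGN-"):
            alg = name[len("SIGN-"):]
            if op == "+":
                signs.add(alg)
            elif alg == "ALL":
                signs.clear()
            else:
                # Removing one algorithm from an implicit ALL is not tracked
                # precisely; the set simply stays non-empty.
                signs.discard(alg)
    return tls12, signs


def lint(prio: str):
    """Return a list of findings; an empty list means the string is fine
    with respect to the 3.3.15 enforcement of the configured SIGN-* set."""
    tls12, signs = apply_priority(prio)
    findings = []
    if tls12 and not signs:
        findings.append("TLS 1.2 is enabled but no signature algorithms are; "
                        "GnuTLS >= 3.3.15 will fail the handshake")
    return findings


if __name__ == "__main__":
    # The lynx string quoted in the thread, with and without the missing SIGN-ALL.
    lynx = ("NONE:+VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+AES-256-GCM"
            ":+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+CAMELLIA-256-CBC:+CAMELLIA-128-CBC"
            ":+3DES-CBC:+COMP-NULL:+DHE-RSA:+RSA:+DHE-DSS:+SHA1:+MD5")
    for s in (lynx, lynx + ":+SIGN-ALL", "NORMAL:-SIGN-ALL", "NORMAL"):
        print(s[:40] + "...", lint(s) or "ok")
```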
