[gnutls-devel] Debian bug #857436: libgnutls-openssl27: OpenSSL wrapper not exposing TLS 1.1/1.2 ciphers
Andreas Metzler
ametzler at bebt.de
Sat Mar 11 15:34:59 CET 2017
Hello,
this is a copy of http://bugs.debian.org/857436 by Justin Coffman, reported
against 3.5.10:
8X----------------------------------------------
Certain packages that rely on this OpenSSL wrapper library are unable to
connect using TLS 1.1/1.2 cipher suites.
Even though the server (and the client, when compiled against OpenSSL)
supports the full array of TLS 1.1/1.2 ciphers, the package as provided
seems to be limited to only TLS 1.0 ciphers.
An example is bug #842120 in package tf5.
tf5, when connecting using a version compiled manually against OpenSSL:
% Connected to server using cipher ECDHE-RSA-AES128-GCM-SHA256.
When connecting using the packaged version utilizing the OpenSSL
wrapper:
% Connected to server using cipher RSA_AES_128_CBC_SHA1.
Given the progression toward the deprecation of TLS 1.0 (see NIST SP
800-52 Rev. 1), it would seem prudent to ensure that packages not
written against GnuTLS are still capable of their full function.
[...]
8X----------------------------------------------
I do not know, but I suspect that the OpenSSL API has changed quite a
bit in recent years and that being a good OpenSSL customer requires using
these new APIs, e.g. from the Exim 4.89 announcement: "Please note that
we are seeing OpenSSL issues which require 1.0.2 minimum ...".
OTOH the GnuTLS openssl wrapper does not seem to be seeing active
development.
Therefore I suspect the usefulness of the GnuTLS openssl wrapper to be
decreasing, since only programs with outdated OpenSSL code work.
Am I guessing correctly?
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'