[gnutls-devel] GnuTLS | HMAC-SHA256 missing from NORMAL (#831)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Wed Sep 11 10:15:05 CEST 2019
Pierre Ossman (Work account) created an issue: https://gitlab.com/gnutls/gnutls/issues/831
## Description of problem:
Current versions of GnuTLS no longer advertise HMAC-SHA256 support unless very explicitly told to do so. This change was introduced in 62248b6adf0c11d469b04b4bf58aa97deff5a813, but the rationale doesn't match what's actually out there.
Two issues:
* Currently still supported versions of Windows has disabled HMAC-SHA1, but never got support for AEAD. This means that GnuTLS cannot connect to the RDP server on Windows 2012 R2.
* The documentation states that `NORMAL` (and derived values such as `MAC-ALL`) should enable all currently secure ciphersuites. This is quite obviously not the case, and very confusing when trying to debug this issue.
## Version of gnutls used:
3.6.8
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Tested on Fedora, but the cause is upstream.
## How reproducible:
100%
Steps to Reproduce:
```
$ gnutls rds2012r2.example.com -p 3389
```
## Actual results:
Server drops the connection and logs that it could not find a supported ciphersuite.
## Expected results:
TLS handshake succeeds.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/831
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20190911/69809b32/attachment.html>
More information about the Gnutls-devel
mailing list