[gnutls-devel] GnuTLS | gnutls-serv and gnutls-client fail with "Detected downgrade to TLS 1.2 from TLS 1.3" (#837)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sat Sep 21 13:31:00 CEST 2019



Richard Frith-Macdonald created an issue: https://gitlab.com/gnutls/gnutls/issues/837



## Description of problem:

If a client attempts to connect to a server with 1.2 and 1.3 in the priority string, it fails with the error 'Detected downgrade to TLS 1.2 from TLS 1.3'.

I think this is because the priority string specifies 1.2 before 1.3, so while the client advertises itself as supporting both versions, the server picks the first one and responds using 1.2, which the client then thinks is an illegal downgrade.

It's possible to work around this by changing the client priority string to have 1.3 first (i.e. as the preferred version), but that means that the connection will be established using the oldest version that client and server support, not the newest/best, which seems undesirable.

If this is the case, there may be various ways to address the issue:
a. the server could ignore offers of older versions and select the highest one the client says it supports
b. the client could always offer higher versions before lower versions
c. the client could recognise that, if it offered 1.2 to the server, then a response of 1.2 is not a downgrade


## Version of gnutls used:

3.6.7

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Built from source

## How reproducible:

Steps to Reproduce:

1. Start gnutls-serv using --priority="NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2"
2. Connect to it with gnutls-cli using --priority="NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2"

## Actual results:

```
|<1>| Detected downgrade to TLS 1.2 from TLS 1.3
*** Fatal error: An illegal parameter has been received.
```

## Expected results:

Connection established.

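The quoted error is the client side of the downgrade-protection check in RFC 8446 section 4.1.3: a server that supports TLS 1.3 but negotiates TLS 1.2 writes the sentinel "DOWNGRD\x01" into the last 8 bytes of its ServerHello random, and a client that offered TLS 1.3 must abort with illegal_parameter on seeing it, whatever order the versions were offered in. The following is an added example that models both sides of that check; it is not GnuTLS code, and the random seed is a constructed stand-in for RNG output:

```python
# Added example: RFC 8446 section 4.1.3 downgrade sentinel, modelled for both
# sides of the handshake. Not GnuTLS code; seeds are constructed, not random.
TLS11, TLS12, TLS13 = 0x0302, 0x0303, 0x0304

# A TLS 1.3-capable server negotiating TLS 1.2 ends its 32-byte random with
# "DOWNGRD\x01"; a TLS 1.2-or-later server negotiating <= 1.1 ends it with
# "DOWNGRD\x00".
DOWNGRADE_TLS12 = bytes.fromhex("444f574e47524401")
DOWNGRADE_TLS11 = bytes.fromhex("444f574e47524400")


def server_random(server_max: int, negotiated: int, seed: bytes) -> bytes:
    """ServerHello.random as a conforming server would build it.

    `seed` stands in for the 32 bytes the server would draw from its RNG."""
    assert len(seed) == 32
    if server_max >= TLS13 and negotiated == TLS12:
        return seed[:24] + DOWNGRADE_TLS12
    if server_max >= TLS12 and negotiated <= TLS11:
        return seed[:24] + DOWNGRADE_TLS11
    return seed


def client_accepts(client_max: int, negotiated: int, random32: bytes) -> bool:
    """Client-side check: False means abort with an illegal_parameter alert.

    The check does not depend on the order versions were offered in; it only
    asks whether this client supports TLS 1.3 and the server went lower."""
    if negotiated > client_max:
        return False                      # version the client never offered
    tail = random32[-8:]
    if client_max >= TLS13 and negotiated <= TLS12:
        return tail not in (DOWNGRADE_TLS12, DOWNGRADE_TLS11)
    if client_max == TLS12 and negotiated <= TLS11:
        return tail != DOWNGRADE_TLS11
    return True


def negotiate(client_max: int, server_max: int, server_pick: int) -> bool:
    """Run one constructed ServerHello through both sides."""
    seed = bytes(range(32))               # constructed stand-in for RNG output
    rnd = server_random(server_max, server_pick, seed)
    return client_accepts(client_max, server_pick, rnd)


if __name__ == "__main__":
    # Both sides support 1.3 and 1.2 and the server picks 1.2: the sentinel is
    # set and the client must abort, which is the error quoted in the report.
    print(negotiate(TLS13, TLS13, TLS12))   # False
    # Server genuinely tops out at 1.2: no sentinel, connection proceeds.
    print(negotiate(TLS13, TLS12, TLS12))   # True
    print(negotiate(TLS13, TLS13, TLS13))   # True
```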



