[gnutls-devel] GnuTLS | Setting tls priority lists is not working correctly (#1046)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue Jun 30 17:30:59 CEST 2020

Andreas Schneider created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1046

To honor system crypto policies we changed the 'tls priority' setting in Samba from `NORMAL:-VERS-SSL3.0` to `@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0` according to the doc of [gnutls_priority_init2](https://gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fpriority_005finit2)

Typical usage would be to specify                                                                                                                   
application specified keyword first, followed by "SYSTEM" as                                                                                                                    
a default fallback. e.g., "@LIBVIRT,SYSTEM:!-VERS-SSL3.0" will                                                                                                                     
first try to find a config file entry matching "LIBVIRT", but if                                                                                                                   
that does not exist will use the entry for "SYSTEM". If "SYSTEM"                                                                                                                   
does not exist either, an error will be returned. In all cases,                                                                                                                    
the SSL3.0 protocol will be disabled.

However this doesn't work at all as it even doesn't recognize NORMAL if SAMBA and SYSTEM profiles are not available:

asn at addc:~/workspace/projects/samba> GNUTLS_DEBUG_LEVEL=6 bin/ldbsearch -H ldaps://$SERVER:636/ -s base -b "" -U%
gnutls[2]: Enabled GnuTLS 3.6.14 logging...
gnutls[2]: getrandom random generator was detected
gnutls[2]: Intel SSSE3 was detected
gnutls[2]: Intel SHA was detected
gnutls[2]: Intel AES accelerator was detected
gnutls[2]: Intel GCM accelerator (AVX) was detected
gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
gnutls[5]: REC[0x55c6d6cc78a0]: Allocating epoch #0
gnutls[2]: added 6 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
gnutls[2]: resolved 'SAMBA' to '', next 'SYSTEM,NORMAL'
gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
gnutls[2]: resolved 'SYSTEM' to '', next 'NORMAL'
gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
gnutls[2]: resolved 'NORMAL' to '', next ''
gnutls[2]: unable to resolve @SAMBA,SYSTEM,NORMAL:!VERS-SSL3.0
gnutls[3]: ASSERT: priority.c[gnutls_priority_init]:2017
gnutls[3]: ASSERT: priority.c[gnutls_priority_set_direct]:2343
TLS ../../source4/lib/tls/tls_tstream.c:1052 - The request is invalid..  Check 'tls priority' option at '@SAMBA,SYSTEM,NORMAL:!VERS-SSL3.0'

How should the correct string be that it tries the a SAMBA and SYSTEM profile and if this doesn't work uses NORMAL and not trying to resolve NORMAL as a file?

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1046
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200630/3fa18b46/attachment-0001.html>

More information about the Gnutls-devel mailing list