[gnutls-devel] GnuTLS | GnuTLS 3.8.5 broke TLS connections to RSA cert using hosts (#1540)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Apr 9 19:28:20 CEST 2024

Alexander Sosedkin commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1540#note_1853760757

Thank you for confirming. The beginning of the log when the config is parsed seems to be missing, but, I guess, we can do without one now.

Here are the results of investigation into it (not mine):

@ZoltanFridrich had the intention to have [`cfg->allow_rsa_pkcs1_encrypt = true;](https://gitlab.com/gnutls/gnutls/-/blob/49f4ae2109b7cc969539b90be92a5844bbe7b322/lib/priority.c?page=3#L1427) by default and thus cause no behaviour change in the existing configurations.

Prompted by your report, @dueno has noticed that [`cfg_apply()` doing this](https://gitlab.com/gnutls/gnutls/-/blob/49f4ae2109b7cc969539b90be92a5844bbe7b322/lib/priority.c?page=3#L2298) is, unfortunately, only called if the configuration file is available and valid. He also proposed a plan to resolve this: moving the `= true;` line immediately after [the config structure gets zeroized](https://gitlab.com/gnutls/gnutls/-/blob/49f4ae2109b7cc969539b90be92a5844bbe7b322/lib/priority.c?page=3#L2280).

Since there probably are many more distros not shipping a config at all, the issue might have a rather wide impact and warrant a follow-up release.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1540#note_1853760757
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20240409/3c02170b/attachment.html>

More information about the Gnutls-devel mailing list