<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<p style="color: #777777;">
<a href="https://gitlab.com/boekhold">Maarten Boekhold</a>
commented:
</p>
<div style="">
<p dir="auto">I just discovered the <code>gnutls-cli-debug</code> program, posting the output below in case it can be of any help:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">$ gnutls-cli-debug github.com</span>
<span id="LC2" class="line" lang="plaintext">GnuTLS debug client 3.6.13</span>
<span id="LC3" class="line" lang="plaintext">Checking github.com:443</span>
<span id="LC4" class="line" lang="plaintext">whether the server accepts default record size (512 bytes)... yes</span>
<span id="LC5" class="line" lang="plaintext"> whether %ALLOW_SMALL_RECORDS is required... no</span>
<span id="LC6" class="line" lang="plaintext"> whether we need to disable TLS 1.2... no</span>
<span id="LC7" class="line" lang="plaintext"> whether we need to disable TLS 1.1... no</span>
<span id="LC8" class="line" lang="plaintext"> whether we need to disable TLS 1.0... no</span>
<span id="LC9" class="line" lang="plaintext"> whether %NO_EXTENSIONS is required... no</span>
<span id="LC10" class="line" lang="plaintext"> whether %COMPAT is required... no</span>
<span id="LC11" class="line" lang="plaintext"> for TLS 1.0 (RFC2246) support... no</span>
<span id="LC12" class="line" lang="plaintext"> for TLS 1.1 (RFC4346) support... no</span>
<span id="LC13" class="line" lang="plaintext"> fallback from TLS 1.1 to... failed</span>
<span id="LC14" class="line" lang="plaintext"> for TLS 1.2 (RFC5246) support... yes</span>
<span id="LC15" class="line" lang="plaintext"> for TLS 1.3 (RFC8446) support... yes</span>
<span id="LC16" class="line" lang="plaintext"> for known TLS or SSL protocols support... yes</span>
<span id="LC17" class="line" lang="plaintext"> TLS1.2 neg fallback from TLS 1.6 to... TLS1.2</span>
<span id="LC18" class="line" lang="plaintext"> for HTTPS server name... unknown</span>
<span id="LC19" class="line" lang="plaintext"> for certificate chain order... sorted</span>
<span id="LC20" class="line" lang="plaintext"> for safe renegotiation (RFC5746) support... yes</span>
<span id="LC21" class="line" lang="plaintext"> for encrypt-then-MAC (RFC7366) support... yes</span>
<span id="LC22" class="line" lang="plaintext"> for ext master secret (RFC7627) support... yes</span>
<span id="LC23" class="line" lang="plaintext"> for heartbeat (RFC6520) support... no</span>
<span id="LC24" class="line" lang="plaintext"> for version rollback bug in RSA PMS... dunno</span>
<span id="LC25" class="line" lang="plaintext"> for version rollback bug in Client Hello... no</span>
<span id="LC26" class="line" lang="plaintext"> whether the server ignores the RSA PMS version... yes</span>
<span id="LC27" class="line" lang="plaintext">whether small records (512 bytes) are tolerated on handshake... yes</span>
<span id="LC28" class="line" lang="plaintext"> whether cipher suites not in SSL 3.0 spec are accepted... yes</span>
<span id="LC29" class="line" lang="plaintext">whether a bogus TLS record version in the client hello is accepted... yes</span>
<span id="LC30" class="line" lang="plaintext"> whether the server understands TLS closure alerts... yes</span>
<span id="LC31" class="line" lang="plaintext"> whether the server supports session resumption... no</span>
<span id="LC32" class="line" lang="plaintext"> for anonymous authentication support... no</span>
<span id="LC33" class="line" lang="plaintext"> for RSA key exchange support... yes</span>
<span id="LC34" class="line" lang="plaintext"> for ephemeral Diffie-Hellman support... no</span>
<span id="LC35" class="line" lang="plaintext"> for RFC7919 Diffie-Hellman support... no</span>
<span id="LC36" class="line" lang="plaintext"> for ephemeral EC Diffie-Hellman support... yes</span>
<span id="LC37" class="line" lang="plaintext">for VKO GOST-2012 (draft-smyshlyaev-tls12-gost-suites) support... no</span>
<span id="LC38" class="line" lang="plaintext"> for curve SECP256r1 (RFC4492)... no</span>
<span id="LC39" class="line" lang="plaintext"> for curve SECP384r1 (RFC4492)... no</span>
<span id="LC40" class="line" lang="plaintext"> for curve SECP521r1 (RFC4492)... no</span>
<span id="LC41" class="line" lang="plaintext"> for curve X25519 (RFC8422)... yes</span>
<span id="LC42" class="line" lang="plaintext"> for AES-GCM cipher (RFC5288) support... yes</span>
<span id="LC43" class="line" lang="plaintext"> for AES-CCM cipher (RFC6655) support... no</span>
<span id="LC44" class="line" lang="plaintext"> for AES-CCM-8 cipher (RFC6655) support... no</span>
<span id="LC45" class="line" lang="plaintext"> for AES-CBC cipher (RFC3268) support... yes</span>
<span id="LC46" class="line" lang="plaintext"> for CAMELLIA-GCM cipher (RFC6367) support... no</span>
<span id="LC47" class="line" lang="plaintext"> for CAMELLIA-CBC cipher (RFC5932) support... no</span>
<span id="LC48" class="line" lang="plaintext"> for 3DES-CBC cipher (RFC2246) support... no</span>
<span id="LC49" class="line" lang="plaintext"> for ARCFOUR 128 cipher (RFC2246) support... no</span>
<span id="LC50" class="line" lang="plaintext"> for CHACHA20-POLY1305 cipher (RFC7905) support... yes</span>
<span id="LC51" class="line" lang="plaintext">for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support... no</span>
<span id="LC52" class="line" lang="plaintext"> for MD5 MAC support... no</span>
<span id="LC53" class="line" lang="plaintext"> for SHA1 MAC support... yes</span>
<span id="LC54" class="line" lang="plaintext"> for SHA256 MAC support... yes</span>
<span id="LC55" class="line" lang="plaintext">for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support... no</span>
<span id="LC56" class="line" lang="plaintext"> for max record size (RFC6066) support... yes</span>
<span id="LC57" class="line" lang="plaintext"> for OCSP status response (RFC6066) support... no</span></code></pre>
</div>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
—
<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/-/issues/990#note_347776171">view it on GitLab</a>.
</p>
</div>
</body>
</html>