<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en" style='--code-editor-font: var(--default-mono-font, "GitLab Mono"), JetBrains Mono, Menlo, DejaVu Sans Mono, Liberation Mono, Consolas, Ubuntu Mono, Courier New, andale mono, lucida console, monospace;'>
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style data-premailer="ignore" type="text/css">
a { color: #1068bf; }
</style>
<style>img {
max-width: 100%; height: auto;
}
body {
font-size: .875rem;
}
body {
-webkit-text-shadow: rgba(255,255,255,.01) 0 0 1px;
}
body {
font-family: "GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"; font-size: inherit;
}
</style>
</head>
<body style='font-size: inherit; -webkit-text-shadow: rgba(255,255,255,.01) 0 0 1px; font-family: "GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";'>
<div class="content">
<p class="details" style="font-style: italic; color: #626168;">
<a href="https://gitlab.com/asosedkin">Alexander Sosedkin</a> created an issue: <a href="https://gitlab.com/gnutls/gnutls/-/issues/1622">#1622</a>
</p>
<div class="md" style="position: relative; z-index: 1; color: #3a383f; word-wrap: break-word;">
<blockquote dir="auto" style="font-size: inherit; color: #4c4b51; padding-top: .5rem; padding-bottom: .5rem; padding-left: 1rem; border-left-color: #dcdcde; border-left-style: solid; margin: 0 0 .5rem; border-width: 0 0 0 4px;" align="initial">
<p style="color: inherit; line-height: 1.5; margin: 0;">A new option <code style='font-size: 90%; color: #18171d; word-wrap: break-word; background-color: #ececef; border-radius: .25rem; margin-top: 0; font-weight: inherit; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; white-space: pre-wrap; overflow-wrap: break-word; word-break: keep-all; padding: 2px 4px;'>allow-rsa-pkcs1-encrypt</code>
has been added into the system-wide library configuration which
allows to enable/disable the RSAES-PKCS1-v1_5. Currently, the
RSAES-PKCS1-v1_5 is enabled by default.</p>
</blockquote>
<p dir="auto" style="color: #3a383f; margin: 0 0 16px;" align="initial">According to this NEWS entry, there are future plans to flip the option to false by default.
I've tried doing just that with 3.8.8 by flipping the value in lib/priority.c,
and the existing testsuite is not ready for this.</p>
<p dir="auto" style="color: #3a383f; margin: 0 0 16px;" align="initial">One easy way to work around this is to run the tests with configs that flip the option back on.
For many such tests, this can be attained by a</p>
<div class="gl-relative markdown-code-block js-markdown-code">
<pre data-canonical-lang="diff" class="code highlight js-syntax-highlight language-diff" v-pre="true" style='display: block; font-size: 14px; color: #3a383f; line-height: 1.6em; overflow-x: auto; border-radius: .25rem; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; margin: 0 0 16px; padding: 12px; border: 1px solid #dcdcde;'><code style='font-size: inherit; color: inherit; word-wrap: normal; word-break: keep-all; background-color: inherit; border-radius: .25rem; white-space: pre; margin-top: 0; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; overflow-wrap: normal; padding: unset;'><span id="LC1" class="line" lang="diff" style="margin-top: 0;"><span class="gd" style="margin-top: 0;">--- a/tests/system.prio</span></span>
<span id="LC2" class="line" lang="diff"><span class="gi" style="margin-top: 0;">+++ b/tests/system.prio</span></span>
<span id="LC3" class="line" lang="diff"><span class="p" style="margin-top: 0;">@@ -1,3 +1,6 @@</span></span>
<span id="LC4" class="line" lang="diff"> HELLO1=NORMAL</span>
<span id="LC5" class="line" lang="diff"> HELLO2=NORMAL:+AES-128-CBC</span>
<span id="LC6" class="line" lang="diff"> HELLO3=NONE:+VERS-TLS-ALL:-VERS-SSL3.0:+AEAD:+SHA1:+SHA256:+SHA384:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+DHE-DSS:+AES-256-GCM:+AES-256-CBC:+CAMELLIA-256-GCM:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CBC:+CAMELLIA-128-GCM:+CAMELLIA-128-CBC:+3DES-CBC:+SIGN-ALL:-SIGN-RSA-MD5:+CURVE-ALL:+COMP-NULL:%PROFILE_LOW</span>
<span id="LC7" class="line" lang="diff"><span class="gi" style="margin-top: 0;">+</span></span>
<span id="LC8" class="line" lang="diff"><span class="gi" style="margin-top: 0;">+[overrides]</span></span>
<span id="LC9" class="line" lang="diff"><span class="gi" style="margin-top: 0;">+allow-rsa-pkcs1-encrypt = true</span></span></code></pre>
</div>
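<p dir="auto" style="color: #3a383f; margin: 0 0 16px;" align="initial">Review bot: the two added lines at the end of tests/system.prio turn allow-rsa-pkcs1-encrypt back on for every test that loads this shared file, not only for the ones that need RSA key exchange (HELLO3 carries +RSA), so none of those tests would exercise a build where the option defaults to false. Consider keeping the override in a separate config used only by the RSA-kex tests, or at least add a comment line above [overrides] saying why it is there and when it can be dropped.</p>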
<p dir="auto" style="color: #3a383f; margin: 0 0 16px;" align="initial">but then several other tests that override the config and try to use, say, RSA kex, need to have an <code style='font-size: 90%; color: #18171d; word-wrap: break-word; background-color: #ececef; border-radius: .25rem; margin-top: 0; font-weight: inherit; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; white-space: pre-wrap; overflow-wrap: break-word; word-break: keep-all; padding: 2px 4px;'>allow-rsa-pkcs1-encrypt = true</code> slotted into the <code style='font-size: 90%; color: #18171d; word-wrap: break-word; background-color: #ececef; border-radius: .25rem; font-weight: inherit; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; white-space: pre-wrap; overflow-wrap: break-word; word-break: keep-all; padding: 2px 4px;'>[overrides]</code> of their overriding configs (<code style='font-size: 90%; color: #18171d; word-wrap: break-word; background-color: #ececef; border-radius: .25rem; font-weight: inherit; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; white-space: pre-wrap; overflow-wrap: break-word; word-break: keep-all; padding: 2px 4px;'>gnutls-cli-debug.sh</code>, <code style='font-size: 90%; color: #18171d; word-wrap: break-word; background-color: #ececef; border-radius: .25rem; font-weight: inherit; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; white-space: pre-wrap; overflow-wrap: break-word; word-break: keep-all; padding: 2px 4px;'>protocol-set-allowlist.sh</code>, <code style='font-size: 90%; color: 
#18171d; word-wrap: break-word; background-color: #ececef; border-radius: .25rem; font-weight: inherit; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; white-space: pre-wrap; overflow-wrap: break-word; word-break: keep-all; padding: 2px 4px;'>system-override-allow-rsa-pkcs1-encrypt.sh</code>).
The list would be even longer when building with the full testsuite.</p>
<p dir="auto" style="color: #3a383f; margin: 0;" align="initial">I'm afraid the tests should gradually migrate off using RSA kex, be made able to override the option back on, or, at least, expect failures when the library is built with the option defaulting to false. The latter currently doesn't look possible, as there's no API to query either the compile default or the current effective value.</p>
</div>
</div>
</body>
</html>