[gnutls-help] gnutls offers rsa_pcks_sha1, but does not accept it

Daiki Ueno ueno at gnu.org
Fri Jun 11 15:26:59 CEST 2021


Philip Schaten <philip at noerdcampus.de> writes:

>> > - Using gnutls-cli, I try to establish a connection to the mail
>> > server.
>> > - From wireshark, I can see that gnutls offers rsa_pcks_sha1 as a
>> > signature algorithm.
>> 
>> Do you see this behavior also with the DEFAULT policy?
>
> yes.
> So, in brief:
> DEFAULT policy is enabled.
> GnuTLS proposes SHA1 as a signature algorithm during TLS Handshake.
> Server chooses SHA1.
> GnuTLS cancels because SHA1 is forbidden by DEFAULT crypto-policy.
> In the end, this leads to evolution mailclient not working anymore.

Thank you; that indeed seems like a bug in GnuTLS itself.  I've filed an
MR to fix it:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1447

Regards,
-- 
Daiki Ueno



More information about the Gnutls-help mailing list