[gnutls-help] Fedora 34, One of the involved algorithms has insufficient security level
Daiki Ueno
ueno at gnu.org
Mon May 17 10:19:35 CEST 2021
Hello Philip,
Philip Schaten <philip at noerdcampus.de> writes:
> Hi!
> After an upgrade to Fedora 34, gnutls-cli gives me a
> `*** Fatal error: One of the involved algorithms has insufficient
> security level.` when connecting to my university mail server.
>
> With `gnutls-cli --allow-broken`, connection works and I get this
> result `- Description: (TLS1.2-X.509)-(ECDHE-SECP256R1)-(RSA-SHA1)-
> (AES-128-CBC)-(SHA1)`.
> Using `gnutls-cli -l` I can see that SHA1 in combination with tls1.2
> seems to be forbidden.
> Also, `gnutls-cli-debug` tells me it needs to disable TLS1.2 (why is
> this?).
> Might this be the reason for the error/is there a way to find out?
> Is it a bug in gnutls or misconfiguration in the university mail
> server?

In Fedora, allowed algorithms are centrally managed through
crypto-policies, where SHA-1 is indeed disabled for digital signatures:
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2

You could either downgrade the policy profile to LEGACY, with:

  sudo update-crypto-policies --set LEGACY

or create a custom crypto policy:
https://archive.fosdem.org/2020/schedule/event/security_custom_crypto_policies/attachments/slides/4089/export/events/attachments/security_custom_crypto_policies/slides/4089/custom_crypto_policies_fosdem.pdf

Regards,
--
Daiki Ueno
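
Added example, not part of the original message and not GnuTLS code: a small Python helper that splits the Description line quoted in the thread into fields and reports in which role SHA-1 appears. The field names and their order are an assumption inferred from that one quoted line, and the second sample line is constructed.

```python
import re

# Field order is an assumption inferred from the one Description line in the thread.
FIELDS = ("protocol", "key_exchange", "signature", "cipher", "mac")

# The line as quoted in the message, including the mail wrap and "> " marker.
QUOTED = """> result `- Description: (TLS1.2-X.509)-(ECDHE-SECP256R1)-(RSA-SHA1)-
> (AES-128-CBC)-(SHA1)`."""

# Constructed sample: same shape, SHA-256 signature and no separate MAC group.
CONSTRUCTED = "- Description: (TLS1.2-X.509)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)"


def parse_description(text):
    """Return the parenthesised groups of a Description line as named fields."""
    groups = re.findall(r"\(([^()\s]+)\)", text)
    if not 4 <= len(groups) <= len(FIELDS):
        raise ValueError("unexpected Description format: %r" % text)
    return dict(zip(FIELDS, groups))


def sha1_uses(fields):
    """List the roles in which SHA-1 appears: 'signature' and/or 'mac'."""
    uses = []
    if re.search(r"(?:^|-)SHA1$", fields["signature"]):
        uses.append("signature")  # hash inside the handshake signature
    if fields.get("mac") == "SHA1":
        uses.append("mac")        # HMAC on records, a separate use
    return uses


def report(text):
    """One-line verdict on the signature field of a Description line."""
    fields = parse_description(text)
    sig = fields["signature"]
    if "signature" in sha1_uses(fields):
        return "%s: SHA-1 signature, the use the reply says the policy disables" % sig
    return "%s: signature does not use SHA-1" % sig


if __name__ == "__main__":
    for sample in (QUOTED, CONSTRUCTED):
        print(report(sample))
```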