[gnutls-help] Fedora 34, One of the involved algorithms has insufficient security level

Daiki Ueno ueno at gnu.org
Mon May 17 10:19:35 CEST 2021

Hello Philip,

Philip Schaten <philip at noerdcampus.de> writes:

> Hi!
> After an upgrade to Fedora 34, gnutls-cli gives me a
> `*** Fatal error: One of the involved algorithms has insufficient
> security level.` when connecting to my university mail server.
> With `gnutls-cli --allow-broken`, connection works and I get this
> result `- Description: (TLS1.2-X.509)-(ECDHE-SECP256R1)-(RSA-SHA1)-
> (AES-128-CBC)-(SHA1)`.
> Using `gnutls-cli -l` I can see that SHA1 in combination with tls1.2
> seems to be forbidden.
> Also, `gnutls-cli-debug` tells me it needs to disable TLS1.2 (why is
> this?).
> Might this be the reason for the error/is there a way to find out?
> Is it a bug in gnutls or misconfiguration in the university mail
> server?

In Fedora, allowed algorithms are centrally managed through
crypto-policies, where SHA-1 is indeed disabled for digital signatures:

You could either downgrade the policy profile to LEGACY, with:

  sudo update-crypto-policies --set LEGACY

or create a custom crypto policy:


Daiki Ueno
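
An added example, not part of the original message or of GnuTLS: a small shell check that splits the `Description` value quoted above and reports the handshake signature group separately from the record MAC, since the reply points at SHA-1 in digital signatures. The function names are hypothetical, and the group positions (signature third, MAC fifth) are an assumption taken from the single sample on this page.

```shell
#!/bin/sh
# Constructed input: the Description value quoted in the message above
# (gnutls-cli prints it on its "- Description:" line).
SAMPLE='(TLS1.2-X.509)-(ECDHE-SECP256R1)-(RSA-SHA1)-(AES-128-CBC)-(SHA1)'

# Print each parenthesised group of a Description value on its own line.
split_groups() {
    printf '%s\n' "$1" | sed -e 's/^(//' -e 's/)$//' -e 's/)-(/|/g' | tr '|' '\n'
}

# Print the Nth group (1-based); empty output if it does not exist.
group() {
    split_groups "$1" | sed -n "${2}p"
}

# Classify the handshake signature group. Assumption: it is the third group,
# as in the sample above. Returns 1 when its hash is SHA-1 or MD5,
# 2 when there is no third group, 0 otherwise.
check_signature() {
    sig=$(group "$1" 3)
    case "$sig" in
        '')            echo "signature: not present"; return 2 ;;
        *-SHA1|*-MD5)  echo "signature: $sig (weak hash)"; return 1 ;;
        *)             echo "signature: $sig"; return 0 ;;
    esac
}

# Report the record MAC (fifth group) separately from the signature.
# A Description with no fifth group is reported as AEAD (no separate MAC).
report_mac() {
    mac=$(group "$1" 5)
    if [ -n "$mac" ]; then
        echo "record MAC: $mac"
    else
        echo "record MAC: none (AEAD)"
    fi
}

check_signature "$SAMPLE" || true
report_mac "$SAMPLE"
```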
