lynx-dev

[Lynx-dev] gnutls priority string disables any signature algorithms and certificate types

From: Andreas Metzler
Subject: [Lynx-dev] gnutls priority string disables any signature algorithms and certificate types
Date: Mon, 11 May 2015 19:09:01 +0200
User-agent: tin/2.2.1-20140504 ("Tober an Righ") (UNIX) (Linux/3.16.0-4-amd64 (x86_64))

Hello,

lynx 2.8.9dev6 uses the following GnuTLS priority string:
NONE:+VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+CAMELLIA-256-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+COMP-NULL:+DHE-RSA:+RSA:+DHE-DSS:+SHA1:+MD5

This disables any signature algorithms and certificate types:

(SID)address@hidden:~$ gnutls-cli 
--priority=NONE:+VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+CAMELLIA-256-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+COMP-NULL:+DHE-RSA:+RSA:+DHE-DSS:+SHA1:+MD5
 -l | tail -n4
Protocols: VERS-SSL3.0, VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0
Compression: COMP-NULL
Elliptic curves: none
PK-signatures: none

Starting with GnuTLS 3.3.15 this causes connection failures, since now
GnuTLS was fixed to correctly check PK-signature algorithms
(GNUTLS-SA-2015-2). Connecting to e.g. www.kernel.org now fails.

As a hotfix +CTYPE-X.509:+SIGN-ALL could be added, however looking at the
string I wonder whether it would not be better if lynx simply used
GnuTLS default settings with gnutls_set_default_priority() by default.
Optionally a configuration option allowing a user to specify an
alternate priority-string could be used.

I doubt that e.g. a deliberate choice was made to disable ECDHE and
SHA256 MAC when the priority string was hardcoded.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
