[gnutls-devel] Debian bug #857436: libgnutls-openssl27: OpenSSL wrapper not exposing TLS 1.1/1.2 ciphers

[gnutls-devel] Debian bug #857436: libgnutls-openssl27: OpenSSL wrapper not exposing TLS 1.1/1.2 ciphers

Andreas Metzler-3
Hello,

this is a copy of http://bugs.debian.org/857436 by Justin Coffman reported
against 3.5.10:

8X----------------------------------------------
Certain packages that rely on this OpenSSL wrapper library are unable to
connect using TLS 1.1/1.2 cipher suites.

Even though the server (and the client, when compiled against OpenSSL)
supports the full array of TLS 1.1/1.2 ciphers, the package as provided
seems to be limited to only TLS 1.0 ciphers.

An example is bug #842120 in package tf5.

tf5, when connecting using a version compiled manually against OpenSSL:

% Connected to server using cipher ECDHE-RSA-AES128-GCM-SHA256.

When connecting using the packaged version utilizing the OpenSSL
wrapper:

% Connected to server using cipher RSA_AES_128_CBC_SHA1.

Given the progression toward the deprecation of TLS 1.0 (see NIST SP
800-52 Rev. 1), it would seem prudent to ensure that packages not
written against GnuTLS are still capable of their full function.
[...]
8X----------------------------------------------

I do not know, but I suspect that the OpenSSL API has changed quite a
bit in recent years and being a good OpenSSL customer requires using
these new APIs. e.g. from the Exim 4.89 announcement: "Please note that
we are seeing OpenSSL issues which require 1.0.2 minimum ...".

OTOH the GnuTLS openssl wrapper does not seem to be seeing active
development.

Therefore I suspect the usefulness of the GnuTLS openssl wrapper to be
decreasing, since only programs with outdated OpenSSL code work.

Am I guessing correctly?

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel
Re: [gnutls-devel] Debian bug #857436: libgnutls-openssl27: OpenSSL wrapper not exposing TLS 1.1/1.2 ciphers

Nikos Mavrogiannopoulos
On Sat, 2017-03-11 at 15:34 +0100, Andreas Metzler wrote:
> Hello,
>
> this is a copy of http://bugs.debian.org/857436 by Justin Coffman
> reported
> against 3.5.10:
[...]

> I do not know, but I suspect that the OpenSSL API has changed quite a
> bit in recent years and being a good OpenSSL customer requires
> using
> these new APIs. e.g. from the Exim 4.89 announcement: "Please note
> that
> we are seeing OpenSSL issues which require 1.0.2 minimum ...".
>
> OTOH the GnuTLS openssl wrapper does not seem to be seeing active
> development.
>
> Therefore I suspect the usefulness of the GnuTLS openssl wrapper to
> be decreasing, since only programs with outdated OpenSSL code work.
> Am I guessing correctly?

I guess so. Furthermore I have no plans to update this wrapper. If it
proves not useful to existing programs, and there is no "owner" of it, I
think it would make more sense to schedule dropping it from gnutls.

regards,
Nikos


Re: [gnutls-devel] Debian bug #857436: libgnutls-openssl27: OpenSSL wrapper not exposing TLS 1.1/1.2 ciphers

Andreas Metzler-3
In reply to this post by Andreas Metzler-3
On 2017-03-11 Andreas Metzler <[hidden email]> wrote:
[...]> 8X----------------------------------------------
> Certain packages that rely on this OpenSSL wrapper library are unable to
> connect using TLS 1.1/1.2 cipher suites.

> Even though the server (and the client, when compiled against OpenSSL)
> supports the full array of TLS 1.1/1.2 ciphers, the package as provided
> seems to be limited to only TLS 1.0 ciphers.

Actually this *seems* to be trivially fixable.

/Seems/ because I assume there is/was a reason for using a custom
priority string. ;-)

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'


0001-Use-NORMAL-priority-for-SSLv23_-_method.patch (1K) Download Attachment
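The two tf5 log lines in the bug report (ECDHE-RSA-AES128-GCM-SHA256 with a native OpenSSL build, RSA_AES_128_CBC_SHA1 through the GnuTLS wrapper) are the server's choice, so the quickest way to confirm that the wrapper itself is the limiting side is to look at what the client actually offers in its ClientHello. The following Python script is an added example, not code from the GnuTLS project, the patch attached to this post, or the bug report: it parses the version and cipher-suite list out of a raw ClientHello record (for instance one captured with a packet sniffer and saved as bytes) and reports whether any TLS 1.2-only suite is offered. The two sample hellos and the small suite table are constructed here for illustration; the suite codes 0xC02F and 0x002F are the IANA values for the two suites named in the report (GnuTLS prints the latter as RSA_AES_128_CBC_SHA1).

```python
"""Report the protocol version and cipher suites a TLS client offers.

Added example for diagnosing a client that is stuck on TLS 1.0 suites, as in
Debian bug #857436. Not part of gnutls or the wrapper; the sample ClientHello
records below are constructed by hand, not captured from tf5.
"""
import struct

# Constructed subset of the IANA cipher-suite registry: only the suites
# mentioned in the thread plus two common neighbours.
SUITE_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # AEAD: TLS 1.2 only
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",         # SHA-256 MAC: TLS 1.2 only
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",            # GnuTLS: RSA_AES_128_CBC_SHA1
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
TLS12_ONLY = {0xC02F, 0x003C}
VERSION_NAMES = {(3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}


def parse_client_hello(record: bytes) -> dict:
    """Extract the legacy client_version and cipher-suite list from a ClientHello.

    Extensions are not parsed, so for TLS 1.3 clients (which signal their real
    version in supported_versions) the reported version is the legacy field.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 0
    client_version = (hello[pos], hello[pos + 1])
    pos += 2
    pos += 32                      # ClientRandom
    session_id_len = hello[pos]
    pos += 1 + session_id_len      # legacy session id
    suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0]
              for i in range(0, suites_len, 2)]
    return {"version": VERSION_NAMES.get(client_version, str(client_version)),
            "suites": suites,
            "names": [SUITE_NAMES.get(s, "0x%04X" % s) for s in suites]}


def offers_tls12_suites(record: bytes) -> bool:
    """True when the client advertises TLS 1.2 and at least one TLS 1.2-only suite."""
    info = parse_client_hello(record)
    return info["version"] == "TLS1.2" and any(s in TLS12_ONLY for s in info["suites"])


def build_client_hello(version: tuple, suites: list) -> bytes:
    """Construct a minimal extension-less ClientHello record (test input only)."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"          # version, random, empty sid
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                      # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: what a client limited to TLS 1.0 suites sends, and what
# a client with a modern default priority sends.
LEGACY_HELLO = build_client_hello((3, 1), [0x002F, 0x0035])
MODERN_HELLO = build_client_hello((3, 3), [0xC02F, 0x003C, 0x002F, 0x0035])

if __name__ == "__main__":
    for label, rec in (("legacy", LEGACY_HELLO), ("modern", MODERN_HELLO)):
        info = parse_client_hello(rec)
        print(label, info["version"], info["names"],
              "TLS1.2 suites offered:", offers_tls12_suites(rec))
```

Run against a real capture, replace LEGACY_HELLO with the bytes of the first record the wrapper-linked client sends; if the version is TLS1.0 and no TLS 1.2-only suite appears, the restriction is on the client side (here, the wrapper's priority string) rather than the server's configuration.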
Re: [gnutls-devel] Debian bug #857436: libgnutls-openssl27: OpenSSL wrapper not exposing TLS 1.1/1.2 ciphers

Andreas Metzler-3
On 2017-03-16 Andreas Metzler <[hidden email]> wrote:
> On 2017-03-11 Andreas Metzler <[hidden email]> wrote:
> [...]> 8X----------------------------------------------
>> Certain packages that rely on this OpenSSL wrapper library are unable to
>> connect using TLS 1.1/1.2 cipher suites.

>> Even though the server (and the client, when compiled against OpenSSL)
>> supports the full array of TLS 1.1/1.2 ciphers, the package as provided
>> seems to be limited to only TLS 1.0 ciphers.

> Actually this *seems* to be trivially fixable.

Ping?


Re: [gnutls-devel] Debian bug #857436: libgnutls-openssl27: OpenSSL wrapper not exposing TLS 1.1/1.2 ciphers

Nikos Mavrogiannopoulos
On Thu, Mar 30, 2017 at 7:05 PM, Andreas Metzler <[hidden email]> wrote:

> On 2017-03-16 Andreas Metzler <[hidden email]> wrote:
>> On 2017-03-11 Andreas Metzler <[hidden email]> wrote:
>> [...]> 8X----------------------------------------------
>>> Certain packages that rely on this OpenSSL wrapper library are unable to
>>> connect using TLS 1.1/1.2 cipher suites.
>
>>> Even though the server (and the client, when compiled against OpenSSL)
>>> supports the full array of TLS 1.1/1.2 ciphers, the package as provided
>>> seems to be limited to only TLS 1.0 ciphers.
>
>> Actually this *seems* to be trivially fixable.
>
> Ping?

Hi,
 Possibly, but I have not checked it. If you have any patch for it
please go for it and submit an MR.

regards,
Nikos
