[Pkg-gnutls-maint] Bug#422024: gnutls13: default list of supported
protocols doesn't match documentation
Jan Christoph Nordholz
hesso at pool.math.tu-berlin.de
Wed May 2 23:06:59 UTC 2007
Package: libgnutls13
Version: 1.7.7-1
Tags: experimental
Hi,
code and documentation seem to have diverged when TLS1.2 was introduced:
-> lib/gnutls_priority.c, lines 252 ff., gnutls_set_default_priority()
] [...]
] * The order is TLS 1.2, TLS 1.1, TLS 1.0, SSL3 for protocols.
] * RSA, DHE_DSS, DHE_RSA for key exchange
] * algorithms. SHA, MD5 and RIPEMD160 for MAC algorithms.
] * AES_128_CBC, 3DES_CBC,
] * and ARCFOUR_128 for ciphers.
] [...]
] static const int protocol_priority[] = { GNUTLS_TLS1_2, GNUTLS_TLS1_1, GNUTLS_SSL3, 0 };
] static const int kx_priority[] =
] { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, 0 };
] static const int cipher_priority[] = {
] GNUTLS_CIPHER_AES_128_CBC,
] GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, 0
] };
] static const int comp_priority[] = { GNUTLS_COMP_NULL, 0 };
] static const int mac_priority[] =
] { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, 0 };
] [...]
TLS1.0 and MAC_RIPEMD are gone... I guess this is intentional, but it
should be documented accordingly, because I've just crept for hours through
an application's source code searching for the magic call that disables
TLS1.0... ;-)
Regards,
Jan
PS: This (upstream) change makes the package description look a bit absurd,
advertising TLS1.0 support when it's deactivated by default...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20070503/e5b66894/attachment.pgp
More information about the Pkg-gnutls-maint
mailing list