Bug#710657: gnutls: Negotiates an SSL v3.0 cipher when talking to openssl using TLS 1.2

Kurt Roeckx kurt at roeckx.be
Sat Jun 1 10:42:15 UTC 2013


Source: gnutls26
Version: 2.12.20-6
Severity: important
Tags: security

Hi,

When using gnutls-cli to talk to apache with mod_ssl, I
always get this when testing with SSL v3.0 to TLS v1.2:
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1

When talking to it with TLS 1.2, I really would like to see
that it doesn't use SHA1.  From gnutls-cli --list, I would
expect it to use one of the following:
TLS_DHE_RSA_AES_128_CBC_SHA256                          0x00, 0x67 TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA256                          0x00, 0x6b TLS1.2

Openssl supports both of them.

openssl also selects DHE-RSA-AES256-SHA256 when talking to itself
when GCM is disabled, so I assume this is a gnutls problem.


Kurt
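
An added example, not part of the original message: a check that parses a ServerHello and flags a TLS 1.2 handshake that settled on a SHA1-MAC suite, which is the condition the report describes. The two SHA256 suite IDs are the ones quoted above; 0x0033 is the IANA ID for DHE-RSA/AES-128-CBC/SHA1, and the function names and the sample record are constructed for illustration.

```python
import struct

# 0x0067 and 0x006b are quoted in the report from `gnutls-cli --list`;
# 0x0033 is the IANA ID for the DHE-RSA / AES-128-CBC / SHA1 suite.
SUITES = {
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "SHA1"),
    0x0067: ("TLS_DHE_RSA_AES_128_CBC_SHA256", "SHA256"),
    0x006B: ("TLS_DHE_RSA_AES_256_CBC_SHA256", "SHA256"),
}
VERSIONS = {0x0300: "SSL3.0", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}


def parse_server_hello(record: bytes):
    """Return (version, suite_id) from a single-record ServerHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len or len(body) < 4:
        raise ValueError("not a complete handshake record")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # server_version(2) + random(32) + session_id_len(1) come first
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]  # skip the variable-length session_id
    if len(hello) < off + 3:  # cipher_suite(2) + compression_method(1)
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(hello[0:2], "big")
    return version, int.from_bytes(hello[off:off + 2], "big")


def check(record: bytes):
    """Return (version name, suite name, flagged); flagged = TLS 1.2 with SHA1 MAC."""
    version, suite = parse_server_hello(record)
    name, mac = SUITES.get(suite, (f"unknown 0x{suite:04x}", None))
    flagged = version == 0x0303 and mac == "SHA1"
    return VERSIONS.get(version, hex(version)), name, flagged


def make_server_hello(version: int, suite: int, sid: bytes = b"") -> bytes:
    """Build a constructed (not captured) ServerHello record for testing."""
    hello = struct.pack("!H", version) + bytes(32) + bytes([len(sid)]) + sid
    hello += struct.pack("!HB", suite, 0)  # suite + null compression
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(hs)) + hs
```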


