Bug#857436: libgnutls-openssl27: OpenSSL wrapper not exposing TLS 1.1/1.2 ciphers
Justin Coffman
justin at covert.one
Sat Mar 11 05:48:48 UTC 2017
Package: libgnutls-openssl27
Version: 3.5.10-1
Severity: important
Certain packages that rely on this OpenSSL wrapper library are unable to connect using TLS 1.1/1.2 cipher suites.
Even though the server (and the client, when compiled against OpenSSL) supports the full array of TLS 1.1/1.2 ciphers, the package as provided seems to be limited to only TLS 1.0 ciphers.
An example is bug #842120 in package tf5.
tf5, when connecting using a version compiled manually against OpenSSL:
% Connected to server using cipher ECDHE-RSA-AES128-GCM-SHA256.
When connecting using the packaged version utilizing the OpenSSL wrapper:
% Connected to server using cipher RSA_AES_128_CBC_SHA1.
Given the progression toward the deprecation of TLS 1.0 (see NIST SP 800-52 Rev. 1), it would seem prudent to ensure that packages not written against GnuTLS are still capable of their full function.
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libgnutls-openssl27 depends on:
ii libc6 2.24-9
ii libgnutls30 3.5.10-1
libgnutls-openssl27 recommends no packages.
libgnutls-openssl27 suggests no packages.
-- no debconf information
More information about the Pkg-gnutls-maint
mailing list