Bug#857436: libgnutls-openssl27: OpenSSL wrapper not exposing TLS 1.1/1.2 ciphers

Justin Coffman justin at covert.one
Sat Mar 11 05:48:48 UTC 2017

Package: libgnutls-openssl27
Version: 3.5.10-1
Severity: important

Certain packages that rely on this OpenSSL wrapper library are unable to connect using TLS 1.1/1.2 cipher suites.

Even though the server (and the client, when compiled against OpenSSL) supports the full array of TLS 1.1/1.2 ciphers, the package as provided seems to be limited to only TLS 1.0 ciphers.

An example is bug #842120 in package tf5.

tf5, when connecting using a version compiled manually against OpenSSL:

% Connected to server using cipher ECDHE-RSA-AES128-GCM-SHA256.

When connecting using the packaged version utilizing the OpenSSL wrapper:

% Connected to server using cipher RSA_AES_128_CBC_SHA1.

Given the progression toward the deprecation of TLS 1.0 (see NIST SP 800-52 Rev. 1), it would seem prudent to ensure that packages not written against GnuTLS are still capable of their full function.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libgnutls-openssl27 depends on:
ii  libc6        2.24-9
ii  libgnutls30  3.5.10-1

libgnutls-openssl27 recommends no packages.

libgnutls-openssl27 suggests no packages.

-- no debconf information

More information about the Pkg-gnutls-maint mailing list