Bug#1091103: gnutls-bin: SRP support is accidentally disabled since 3.8.1-2
Andreas Metzler
ametzler at bebt.de
Sun Dec 22 18:01:11 GMT 2024
On 2024-12-22 Samuel Henrique <samueloph at debian.org> wrote:
> Package: gnutls-bin
> Version: 3.8.1-2
> Severity: important
> When investigating an issue with curl's testsuite, I've noticed that
> gnutls-serv stopped reporting the SRP feature:
> $ gnutls-serv -l | grep SRP
> No matches on unstable, whereas stable shows SRP enabled.
> Looking through the build logs, I found out that this happened between 3.7.9-2
> and 3.8.1-2 (on sid).
> The build logs for 3.7.9-2 contain:
> checking whether to disable SRP authentication support... no
> And for 3.8.1-2:
> checking whether to enable SRP authentication support... no
> Notice how the check went from "disable" to "enable". Likely a change of
> defaults from upstream where we dropped the feature due to not explicitly
> setting it in d/rules.
> There was no mention in d/changelog about it, so I assume this was
> accidental.
[...]
Hello,
it was me intentionally following upstream defaults when not having strong
arguments to deviate from them, so it was not accidental. Upstream NEWS
said:

** libgnutls: SRP authentication is now disabled by default.
   It is disabled because the SRP authentication in TLS is not up to
   date with the latest TLS standards and its ciphersuites are based
   on the CBC mode and SHA-1. To enable it back, supply
   --enable-srp-authentication option to configure script.

And afaiui SRP is not supported with TLS 1.3.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
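
Added example, not part of the thread or of the gnutls packaging: a shell check that reads the SRP configure line from two build logs and reports when support was dropped, taking into account that the check's wording flipped from "disable" to "enable". The function names and the sample logs are constructed for illustration, and treating "yes" on the "enable" check as enabled is an assumption based on the wording.

```shell
#!/bin/sh
# Added example: derive SRP state from configure output in a build log.

# Print enabled, disabled or unknown for the configure log on stdin.
# The wording of the check is reversed between the two logs quoted in the
# report, so the answer "no" means opposite things; the verb must be read too.
srp_state_from_log() {
    awk '
        BEGIN { state = "unknown" }
        /checking whether to (enable|disable) SRP authentication support\.\.\. (yes|no)$/ {
            verb = $4; answer = $NF
            if (verb == "disable") state = (answer == "no")  ? "enabled" : "disabled"
            else                   state = (answer == "yes") ? "enabled" : "disabled"
        }
        END { print state }   # last matching line wins if configure ran twice
    '
}

# Return 0 when SRP was enabled in the old log and is disabled in the new one.
srp_dropped() {
    old=$(srp_state_from_log < "$1")
    new=$(srp_state_from_log < "$2")
    [ "$old" = "enabled" ] && [ "$new" = "disabled" ]
}

# Constructed sample logs: the SRP lines are the ones quoted in the report,
# the neighbouring lines are made up for context.
make_samples() {
    cat > "$1/old.log" <<'EOF'
checking for a BSD-compatible install... /usr/bin/install -c
checking whether to disable SRP authentication support... no
EOF
    cat > "$1/new.log" <<'EOF'
checking for a BSD-compatible install... /usr/bin/install -c
checking whether to enable SRP authentication support... no
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_samples "$tmp"
    if srp_dropped "$tmp/old.log" "$tmp/new.log"; then
        echo "SRP support dropped between builds"
    fi
    rm -rf "$tmp"
}
demo
```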