Bug#1091103: gnutls-bin: SRP support is accidentally disabled since 3.8.1-2

Andreas Metzler ametzler at bebt.de
Mon Jan 13 17:10:19 GMT 2025


On 2025-01-13 Samuel Henrique <samueloph at debian.org> wrote:
>> it was me intentionally following upstream defaults when not having strong
>> arguments to deviate from them, so it was not accidental. Upstream NEWS
>> said:
>> ** libgnutls: SRP authentication is now disabled by default.
>>    It is disabled because the SRP authentication in TLS is not up to
>>    date with the latest TLS standards and its ciphersuites are based
>>    on the CBC mode and SHA-1.  To enable it back, supply
>>    --enable-srp-authentication option to configure script.

>> And afaiui SRP is not supported with TLS 1.3.

> Would it make sense to enable it for as long as TLS 1.2 is supported?

> For the curl package, we make use of GnuTLS to run tests for TLS-SRP
> support, without it we lose that test coverage. It's not critical, but
> it helps a lot.

Hello Samuel,

isn't this (testsuite case) a pretty weak argument for shipping an
outdated and rather exotic cyphersuite?

This really is supposed to be an honest question, I think I am missing
something important. I have got some saved-up trust in
$curl-maintainers and am ready to be convinced or told.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'


