Bug#1130152: libgnutls30t64: extensions shuffling regression in 3.8.5 causes handshake failure with certain servers
Andreas Metzler
ametzler at bebt.de
Mon Mar 9 17:44:37 GMT 2026
On 2026-03-09 Simon McVittie <smcv at collabora.com> wrote:
> Package: libgnutls30t64
> Version: 3.8.5-1
> Severity: important
> Tags: trixie upstream fixed-upstream
> Forwarded: https://gitlab.com/gnutls/gnutls/-/work_items/1660
> Control: found -1 3.8.9-3+deb13u2
> Control: fixed -1 3.8.12-2
> User: linux at steampowered.com
> Usertags: origin-steamrt steamrt4
> A regression in GnuTLS 3.8.5, which started shuffling the extensions
> order, causes an interoperability issue leading to handshake failures
> with some SSL/TLS servers. I'm reporting this at important severity since
> it's an interop regression affecting an unknown number of remote services.
> From the linked regression report https://github.com/luakit/luakit/issues/1101,
> it seems that at the time of writing, search.dismail.de is a good test-case,
> for example:
[...]
> This appears to have been fixed by
> https://gitlab.com/gnutls/gnutls/-/merge_requests/1930
> after the 3.8.9 release, commit
> <https://gitlab.com/gnutls/gnutls/-/commit/dc5ee80c3a28577e9de0f82fb08164e4c02b96af>,
> but unfortunately that commit didn't make it into Debian 13. Please
> could this change be backported?
Sure, I can do that. Thanks for the excellent report! (MR just popped in
my inbox, too.)
> (I haven't yet verified that this change
> resolves the issue, I'll look into that next.)
It does resolve connecting to search.dismail.de.
cu Andreas
--
"You people are noisy," Nia said.
I made the gesture of agreement.