[gnutls-devel] NORMAL:-SIGN-ALL changed behavior in 3.3.15

Andreas Metzler ametzler at bebt.de
Sun May 10 13:24:39 CEST 2015


I have tried finding the reason for <https://bugs.debian.org/784430>
(lynx not being able to connect to kernel.org since upgrading GnuTLS
to 3.3.15). Afaict it comes from lynx using this byzantine priority

Which notably does not add any of the following after removing all by
starting with NONE:
- SIGN-* (Signature algorithms)
- CURVE-* (Elliptic curves)
- CTYPE-* (Certificate type)

Boiling this down to the simplest case shows that 3.3.14 connected
successfully (including certificate verification) to www.kernel.org,
but 3.3.15 stopped doing so. I suspect it is a side-effect of the fix
for GNUTLS-SA-2015-2.

Is this the right thing to do? And if it is (I personally think so)
gnutls-cli --priority=NORMAL:-CTYPE-ALL www.kernel.org
also fail?

cu Andreas
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'