[gnutls-devel] Debian bug #857436: libgnutls-openssl27: OpenSSL wrapper not exposing TLS 1.1/1.2 ciphers

Andreas Metzler ametzler at bebt.de
Sat Mar 11 15:34:59 CET 2017


this is copy of http://bugs.debian.org/857436 by Justin Coffman reported
against 3.5.10:

Certain packages that rely on this OpenSSL wrapper library are unable to
connect using TLS 1.1/1.2 cipher suites.

Even though the server (and the client, when compiled against OpenSSL)
supports the full array of TLS 1.1/1.2 ciphers, the package as provided
seems to be limited to only TLS 1.0 ciphers.

An example is bug #842120 in package tf5.

tf5, when connecting using a version compiled manually against OpenSSL:

% Connected to server using cipher ECDHE-RSA-AES128-GCM-SHA256.

When connecting using the packaged version utilizing the OpenSSL

% Connected to server using cipher RSA_AES_128_CBC_SHA1.

Given the progression toward the deprecation of TLS 1.0 (see NIST SP
800-52 Rev. 1), it would seem prudent to ensure that packages not
written against GnuTLS are still capable of their full function.

I do not know  but I suspect that the OpenSSL API has changed quite a
bit in recent years and being a a good OpenSSL customer requires using
these new APIs. e.g. from the Exim 4.89 announcement: "Please note that
we are seeing OpenSSL issues which require 1.0.2 minimum ...".

OTOH the GnuTLS openssl wrapper does not seem to be seeing active

Therefore I suspect the usefulness of the GnuTLS openssl wrapper to be
decreasing, since only programs with outdated OpenSSL code work.

Am I guessing correctly?

cu Andreas
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

More information about the Gnutls-devel mailing list