[gnutls-devel] 3.6.2 testsuite error with softhsm 2.4.0

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Sat May 12 14:20:15 CEST 2018

Note that if you use the revert you will make incompatible gnutls with other implementations with RSA PSS. If I remember well, these ciphersuites are from TLS1.3 draft21 and they changed semantics in later drafts. that's why they were disabled in 3.6.2. I think it is best to mark the test as xfail.

On May 12, 2018 12:07:02 PM UTC, Andreas Metzler <ametzler at bebt.de> wrote:
>On 2018-05-10 Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
>> On Thu, May 10, 2018 at 4:21 PM, Andreas Metzler <ametzler at bebt.de>
>> > tests/pkcs11/tls-neg-pkcs11-key fails after upgrading softhsm from
>>> # 2.4.0
>>> (sid)ametzler at argenau:/tmp/GNUTLS/gnutls-3.6.2/b4deb$
>>> The token has been initialized and is reassigned to slot 1993469037
>>> checking: tls1.2: ecc key
>>> checking: tls1.2: rsa-sign key
>>> checking: tls1.2: rsa-sign key with rsa-pss sigs prioritized
>>> checking: tls1.2: rsa-pss-sign key
>>> client[-28]: Resource temporarily unavailable, try again.
>>> server[-87]: No supported cipher suites have been found.
>>> try_with_key:189: Handshake failed
>>> This is on Debian sid.
>> I have debian testing at home and it seems to work here (trying from
>> gnutls master)
>Yes, gnutls master works. I have run git bisect to locate the
>"unbreakage" in between 3.6.2 and master and found
>962ef882031062866f6782078af17cf9701266da which reverts 
>| ef44477127952c13e93d7ea88f7b549bf36602f5
>| priority: disable the enabled by default RSA-PSS signature
>| algorithms
>| They have been modified in the latest (yet unsupported) TLS 1.3
>| drafts, so prevent causes interoperability failures by keeping them
>| on.
>And indeed reverting ef44477127952c13e93d7ea88f7b549bf36602f5 on top of
>3.6.2 also fixes the testsuite error in tls-neg-pkcs11-key.
>cu Andreas

Sent from my mobile. Please excuse my brevity.

More information about the Gnutls-devel mailing list