[gnutls-devel] GnuTLS | gnutls_cli_debug / test_ssl3 don't detect some old SSLv3 servers (#958)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Mon May 18 02:21:30 CEST 2020




Daniel Lenski commented:


My previous MR (!1221) could be improved, because it correctly shows the (partial) SSL 3.0 support of these servers but does not show the (partial) TLS 1.0 support.

```
$ ../gnutls/src/gnutls-cli-debug jazzvpn.jazzsemi.com
GnuTLS debug client 3.6.12
Checking jazzvpn.jazzsemi.com:443
whether the server accepts default record size (512 bytes)... no
                  whether %ALLOW_SMALL_RECORDS is required... no
                             for SSL 3.0 (RFC6101) support... yes
                               for SSL 3.0 with extensions... no
        for SSL 3.0 with cipher suites not in SSL 3.0 spec... yes
                        whether we need to disable TLS 1.2... yes
                        whether we need to disable TLS 1.1... yes
                        whether we need to disable TLS 1.0... no
```

With !1251, this is improved, and a few other important bits of the output are clarified:

```
                        whether we need to disable TLS 1.0... no
                        whether %NO_EXTENSIONS is required... yes
                     for 3DES-CBC cipher (RFC2246) support... yes
                  for ARCFOUR 128 cipher (RFC2246) support... yes
```

This clarifying information may enable someone who needs to use such a server to use the
(marginally-less insecure?) combination of TLS 1.0 and RC4 rather than SSL 3.0.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/958#note_344037865
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200518/462f5902/attachment.html>


More information about the Gnutls-devel mailing list