[gnutls-devel] GnuTLS | GnuTLS 3.8.5 broke TLS connections to RSA cert using hosts (#1540)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Tue Apr 9 19:28:20 CEST 2024
Alexander Sosedkin commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1540#note_1853760757
Thank you for confirming. The beginning of the log when the config is parsed seems to be missing, but, I guess, we can do without one now.
Here are the results of investigation into it (not mine):
@ZoltanFridrich had the intention to have [`cfg->allow_rsa_pkcs1_encrypt = true;](https://gitlab.com/gnutls/gnutls/-/blob/49f4ae2109b7cc969539b90be92a5844bbe7b322/lib/priority.c?page=3#L1427) by default and thus cause no behaviour change in the existing configurations.
Prompted by your report, @dueno has noticed that [`cfg_apply()` doing this](https://gitlab.com/gnutls/gnutls/-/blob/49f4ae2109b7cc969539b90be92a5844bbe7b322/lib/priority.c?page=3#L2298) is, unfortunately, only called if the configuration file is available and valid. He also proposed a plan to resolve this: moving the `= true;` line immediately after [the config structure gets zeroized](https://gitlab.com/gnutls/gnutls/-/blob/49f4ae2109b7cc969539b90be92a5844bbe7b322/lib/priority.c?page=3#L2280).
Since there probably are many more distros not shipping a config at all, the issue might have a rather wide impact and warrant a follow-up release.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1540#note_1853760757
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20240409/3c02170b/attachment.html>
More information about the Gnutls-devel
mailing list