void-packages

A bug in gnutls-3.8.5_1 while connecting to some servers with old TLS (gnutls-3.8.4_1 works fine)

Open djaonline opened this issue 10 months ago • 7 comments

Is this a new report?

No

System Info

Void 6.6.25_1 x86_64 GenuineIntel uptodate rFF

Package(s) Affected

gnutls-3.8.5_1

Does a report exist for this bug with the project's home (upstream) and/or another distro?

Same issue in Debian https://www.mail-archive.com/[email protected]/msg1965706.html

Expected behaviour

gnutls-cli some-old-tls-server successful output

Actual behaviour

gnutls-cli some-old-tls-server output with error *** Fatal error: The encryption algorithm is not supported.

Steps to reproduce

gnutls-cli old-tls-server output with error *** Fatal error: The encryption algorithm is not supported.

djaonline, Apr 11 '24 18:04

Can you test #49809 to see if that fixes the problem? Or alternatively provide a known failing server that can be tested.

cinerea0, Apr 11 '24 19:04

@cinerea0 I tried the commit. It hasn't solved the problem :( Still the error "The encryption algorithm is not supported."

djaonline, Apr 11 '24 21:04

Can you show the steps to reproduce and/or its full logs?

sgn, Apr 12 '24 05:04

gnutls-cli-debug -V xxx

GnuTLS debug client 3.8.5
Checking xxx:443
whether the server accepts default record size (512 bytes)... no
                  whether %ALLOW_SMALL_RECORDS is required... no
                        whether we need to disable TLS 1.2... yes
                        whether we need to disable TLS 1.1... yes
                        whether we need to disable TLS 1.0... yes
                        whether %NO_EXTENSIONS is required... skipped
                               whether %COMPAT is required... skipped
                             for TLS 1.0 (RFC2246) support... no
 for TLS 1.0 (RFC2246) support with TLS 1.0 record version... no
                             for TLS 1.1 (RFC4346) support... no
                                  fallback from TLS 1.1 to... failed
                             for TLS 1.2 (RFC5246) support... no
                             for TLS 1.3 (RFC8446) support... no
                    for known TLS or SSL protocols support... no

djaonline, Apr 12 '24 08:04

Working OpenConnect VPN client GUI info: (image)

Server info from admins:
TLSv1.0
TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA

djaonline, Apr 12 '24 08:04

I'm just passing through but you may have inadvertently included sensitive information in this issue. I would recommend rekeying that certificate and removing the posts.

nazgulsenpai, May 02 '24 19:05

there aren't any private keys, the certificate is fine

classabbyamp, May 02 '24 19:05

Any progress on this? I think I may be hitting this bug.

RobJamesRamos, Jun 07 '24 17:06

The list of closed issues associated with 3.8.6 seems to indicate this issue was fixed there, can you try out #51193 and check?

cinerea0, Jul 10 '24 15:07