FS#59554 - [gnutls] supported priority strings not matching upstream

Attached to Project: Arch Linux
Opened by ipp (n8V8r) - Tuesday, 07 August 2018, 12:50 GMT
Last edited by Doug Newgard (Scimmia) - Tuesday, 07 August 2018, 17:12 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: No-one
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

Description: The supported priority strings listed upstream https://gnutls.org/manual/html_node/Priority-Strings.html are not being matched by the repo's package. This has a detrimental impact on packages being reliant on gnutls for TLS encryption such as [ msmtp ] not being able to handle certain types of certificates.


Additional info:
* package version(s) 3.5.19
* config and/or log files etc.

# gnutls-cli --priority-list

Priority strings in GnuTLS 3.5.19:
NORMAL PFS SECURE128 SECURE192 SUITEB128 SUITEB192 LEGACY PERFORMANCE


Special strings:
%NO_ETM %NO_TICKETS %NEW_PADDING %NO_EXTENSIONS %NO_SESSION_HASH
%COMPAT %DISABLE_WILDCARDS %SAFE_RENEGOTIATION %SSL3_RECORD_VERSION
%UNSAFE_RENEGOTIATION %STATELESS_COMPRESSION %PROFILE_HIGH %FALLBACK_SCSV
%PROFILE_MEDIUM %VERIFY_DISABLE_CRL_CHECKS %DISABLE_SAFE_RENEGOTIATION
%VERIFY_ALLOW_X509_V1_CA_CRT %PROFILE_ULTRA %PROFILE_LEGACY %VERIFY_ALLOW_SIGN_RSA_MD5
%PARTIAL_RENEGOTIATION %DEBUG_ALLOW_KEY_USAGE_VIOLATIONS %DUMBFW
%PROFILE_VERY_WEAK %LATEST_RECORD_VERSION %SERVER_PRECEDENCE %PROFILE_SUITEB128
%PROFILE_LOW

Steps to reproduce:

Closed by Doug Newgard (Scimmia) - Tuesday, 07 August 2018, 17:12 GMT
Reason for closing: Not a bug
Comment by Doug Newgard (Scimmia) - Tuesday, 07 August 2018, 16:34 GMT
What, exactly, is the problem here?
Comment by ipp (n8V8r) - Tuesday, 07 August 2018, 17:07 GMT
The supported priority strings in this repo package are not corresponding with upstream.

From the initial keywords, [ NONE ] and [ SECURE256 ] appear to be absent, reading the output from [ gnutls-cli --priority-list ].

[ GROUP-ALL ] is producing a syntax error, same as [ NONE ].


Connecting over TLS to a remote host serving an X509v3 certificate signed with ecdsa-with-SHA512. The certificate in question is working with no issues in other applications.

gnutls-cli --priority=PFS:+SIGN-ALL:+CIPHER-ALL:+CURVE-ALL:+KX-ALL --port=50025 mail
Processed 150 CA certificate(s).
Resolving 'mail:50025'...
Connecting to '172.24.109.6:50025'...
|<1>| Received record packet of unknown type 50
*** Fatal error: An unexpected TLS packet was received.
*** handshake has failed: An unexpected TLS packet was received.

Comment by Doug Newgard (Scimmia) - Tuesday, 07 August 2018, 17:11 GMT
SECURE256 is just an alias, and NONE literally means none. I don't see that there's a problem there at all.
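
Added example, not part of the thread or of GnuTLS: a small Python classifier for the first bytes a server sends back, as a way to read the "Received record packet of unknown type 50" line in the 17:07 comment. TLS record content types are 20 to 24, while 50 is the ASCII code of the character '2'; the SMTP-style greeting and the alert below are constructed sample inputs, since the page does not show what the server actually sent.

```python
import struct

# TLS record content types (RFC 5246, RFC 6520, RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data", 24: "heartbeat"}
MAX_RECORD_LEN = 2**14 + 2048  # upper bound for a TLS 1.2 ciphertext record

# Constructed sample inputs (not captured from the host in the report).
SMTP_BANNER = b"220 mail.example ESMTP ready\r\n"
TLS_ALERT = bytes([21, 3, 3, 0, 2, 2, 40])  # fatal handshake_failure alert


def classify_first_bytes(data: bytes) -> dict:
    """Interpret the first bytes a server sent in reply to a ClientHello."""
    if len(data) < 5:
        return {"kind": "short", "detail": "no complete 5-byte record header"}
    # Record header: content type (1), version major/minor (2), length (2).
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if (ctype in CONTENT_TYPES and major == 3 and minor <= 4
            and length <= MAX_RECORD_LEN):
        return {"kind": "tls", "type": ctype, "name": CONTENT_TYPES[ctype],
                "version": (major, minor), "length": length}
    # Not a TLS record: if the first line is printable ASCII, show it as text.
    line = data.split(b"\r\n", 1)[0]
    if line and all(32 <= b < 127 for b in line):
        text = line.decode("ascii")
        hint = "plaintext reply"
        if text[:3].isdigit():
            hint = "plaintext status line (SMTP/FTP-style greeting)"
        return {"kind": "plaintext", "type": ctype, "text": text, "hint": hint}
    return {"kind": "unknown", "type": ctype}


if __name__ == "__main__":
    for sample in (SMTP_BANNER, TLS_ALERT):
        print(classify_first_bytes(sample))
```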
