[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Lynx-dev] gnutls priority string disables any signature algorithms and

From: Andreas Metzler
Subject: [Lynx-dev] gnutls priority string disables any signature algorithms and ertificate types
Date: Mon, 11 May 2015 19:09:01 +0200
User-agent: tin/2.2.1-20140504 ("Tober an Righ") (UNIX) (Linux/3.16.0-4-amd64 (x86_64))


lynx 2.8.9dev6 uses the following GnuTLS priority string:

This any signature algorithms and ertificate types:

(SID)address@hidden:~$ gnutls-cli 
 -l | tail -n4
Protocols: VERS-SSL3.0, VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0
Compression: COMP-NULL
Elliptic curves: none
PK-signatures: none

Starting with GnuTLS 3.3.15 this causes connection failures, since now
GnuTLS was fixed to correctly check PK-signature algoritms
(GNUTLS-SA-2015-2). Connecting to e.g. now fails.

As a hotfix +CTYPE-X.509:+SIGN-ALL could be added, however looking the
string I wonder whether it would not be better if lynx simple used
GnuTLS default settings with gnutls_set_default_priority() by default.
Optionally a configuration option allowing a user to specify an
alternate priority-string could be used.

I doubt that e.g. a deliberate choice was made to disable ECDHE and
SHA256 MAC when the priority string was hardcoded.

cu Andreas

`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

reply via email to

[Prev in Thread] Current Thread [Next in Thread]