void-linux / void-packages


A bug in gnutls-3.8.5_1 while connecting to some servers with old TLS (gnutls-3.8.4_1 works fine) #49804

Open djaonline opened 6 months ago

djaonline commented 6 months ago

Is this a new report?

No

System Info

Void 6.6.25_1 x86_64 GenuineIntel uptodate rFF

Package(s) Affected

gnutls-3.8.5_1

Does a report exist for this bug with the project's home (upstream) and/or another distro?

Same issue in debian https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1965706.html

Expected behaviour

gnutls-cli some-old-tls-server successful output

Actual behaviour

gnutls-cli some-old-tls-server output with error *** Fatal error: The encryption algorithm is not supported.

Steps to reproduce

gnutls-cli old-tls-server output with error *** Fatal error: The encryption algorithm is not supported.

cinerea0 commented 6 months ago

Can you test #49809 to see if that fixes the problem? Or alternatively provide a known failing server that can be tested.

djaonline commented 6 months ago

@cinerea0 I tried the commit. It hasn't solved the problem:( Still error "The encryption algorithm is not supported."

sgn commented 6 months ago

Can you show the steps to reproduce and/or its full logs?

djaonline commented 6 months ago

gnutls-cli-debug -V xxx

GnuTLS debug client 3.8.5
Checking xxx:443
whether the server accepts default record size (512 bytes)... no
                  whether %ALLOW_SMALL_RECORDS is required... no
                        whether we need to disable TLS 1.2... yes
                        whether we need to disable TLS 1.1... yes
                        whether we need to disable TLS 1.0... yes
                        whether %NO_EXTENSIONS is required... skipped
                               whether %COMPAT is required... skipped
                             for TLS 1.0 (RFC2246) support... no
 for TLS 1.0 (RFC2246) support with TLS 1.0 record version... no
                             for TLS 1.1 (RFC4346) support... no
                                  fallback from TLS 1.1 to... failed
                             for TLS 1.2 (RFC5246) support... no
                             for TLS 1.3 (RFC8446) support... no
                    for known TLS or SSL protocols support... no

djaonline commented 6 months ago

Working OpenConnect VPN client GUI info: (image)

Server info from admins:
TLSv1.0
TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA

nazgulsenpai commented 6 months ago

I'm just passing through but you may have inadvertently included sensitive information in this issue. I would recommend rekeying that certificate and removing the posts.

classabbyamp commented 6 months ago

there aren't any private keys, the certificate is fine

RobJamesRamos commented 5 months ago

Any progress on this? I think I may be hitting this bug.

cinerea0 commented 3 months ago

The list of closed issues associated with 3.8.6 seems to indicate this issue was fixed there, can you try out #51193 and check?