Hello Philip,

Philip Schaten <phi...@noerdcampus.de> writes:

> Hi!
> After an upgrade to Fedora 34, gnutls-cli gives me a
> `*** Fatal error: One of the involved algorithms has insufficient
> security level.` when connecting to my university mail server.
>
> With `gnutls-cli --allow-broken`, connection works and I get this
> result `- Description: (TLS1.2-X.509)-(ECDHE-SECP256R1)-(RSA-SHA1)-
> (AES-128-CBC)-(SHA1)`.
> Using `gnutls-cli -l` I can see that SHA1 in combination with tls1.2
> seems to be forbidden.
> Also, `gnutls-cli-debug` tells me it needs to disable TLS1.2 (why is
> this?).
> Might this be the reason for the error/is there a way to find out?
> Is it a bug in gnutls or misconfiguration in the university mail
> server?

In Fedora, allowed algorithms are centrally managed through
crypto-policies, where SHA-1 is indeed disabled for digital signatures:
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2

You could either downgrade the policy profile to LEGACY, with:

  sudo update-crypto-policies --set LEGACY

or create a custom crypto policy:
https://archive.fosdem.org/2020/schedule/event/security_custom_crypto_policies/attachments/slides/4089/export/events/attachments/security_custom_crypto_policies/slides/4089/custom_crypto_policies_fosdem.pdf

Regards,
-- 
Daiki Ueno
_______________________________________________
Gnutls-help mailing list
Gnutls-help@lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help
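An added example, not part of the thread and not GnuTLS or Fedora code: it splits the `- Description:` value that gnutls-cli prints into its fields and reports whether the signature field is the one using SHA-1, which is the restriction the reply points to. The function names are hypothetical, only that one rule is modelled, and the second sample line is constructed for contrast.

```python
import re

# Assumption for this example: the only rule modelled is the one named in the
# reply above, i.e. SHA-1 is not accepted for digital signatures.
WEAK_SIGNATURE_HASHES = {"SHA1"}
_GROUP = re.compile(r"\(([^()]*)\)")

def parse_description(desc):
    """Split a gnutls-cli '- Description:' value into named fields."""
    groups = _GROUP.findall(desc)
    if len(groups) not in (4, 5):
        raise ValueError(f"unexpected description: {desc!r}")
    protocol, _, cert_type = groups[0].partition("-")
    return {
        "protocol": protocol,
        "cert_type": cert_type,
        "key_exchange": groups[1],
        "signature": groups[2],
        "cipher": groups[3],
        # AEAD suites carry no separate MAC group.
        "mac": groups[4] if len(groups) == 5 else None,
    }

def signature_hash(signature):
    """Return the hash part of a signature name such as 'RSA-SHA1'."""
    return signature.rsplit("-", 1)[-1].upper()

def weak_signature(desc):
    """Return the offending signature algorithm, or None if it passes."""
    fields = parse_description(desc)
    if signature_hash(fields["signature"]) in WEAK_SIGNATURE_HASHES:
        return fields["signature"]
    return None

def extract_descriptions(output):
    """Pull every '- Description:' value out of captured gnutls-cli output."""
    return re.findall(r"^- Description:\s*(\S+)", output, flags=re.M)

# Constructed sample: the first line is the description quoted in the thread
# (joined onto one line), the second is a constructed TLS 1.3 description.
SAMPLE = """\
- Description: (TLS1.2-X.509)-(ECDHE-SECP256R1)-(RSA-SHA1)-(AES-128-CBC)-(SHA1)
- Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
"""

if __name__ == "__main__":
    for d in extract_descriptions(SAMPLE):
        hit = weak_signature(d)
        print(f"{d}: {'signature ' + hit + ' uses SHA-1' if hit else 'signature hash ok'}")
```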