Package: gnutls-bin
Version: 3.8.5-1
Severity: normal
X-Debbugs-Cc: none, Sanjoy Mahajan <san...@mit.edu>
File: /usr/bin/gnutls-cli

After dist-upgrading today, exim4 could no longer talk to my usual outgoing mail server. I reproduced the problem using just gnutls-cli.

The problem started after today's upgrade of the various gnutls packages. They were upgraded from 3.8.4-2 to 3.8.5-1.

The following command with the given input lines reproduces the problem:

  $ gnutls-cli -V -d 9 --starttls --crlf --port 587 -V outgoing.mit.edu
  EHLO randomhost
  STARTTLS
  ctrl-D [to send EOF]

It fails with "*** Fatal error: The encryption algorithm is not supported."

(I haven't tried it with other outgoing servers, but this one definitely shows the problem.)

The problem goes away after downgrading the relevant packages to 3.8.4-2:

  # apt install gnutls-bin=3.8.4-2 gnutls-doc=3.8.4-2 libgnutls-dane0t64=3.8.4-2 libgnutls-openssl27t64=3.8.4-2 libgnutls28-dev=3.8.4-2 libgnutls30t64=3.8.4-2

(My sources.list includes the snapshots repos

  deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/20240329T213539Z/ unstable main
  deb-src [check-valid-until=no] http://snapshot.debian.org/archive/debian/20240329T213539Z/ unstable main
)

The lines around the fatal error message with 3.8.5-1 are:

  |<4>| HSK[0x5632451d5260]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 0, sequence: 0
  |<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1130
  |<3>| ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1374
  |<3>| ASSERT: ../../../lib/nettle/pk.c[_wrap_nettle_pk_encrypt]:773
  |<3>| ASSERT: ../../../lib/auth/rsa.c[_gnutls_gen_rsa_client_kx]:288
  |<3>| ASSERT: ../../lib/kx.c[_gnutls_send_client_kx_message]:379
  |<3>| ASSERT: ../../lib/handshake.c[handshake_client]:3183
  *** Fatal error: The encryption algorithm is not supported.
  |<5>| REC: Sending Alert[2|80] - Internal error
  |<5>| REC[0x5632451d5260]: Preparing Packet Alert(21) with length: 2 and min pad: 0
  |<9>| ENC[0x5632451d5260]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
  |<5>| REC[0x5632451d5260]: Sent Packet[2] Alert(21) in epoch 0 and length: 7
  *** Handshake has failed
  |<5>| REC[0x5632451d5260]: Start of epoch cleanup
  |<5>| REC[0x5632451d5260]: End of epoch cleanup
  |<5>| REC[0x5632451d5260]: Epoch #0 freed
  |<5>| REC[0x5632451d5260]: Epoch #1 freed

I've kept my packages at 3.8.4-2 for now, but I can do more debug tests if needed (by upgrading, testing, and downgrading).

-Sanjoy

-- System Information:
Debian Release: sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.7.9-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnutls-bin depends on:
ii  libc6               2.37-15.1
ii  libgnutls-dane0t64  3.8.5-1
ii  libgnutls30t64      3.8.5-1
ii  libtasn1-6          4.19.0-3+b2

gnutls-bin recommends no packages.

gnutls-bin suggests no packages.

-- no debconf information