Package: libgnutls30t64
Version: 3.8.5-1
Severity: important
Tags: trixie upstream fixed-upstream
Forwarded: https://gitlab.com/gnutls/gnutls/-/work_items/1660
Control: found -1 3.8.9-3+deb13u2
Control: fixed -1 3.8.12-2
User: [email protected]
Usertags: origin-steamrt steamrt4

A regression in GnuTLS 3.8.5, which started shuffling the extensions order, causes an interoperability issue leading to handshake failures with some SSL/TLS servers. I'm reporting this at important severity since it's an interop regression affecting an unknown number of remote services.

From the linked regression report https://github.com/luakit/luakit/issues/1101, it seems that at the time of writing, search.dismail.de is a good test-case, for example:

    $ podman run --rm -it debian:trixie-slim
    # apt update && apt upgrade && apt install ca-certificates gnutls-bin
    # gnutls-cli search.dismail.de
    Processed 150 CA certificate(s).
    Resolving 'search.dismail.de:443'...
    Connecting to '128.140.68.142:443'...
    *** Fatal error: A TLS fatal alert has been received.
    *** Received alert [47]: Illegal parameter

(or use your favourite way to get a clean trixie environment, if not podman)

I've confirmed that 3.8.12-2 in forky and 3.7.9-2+deb12u6 in bookworm are both unaffected by this: they successfully connect to that server, with gnutls-cli output that includes "Handshake was completed". (Press Ctrl+D to exit after seeing this.)

This appears to have been fixed by https://gitlab.com/gnutls/gnutls/-/merge_requests/1930 after the 3.8.9 release, commit <https://gitlab.com/gnutls/gnutls/-/commit/dc5ee80c3a28577e9de0f82fb08164e4c02b96af>, but unfortunately that commit didn't make it into Debian 13. Please could this change be backported? (I haven't yet verified that this change resolves the issue, I'll look into that next.)

Thanks,
    smcv

-- System Information:
Debian Release: 13.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security-debug'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'stable'), (400, 'proposed-updates')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64

Kernel: Linux 6.18.5+deb13-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libgnutls30t64 depends on:
ii  libc6           2.41-12+deb13u1
ii  libgmp10        2:6.3.0+dfsg-3
ii  libhogweed6t64  3.10.1-1
ii  libidn2-0       2.3.8-2
ii  libnettle8t64   3.10.1-1
ii  libp11-kit0     0.25.5-3
ii  libtasn1-6      4.20.0-2
ii  libunistring5   1.3-2

libgnutls30t64 recommends no packages.

Versions of packages libgnutls30t64 suggests:
ii  gnutls-bin  3.8.9-3+deb13u2

-- no debconf information

