On 2022-03-20 23:15:57 [+0100], Kurt Roeckx wrote:
> > https://ci.debian.net/data/autopkgtest/oldstable/amd64/g/gnutls28/20199677/log.gz
> >
> > Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> > %COMPAT: Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> > *** Fatal error: A TLS fatal alert has been received.
> > Failure: Failed
> > *** Fatal error: A TLS fatal alert has been received.
> > %NO_ETM: Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> > Failure: Failed
> > *** Fatal error: A TLS fatal alert has been received.
> > Failure: Failed
> > FAIL [11]../../tests/suite/testcompat-main-openssl
> >
> > Which, according to me, is this check:
> > https://sources.debian.org/src/gnutls28/3.6.7-4%2Bdeb10u7/tests/suite/testcompat-main-openssl/#L307
>
> That test still seems to exist, but is just moved to a different file:
> https://github.com/gnutls/gnutls/blob/master/tests/suite/testcompat-openssl-cli-common.sh#L255
>
> My understanding is that gnutls now passes the correct list of signature
> algorithms to use to OpenSSL's s_client to be able to do that test, and
> that this is probably fixed by:
> https://github.com/gnutls/gnutls/commit/23958322865a8a77c2f924f569484e5fd150a24b
> (and
> https://github.com/gnutls/gnutls/commit/8259a1dc8503ad760c0887eb95278f9957a00667)
>
> I'm trying to remember what was changed and why, but I can't
> find/remember it.
> Kurt

The change in openssl is commit cc7c6eb8135b ("Check that the default
signature type is allowed").

The server is

  openssl s_server -quiet -www -accept 57687 -keyform pem -certform pem -tls1 \
    -key tests/certs/ecc384.pem -cert tests/certs/cert-ecc384.pem -Verify 1 \
    -named_curve secp384r1 -CAfile tests/certs/ca-cert-ecc.pem

The client is

  /usr/bin/gnutls-cli -p 57687 127.0.0.1 \
    --priority NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL \
    --insecure --x509certfile tests/certs/cert-ecc384.pem --x509keyfile tests/certs/ecc384.pem

Before the commit in question it connects as:

  - Description: (TLS1.0)-(ECDHE-SECP384R1)-(AES-256-CBC)-(SHA1)

After that, the server throws:

  140490373015360:error:14201044:SSL routines:tls_choose_sigalg:internal error:../ssl/t1_lib.c:2880:

and it appears that the security level in openssl forbids SHA1 here.
The argument on the s_server side

  -sigalgs RSA+SHA1:RSA+SHA256:DSA+SHA1:DSA+SHA256

doesn't help here but

  -cipher "ALL:@SECLEVEL=1"

does.

Sebastian