On 2022-03-20 23:15:57 [+0100], Kurt Roeckx wrote:
> > https://ci.debian.net/data/autopkgtest/oldstable/amd64/g/gnutls28/20199677/log.gz
> >
> > Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> > %COMPAT: Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> > *** Fatal error: A TLS fatal alert has been received.
> > Failure: Failed
> > *** Fatal error: A TLS fatal alert has been received.
> > %NO_ETM: Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> > Failure: Failed
> > *** Fatal error: A TLS fatal alert has been received.
> > Failure: Failed
> > FAIL [11]../../tests/suite/testcompat-main-openssl
> >
> > Which, according to me, is this check:
> > https://sources.debian.org/src/gnutls28/3.6.7-4%2Bdeb10u7/tests/suite/testcompat-main-openssl/#L307
>
> That test still seems to exist, but is just moved to a different file:
> https://github.com/gnutls/gnutls/blob/master/tests/suite/testcompat-openssl-cli-common.sh#L255
>
> My understanding is that gnutls now passes the correct list of signature
> algorithms to use to OpenSSL's s_client to be able to do that test, and
> that this is probably fixed by:
> https://github.com/gnutls/gnutls/commit/23958322865a8a77c2f924f569484e5fd150a24b
> (and
> https://github.com/gnutls/gnutls/commit/8259a1dc8503ad760c0887eb95278f9957a00667)
>
> I'm trying to remember what was changed and why, but I can't
> find/remember it.
The change in openssl is commit
cc7c6eb8135b ("Check that the default signature type is allowed")
The server is
openssl s_server -quiet -www -accept 57687 -keyform pem -certform pem
-tls1 \
-key tests/certs/ecc384.pem -cert tests/certs/cert-ecc384.pem -Verify
1 \
-named_curve secp384r1 -CAfile tests/certs/ca-cert-ecc.pem
The client is
/usr/bin/gnutls-cli -p 57687 127.0.0.1 \
--priority
NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL
\
--insecure --x509certfile tests/certs/cert-ecc384.pem --x509keyfile
tests/certs/ecc384.pem
Before the commit in question it connects as:
- Description: (TLS1.0)-(ECDHE-SECP384R1)-(AES-256-CBC)-(SHA1)
after that, the server throws:
140490373015360:error:14201044:SSL routines:tls_choose_sigalg:internal
error:../ssl/t1_lib.c:2880:
and it appears that the security level in openssl forbids SHA1 here.
The argument on the s_server side
-sigalgs RSA+SHA1:RSA+SHA256:DSA+SHA1:DSA+SHA256
doesn't help here but
-cipher "ALL:@SECLEVEL=1"
does.
> Kurt
Sebastian
