[Bug 1860461] Re: libgnutls30 3.6.11.1-2ubuntu2 (Ubuntu 20.04) breaks pulseui client with error "Error performing TLS handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough)."

Tom Reynolds 1860461 at bugs.launchpad.net
Mon Apr 13 17:13:46 UTC 2020 

There is no easy way to gracefully handle weak crypto. It has been known
for more than five years that 1024 bit (or rather <2048 bit) DH primes
need to be considered weak and should not be used - https://weakdh.org/
- GnuTLS > 3.2 does the right thing in having services which still have
not taken action to use contemporary (non weak) crypto fail by default,
so that users will become aware of the fact they are (were) connecting
insecurely, and these services can be more easily identified and fixed.

In some cases, using clients (and software versions of client) which
support higher TLS protocol versions can work around this problem (if
remote servers support strong ciphers on higher TLS protocol versions;
example:
https://www.ssllabs.com/ssltest/analyze.html?d=mail.nhs.net&hideResults=on
).

It *may* be possible to continue to allow for insecure connections by
setting the GnuTLS priority string to include LEGACY as per
https://gnutls.org/manual/html_node/Priority-Strings.html

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/1860461

Title:
  libgnutls30 3.6.11.1-2ubuntu2 (Ubuntu 20.04) breaks pulseui client
  with error "Error performing TLS handshake: The Diffie-Hellman prime
  sent by the server is not acceptable (not long enough)."

Status in evolution package in Ubuntu:
  Confirmed
Status in gnome-online-accounts package in Ubuntu:
  Confirmed
Status in gnutls28 package in Ubuntu:
  Confirmed

Bug description:
  After upgrade to 20.04 package libgnutls30 broke pulseUI VPN client
  with the following error:

  "Error performing TLS handshake: The Diffie-Hellman prime sent by the
  server is not acceptable (not long enough)."

  I had to revert the package to the 19.10 version (3.6.9-5ubuntu1) and
  to install 19.10 dependency libhogweed4 3.4.1-1 to fix it.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: libgnutls30 3.6.9-5ubuntu1
  ProcVersionSignature: Ubuntu 5.4.0-9.12-generic 5.4.3
  Uname: Linux 5.4.0-9-generic x86_64
  ApportVersion: 2.20.11-0ubuntu15
  Architecture: amd64
  Date: Tue Jan 21 17:48:39 2020
  InstallationDate: Installed on 2017-06-21 (943 days ago)
  InstallationMedia: Ubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412)
  SourcePackage: gnutls28
  UpgradeStatus: Upgraded to focal on 2020-01-10 (10 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/1860461/+subscriptions

More information about the foundations-bugs mailing list