Openconnect and old gnutls on Ubuntu 14.04
Dave Hansen
dave at sr71.net
Tue Jul 24 19:50:38 UTC 2018
On 07/24/2018 12:22 PM, Nikos Mavrogiannopoulos wrote:
>> Further, this code still seems to be around in openconnect, at least
>> when compiled against old versions of gnutls:
>>
>> https://github.com/openconnect/openconnect/blob/master/gnutls.c#L2202
>>
>> Is this something Ubuntu can fix in their openconnect? Or is it
>> something we should also be fixing in the upstream openconnect?
> This has been fixed in upstream openconnect since 2014, and we cannot
> fix items in the past (unless David has skills which we don't know
> about). That's up to your distribution to fix and a potential fix
> could be to change "-VERS-TLS-ALL:+VERS-TLS1.0" to "-VERS-SSL3.0"
> (i.e., allow everything except SSL3.0).
Am I misreading the code?
If compiled with !DEFAULT_PRIO and we miss both the gtls_ver(3,2,9) and
gtls_ver(3,0,0) checks, won't we do
"NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"... from the else{} block below?
I read that as "when using old gnutls versions and !DEFAULT_PRIO", use
this string.
> #ifdef DEFAULT_PRIO
> default_prio = DEFAULT_PRIO ":%COMPAT";
> #else
> if (gtls_ver(3,2,9)) {
> default_prio = "NORMAL:-VERS-SSL3.0:%COMPAT";
> } else if (gtls_ver(3,0,0)) {
> default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
> "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION" \
> ":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA";
> } else {
> default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
> "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION";
> }
> #endif
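To make concrete what the final else branch above does to the negotiable protocol set, here is an added example that is not openconnect's code and not part of the original mail. It re-states the !DEFAULT_PRIO else-chain as a function of an explicit GnuTLS version triple, then evaluates only the VERS-* keywords of the resulting priority string with a small model of GnuTLS priority semantics (assumptions: gtls_ver(a,b,c) is treated as "runtime version is at least a.b.c", NORMAL is treated as starting with SSL3.0 and TLS 1.0 to 1.2 enabled, and the version numbers fed in, such as 2.12.0, are constructed inputs rather than a claim about what Ubuntu shipped). It also applies the "-VERS-TLS-ALL:+VERS-TLS1.0" to "-VERS-SSL3.0" substitution Nikos suggests, so the before and after version sets can be compared.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Protocol versions this toy evaluator understands. Added example: it
 * models GnuTLS priority-string semantics and never calls GnuTLS. */
enum {
    V_SSL30   = 1 << 0,
    V_TLS10   = 1 << 1,
    V_TLS11   = 1 << 2,
    V_TLS12   = 1 << 3,
    V_TLS_ALL = V_TLS10 | V_TLS11 | V_TLS12,
};

/* Assumption: openconnect's gtls_ver(a,b,c) is modelled as "runtime GnuTLS
 * version is at least a.b.c" (plain major/minor/patch comparison). */
static bool gtls_ver_at_least(const int have[3], int a, int b, int c)
{
    if (have[0] != a) return have[0] > a;
    if (have[1] != b) return have[1] > b;
    return have[2] >= c;
}

/* The !DEFAULT_PRIO else-chain from the quoted gnutls.c, driven by an
 * explicit version triple so every branch can be exercised. */
const char *pick_default_prio(int major, int minor, int patch)
{
    const int have[3] = { major, minor, patch };
    if (gtls_ver_at_least(have, 3, 2, 9))
        return "NORMAL:-VERS-SSL3.0:%COMPAT";
    if (gtls_ver_at_least(have, 3, 0, 0))
        return "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"
               "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION"
               ":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA";
    return "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"
           "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION";
}

static unsigned version_bit(const char *kw)
{
    if (!strcmp(kw, "VERS-SSL3.0"))  return V_SSL30;
    if (!strcmp(kw, "VERS-TLS1.0"))  return V_TLS10;
    if (!strcmp(kw, "VERS-TLS1.1"))  return V_TLS11;
    if (!strcmp(kw, "VERS-TLS1.2"))  return V_TLS12;
    if (!strcmp(kw, "VERS-TLS-ALL")) return V_TLS_ALL;
    if (!strcmp(kw, "VERS-ALL"))     return V_SSL30 | V_TLS_ALL;
    return 0; /* cipher, curve and %flag keywords do not touch versions */
}

/* Walk the ':'-separated keywords left to right and apply only those that
 * touch protocol versions. Assumption: NORMAL starts with every version
 * this model knows enabled, as old GnuTLS releases did. */
unsigned enabled_versions(const char *prio)
{
    unsigned mask = 0;
    const char *p = prio;
    while (*p) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char tok[64];
        if (len >= sizeof tok) len = sizeof tok - 1;
        memcpy(tok, p, len);
        tok[len] = '\0';
        if (!strcmp(tok, "NORMAL"))
            mask = V_SSL30 | V_TLS_ALL;
        else if (tok[0] == '+')
            mask |= version_bit(tok + 1);
        else if (tok[0] == '-')
            mask &= ~version_bit(tok + 1);
        p = end ? end + 1 : p + len;
    }
    return mask;
}

/* Nikos's suggested distro change: swap the TLS1.0-only pin for a plain
 * SSL3.0 exclusion. Returns false when the pin is not in the string. */
bool apply_suggested_fix(const char *prio, char *out, size_t outlen)
{
    static const char pin[] = "-VERS-TLS-ALL:+VERS-TLS1.0";
    static const char repl[] = "-VERS-SSL3.0";
    const char *hit = strstr(prio, pin);
    if (!hit) return false;
    int n = snprintf(out, outlen, "%.*s%s%s",
                     (int)(hit - prio), prio, repl, hit + strlen(pin));
    return n >= 0 && (size_t)n < outlen;
}

/* Versions left enabled after the fix, or 0 if the string had no pin. */
unsigned versions_after_suggested_fix(const char *prio)
{
    char fixed[256];
    if (!apply_suggested_fix(prio, fixed, sizeof fixed)) return 0;
    return enabled_versions(fixed);
}

static void show(const char *label, unsigned mask)
{
    printf("%-28s SSL3.0=%d TLS1.0=%d TLS1.1=%d TLS1.2=%d\n", label,
           !!(mask & V_SSL30), !!(mask & V_TLS10),
           !!(mask & V_TLS11), !!(mask & V_TLS12));
}

int main(void)
{
    /* Constructed input: a GnuTLS build older than 3.0.0, i.e. the final
     * else branch Dave asks about; 2.12.0 is just an illustrative triple. */
    const char *old = pick_default_prio(2, 12, 0);
    char fixed[256];
    show("old fallback string", enabled_versions(old));
    if (apply_suggested_fix(old, fixed, sizeof fixed))
        show("with -VERS-SSL3.0 instead", enabled_versions(fixed));
    show("3.2.9+ default", enabled_versions(pick_default_prio(3, 2, 9)));
    return 0;
}
```

Under this model the pre-3.2.9 strings leave TLS 1.0 as the only TLS version a client built against old GnuTLS will offer, while the substituted string keeps everything NORMAL offers except SSL3.0, which is what the 3.2.9+ branch already does. The other keywords in the old strings (%COMPAT, %DISABLE_SAFE_RENEGOTIATION, the curve and ECDHE exclusions) survive the substitution untouched.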
More information about the Ubuntu-motu mailing list