Openconnect and old gnutls on Ubuntu 14.04

Dave Hansen dave at sr71.net
Tue Jul 24 21:50:03 UTC 2018


On 07/24/2018 01:01 PM, Nikos Mavrogiannopoulos wrote:
>> Am I misreading the code?
>>
>> If compiled with !DEFAULT_PRIO and we miss both the gtls_ver(3,2,9) and
>> gtls_ver(3,0,0) checks, won't we do
>> "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"... from the else{} block below?
>>
>> I read that as "when using old gnutls versions and !DEFAULT_PRIO", use
>> this string.
>>
>>> #ifdef DEFAULT_PRIO
>>>       default_prio = DEFAULT_PRIO ":%COMPAT";
>>> #else
>>>       if (gtls_ver(3,2,9)) {
>>>               default_prio = "NORMAL:-VERS-SSL3.0:%COMPAT";
>>>       } else if (gtls_ver(3,0,0)) {
>>>               default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
>>>                       "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION" \
>>>                       ":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA";
>>>       } else {
>>>               default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"                     \
>>>                       "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION";
>>>       }
>>> #endif
> Hmm, that is true, but ubuntu doesn't use that code.

My version is this, verbatim:

>         err = gnutls_priority_set_direct(vpninfo->https_sess,
>                                          "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"
> #if GNUTLS_VERSION_MAJOR >= 3
>                                          "-CURVE-ALL:"
> #endif
>                                          "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION",
>                                          NULL);

Which is a slightly more arcane way to do _some_ of the same stuff, like
adding "-CURVE-ALL:" for gnutls >= 3.

> If it did it could have made sense to update it, but looks like dead
> code as since 5f0eb81daa0df5668eedd8e48eaeea065c92d9ad openconnect
> can no longer build with a version of gnutls < 3 (which doesn't have
> DTLS).
Right, Ubuntu (14.04) doesn't have the first two cases, only the third.
But, I was basically asking (despite being an ancient version of
openconnect) whether this affects upstream openconnect.

The "gtls_ver(3,0,0)" in upstream openconnect still has this hunk in its
string, though: "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:".  Does that cause
any issues on gnutls versions >=3.0.0, but <3.2.9?
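As an added example (not openconnect or GnuTLS code) of what the quoted priority strings actually select, here is a small C model of how the protocol-version keywords compose left to right; the NORMAL baseline (SSL3.0 plus TLS 1.0 to 1.2) and VERS-TLS-ALL covering that whole set are assumptions, stated again in the comments.

```c
/* Added example, not openconnect or GnuTLS code: a minimal model of how the
 * protocol-version keywords in a GnuTLS priority string compose, to show what
 * the quoted fallback strings actually leave enabled.
 * Assumptions: NORMAL starts from SSL3.0 + TLS1.0-1.2, and VERS-TLS-ALL covers
 * that whole set; '+' and '-' are applied left to right. */
#include <stdio.h>
#include <string.h>
enum { V_SSL3 = 1 << 0, V_TLS10 = 1 << 1, V_TLS11 = 1 << 2, V_TLS12 = 1 << 3 };
#define V_ALL (V_SSL3 | V_TLS10 | V_TLS11 | V_TLS12)

/* Map a version keyword (without its +/- sign) to a bitmask; anything that is
 * not a version keyword (%COMPAT, CURVE-ALL, cipher names) yields 0. */
static unsigned vers_mask(const char *kw)
{
    if (strcmp(kw, "VERS-TLS-ALL") == 0) return V_ALL;   /* assumption, see above */
    if (strcmp(kw, "VERS-SSL3.0") == 0) return V_SSL3;
    if (strcmp(kw, "VERS-TLS1.0") == 0) return V_TLS10;
    if (strcmp(kw, "VERS-TLS1.1") == 0) return V_TLS11;
    if (strcmp(kw, "VERS-TLS1.2") == 0) return V_TLS12;
    return 0;
}

/* Walk the colon-separated keywords and return the set of enabled versions. */
unsigned enabled_versions(const char *prio)
{
    char buf[512];
    unsigned set = 0;
    strncpy(buf, prio, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *kw = strtok(buf, ":"); kw; kw = strtok(NULL, ":")) {
        if (strcmp(kw, "NORMAL") == 0) set = V_ALL;        /* baseline */
        else if (kw[0] == '-')         set &= ~vers_mask(kw + 1);
        else if (kw[0] == '+')         set |= vers_mask(kw + 1);
    }
    return set;
}

int main(void)
{
    /* The two strings from the quoted openconnect hunk. */
    const char *fallback = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"
        "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION"
        ":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA";
    const char *modern = "NORMAL:-VERS-SSL3.0:%COMPAT";
    printf("gnutls 3.0.0-3.2.8 string enables 0x%x (TLS1.0 only)\n",
           enabled_versions(fallback));
    printf("gnutls >= 3.2.9 string enables 0x%x (TLS1.0-1.2)\n",
           enabled_versions(modern));
    return 0;
}
```

Under these assumptions the gtls_ver(3,0,0) string and the Ubuntu 14.04 string both pin the session to TLS 1.0 alone, while the 3.2.9+ string keeps TLS 1.0 through 1.2; the %-flags such as %DISABLE_SAFE_RENEGOTIATION are outside what this model evaluates.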


