A bug in gnutls-3.8.5_1 while connecting to some servers with old tls (gnutls-3.8.4_1 works fine) #49804

Open
djaonline opened this issue Apr 11, 2024 · 8 comments · May be fixed by #49809
Labels
bug Something isn't working needs-testing Testing a PR or reproducing an issue needed

Comments

@djaonline

Is this a new report?

No

System Info

Void 6.6.25_1 x86_64 GenuineIntel uptodate rFF

Package(s) Affected

gnutls-3.8.5_1

Does a report exist for this bug with the project's home (upstream) and/or another distro?

Same issue in Debian
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1965706.html

Expected behaviour

gnutls-cli some-old-tls-server
successful output

Actual behaviour

gnutls-cli some-old-tls-server
output with error *** Fatal error: The encryption algorithm is not supported.

Steps to reproduce

gnutls-cli old-tls-server
output with error *** Fatal error: The encryption algorithm is not supported.

@djaonline djaonline added bug Something isn't working needs-testing Testing a PR or reproducing an issue needed labels Apr 11, 2024
@cinerea0 cinerea0 linked a pull request Apr 11, 2024 that will close this issue
@cinerea0
Contributor

Can you test #49809 to see if that fixes the problem? Or alternatively provide a known failing server that can be tested.

@djaonline
Author

@cinerea0 I tried the commit. It hasn't solved the problem:( Still error "The encryption algorithm is not supported."

@sgn
Member

sgn commented Apr 12, 2024

Can you show the steps to reproduce and/or its full logs?

@djaonline
Author

gnutls-cli-debug -V xxx

GnuTLS debug client 3.8.5
Checking xxx:443
whether the server accepts default record size (512 bytes)... no
                  whether %ALLOW_SMALL_RECORDS is required... no
                        whether we need to disable TLS 1.2... yes
                        whether we need to disable TLS 1.1... yes
                        whether we need to disable TLS 1.0... yes
                        whether %NO_EXTENSIONS is required... skipped
                               whether %COMPAT is required... skipped
                             for TLS 1.0 (RFC2246) support... no
 for TLS 1.0 (RFC2246) support with TLS 1.0 record version... no
                             for TLS 1.1 (RFC4346) support... no
                                  fallback from TLS 1.1 to... failed
                             for TLS 1.2 (RFC5246) support... no
                             for TLS 1.3 (RFC8446) support... no
                    for known TLS or SSL protocols support... no

@djaonline
Author

djaonline commented Apr 12, 2024

Working OpenConnect VPN client GUI info:
[image]
Server info from admins
TLSv1.0
TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA

@nazgulsenpai
Copy link

nazgulsenpai commented May 2, 2024

I'm just passing through but you may have inadvertently included sensitive information in this issue. I would recommend rekeying that certificate and removing the posts.

@classabbyamp
Member

there aren't any private keys, the certificate is fine

@RobJamesRamos
Copy link

Any progress on this? I think I may be hitting this bug.


6 participants