Bug 5967

Summary: -VERS-SSL3.0 in GnuTLS priority strings is redundant
Product: ThinLinc
Reporter: Pierre Ossman <ossman>
Component: Other
Assignee: Pierre Ossman <ossman>
Status: CLOSED FIXED
Severity: Normal
CC: nikle, ossman
Priority: P2
Keywords: nikle_tester, relnotes
Version: trunk
Target Milestone: 4.11.0
Hardware: PC
OS: Unknown
Acceptance Criteria:

Description Pierre Ossman cendio 2016-08-29 20:18:28 CEST
SSL3 is disabled by default in GnuTLS 3.4.0 and later. Therefore we no longer need to explicitly include that in our default priority strings.

Comment 4 Pierre Ossman cendio 2019-12-02 10:05:06 CET
Seems to work well. The new default is just "NORMAL" and yet SSL 3 is still rejected (tested with openssl s_client):

> 2019-12-02 10:01:43 ERROR tlwebadm[25138]: [::ffff:10.47.1.240] gnutls_handshake: A packet with illegal or unsupported version was received.

Note though that migrating configuration will leave the old value in place. It doesn't seem to do any damage though. No warnings in the logs, and SSL 3 is still disabled.

Tested on RHEL 8.

Comment 5 Niko Lehto cendio 2019-12-02 16:53:33 CET
Verified with 'openssl s_client' using Fedora 30 client/server. It gives the same output in the tlwebadm.log:
> 2019-12-02 16:18:10 ERROR tlwebadm[12037]: [::1] gnutls_handshake: A packet with illegal or unsupported version was received.
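
An added example, not part of the bug thread or ThinLinc's code: a Python check that confirms version rejections from log lines in the format quoted above and flags a leftover `-VERS-SSL3.0` in a migrated priority string. It assumes GnuTLS 3.4.0 or later; the function names and the sample priority strings are constructed for illustration.

```python
import re
from collections import Counter

# Line format taken from the tlwebadm.log excerpts quoted in the comments.
LOG_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<level>\w+) "
    r"(?P<proc>[\w.-]+)\[\d+\]: \[(?P<peer>[^\]]+)\] "
    r"gnutls_handshake: (?P<msg>.*)$"
)
VERSION_REJECT = "A packet with illegal or unsupported version was received."


def rejected_version_peers(lines):
    """Count handshakes rejected for an unsupported version, per peer."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line.lstrip("> ").rstrip())
        if m and m["msg"] == VERSION_REJECT:
            hits[m["peer"]] += 1
    return hits


def audit_priority(priority):
    """Classify the SSL 3.0 tokens of a colon-separated priority string."""
    tokens = [t for t in priority.split(":") if t]
    return {
        # Redundant only under the stated assumption (GnuTLS >= 3.4.0).
        "redundant": [t for t in tokens if t == "-VERS-SSL3.0"],
        # An explicit "+" token would turn SSL 3.0 back on; flag it.
        "enables_ssl3": [t for t in tokens if t == "+VERS-SSL3.0"],
        "cleaned": ":".join(t for t in tokens if t != "-VERS-SSL3.0"),
    }


# First two lines are the ones quoted in the thread; the third is constructed.
SAMPLE_LOG = [
    "> 2019-12-02 10:01:43 ERROR tlwebadm[25138]: [::ffff:10.47.1.240] "
    "gnutls_handshake: A packet with illegal or unsupported version was received.",
    "> 2019-12-02 16:18:10 ERROR tlwebadm[12037]: [::1] "
    "gnutls_handshake: A packet with illegal or unsupported version was received.",
    "2019-12-02 16:20:00 ERROR tlwebadm[12037]: [::1] "
    "gnutls_handshake: The TLS connection was non-properly terminated.",
]

if __name__ == "__main__":
    print(dict(rejected_version_peers(SAMPLE_LOG)))
    print(audit_priority("NORMAL:-VERS-SSL3.0"))  # constructed migrated value
```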