www.cendio.com
Bug 5967 - -VERS-SSL3.0 in GnuTLS priority strings is redundant
Status: CLOSED FIXED
Product: ThinLinc
Component: Other
Version: trunk
Platform: PC Unknown
Importance: P2 Normal
Target Milestone: 4.11.0
Reported: 2016-08-29 20:18
Modified: 2019-12-03 10:12
Description From cendio 2016-08-29 20:18:28
SSL3 is disabled by default in GnuTLS 3.4.0 and later. Therefore we no longer
need to explicitly include that in our default priority strings.
------- Comment #4 From cendio 2019-12-02 10:05:06 -------
Seems to work well. The new default is just "NORMAL" and yet SSL 3 is still
rejected (tested with openssl s_client):

> 2019-12-02 10:01:43 ERROR tlwebadm[25138]: [::ffff:10.47.1.240] gnutls_handshake: A packet with illegal or unsupported version was received.

Note though that migrating configuration will leave the old value in place. It
doesn't seem to do any damage though. No warnings in the logs, and SSL 3 is
still disabled.

Tested on RHEL 8.
------- Comment #5 From cendio 2019-12-02 16:53:33 -------
Verified with 'openssl s_client' using Fedora 30 client/server. It gives the
same output in the tlwebadm.log:
> 2019-12-02 16:18:10 ERROR tlwebadm[12037]: [::1] gnutls_handshake: A packet with illegal or unsupported version was received.
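
Added example, not part of the bug report or ThinLinc's code: a small auditor for priority strings that a configuration migration left in place, as comment #4 describes. It models only the SSL 3.0 tokens (it is not GnuTLS's parser), and it assumes a `gnutls_priority=` key name, a string that starts from a keyword such as `NORMAL`, and constructed sample data.

```python
SSL3 = "VERS-SSL3.0"
KEY = "gnutls_priority"  # assumed key name for this example, not taken from the page


def audit_priority(priority, gnutls_version):
    """Return (verdict, suggested_string) for one priority string.

    Assumption: the string starts from a keyword such as NORMAL, so SSL 3.0
    is off by default from GnuTLS 3.4.0 onward and on before that.
    """
    major, minor = (int(p) for p in gnutls_version.split(".")[:2])
    enabled = (major, minor) < (3, 4)       # default state before any token
    kept, dropped = [], 0
    for token in filter(None, priority.split(":")):
        if token in ("-" + SSL3, "!" + SSL3):   # "-" and "!" both remove
            if not enabled:                 # already off: token changes nothing
                dropped += 1
                continue
            enabled = False
        elif token == "+" + SSL3:           # explicit re-enable, last one wins
            enabled = True
        kept.append(token)
    if enabled:
        return "ssl3-enabled", priority
    if dropped:
        return "redundant", ":".join(kept)
    return "ok", priority


def audit_config(text, gnutls_version):
    """Audit every KEY=value line; returns (line_number, verdict, suggestion)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        key, sep, value = line.partition("=")
        if sep and key.strip() == KEY:
            findings.append((lineno, *audit_priority(value.strip(), gnutls_version)))
    return findings


# Constructed sample input, not a real ThinLinc configuration file.
SAMPLE = """\
# migrated settings
gnutls_priority=NORMAL:-VERS-SSL3.0
gnutls_priority=NORMAL
gnutls_priority=NORMAL:-VERS-SSL3.0:+VERS-SSL3.0
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE, "3.6.8"):
        print(finding)
```

The same string gets a different verdict per GnuTLS version: on a build older than 3.4.0 the removal token is still doing work and is kept.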