Package: gnutls28
Version: 3.6.7-4
Severity: important

Assuming the client program did not specify a cipher list we end up with
NORMAL and this can be displayed via
	gnutls-cli --list --priority NORMAL

If we strip TLS1.3 and ECDHE away (because the remote side does not support
it) then we end up with:

|TLS_RSA_AES_256_GCM_SHA384        0x00, 0x9d  TLS1.2
|TLS_RSA_AES_256_CCM               0xc0, 0x9d  TLS1.2
|TLS_RSA_AES_256_CBC_SHA1          0x00, 0x35  TLS1.0
|TLS_RSA_AES_128_GCM_SHA256        0x00, 0x9c  TLS1.2
|TLS_RSA_AES_128_CCM               0xc0, 0x9c  TLS1.2
|TLS_RSA_AES_128_CBC_SHA1          0x00, 0x2f  TLS1.0
|TLS_DHE_RSA_AES_256_GCM_SHA384    0x00, 0x9f  TLS1.2
|TLS_DHE_RSA_CHACHA20_POLY1305     0xcc, 0xaa  TLS1.2
|TLS_DHE_RSA_AES_256_CCM           0xc0, 0x9f  TLS1.2
|TLS_DHE_RSA_AES_256_CBC_SHA1      0x00, 0x39  TLS1.0
|TLS_DHE_RSA_AES_128_GCM_SHA256    0x00, 0x9e  TLS1.2
|TLS_DHE_RSA_AES_128_CCM           0xc0, 0x9e  TLS1.2
|TLS_DHE_RSA_AES_128_CBC_SHA1      0x00, 0x33  TLS1.0

as possible candidates. If the server has no preference then we negotiate
TLS_RSA_AES_256_GCM_SHA384. It would be ideal to send first the DHE ciphers
and then the non-DHE ciphers. The ECDHE ciphers come first so it would make
sense to send the DHE ciphers before the plain RSA.

There is documentation on how the ciphers can be overridden but this does not
work as I would expect it. Or I failed at some point. I added:

|$ cat /etc/gnutls/config
|[priorities]
|SYSTEM = PFS:SECURE128:SECURE192
|NORMAL = PFS:SECURE128:SECURE192

but the output of
	gnutls-cli --list --priority NORMAL

remains unchanged. However using
	gnutls-cli --list --priority @NORMAL

gives me the PFS ones first. Since the application uses NORMAL by default,
this does not help (as by changing system defaults).

Could the DHE ciphers please be moved up (preferably 1.2 ciphers first,
followed by 1.0 but I guess this makes no change unless ciphers were removed
on the remote side) in the default ciphers list?
Using a config file would work (I guess) but having this by default would be
better security-wise I suppose.

Sebastian
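
The ordering described in the report can be checked mechanically. The following is an added example, not part of the original report or of GnuTLS: it reads a gnutls-cli --list style listing and reports the first forward-secret suite that appears after a plain RSA one. The function names are hypothetical, and treating a suite as forward-secret when its name starts with TLS_DHE_ or TLS_ECDHE_ or its version column is TLS1.3 is a simplifying assumption.

```shell
#!/bin/sh
# Suite lines copied from the listing quoted in the report, in the same order.
sample_list() {
cat <<'EOF'
TLS_RSA_AES_256_GCM_SHA384 0x00, 0x9d TLS1.2
TLS_RSA_AES_256_CCM 0xc0, 0x9d TLS1.2
TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 TLS1.0
TLS_RSA_AES_128_GCM_SHA256 0x00, 0x9c TLS1.2
TLS_RSA_AES_128_CCM 0xc0, 0x9c TLS1.2
TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f TLS1.0
TLS_DHE_RSA_AES_256_GCM_SHA384 0x00, 0x9f TLS1.2
TLS_DHE_RSA_CHACHA20_POLY1305 0xcc, 0xaa TLS1.2
TLS_DHE_RSA_AES_256_CCM 0xc0, 0x9f TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39 TLS1.0
TLS_DHE_RSA_AES_128_GCM_SHA256 0x00, 0x9e TLS1.2
TLS_DHE_RSA_AES_128_CCM 0xc0, 0x9e TLS1.2
TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33 TLS1.0
EOF
}

# Reads "NAME 0xHH, 0xHH VERSION" lines on stdin. Returns 1 and prints the
# first forward-secret suite listed after a non-forward-secret one; returns 0
# silently when all forward-secret suites come first.
pfs_order_check() {
    awk '
        $1 !~ /^TLS_/ { next }    # skip headers and the Protocols/Ciphers lines
        {
            pfs = ($1 ~ /^TLS_(DHE|ECDHE)_/ || $NF == "TLS1.3")
            if (!pfs && first_plain == "") first_plain = $1
            if (pfs && first_plain != "") {
                print $1 " is listed after " first_plain
                bad = 1
                exit
            }
        }
        END { exit bad + 0 }
    '
}

# Stable reorder: forward-secret suites first, relative order kept otherwise.
pfs_first() {
    awk '
        $1 !~ /^TLS_/ { next }
        $1 ~ /^TLS_(DHE|ECDHE)_/ || $NF == "TLS1.3" { print; next }
        { plain[++n] = $0 }
        END { for (i = 1; i <= n; i++) print plain[i] }
    '
}

# Demo on the sample; print the reordered list when the check fails.
sample_list | pfs_order_check || sample_list | pfs_first
```

On a system with GnuTLS installed, pipe the output of gnutls-cli --list --priority NORMAL (or @NORMAL) into pfs_order_check instead of the sample.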