Hello again,

I wrote to this list on 15-05-2021 having trouble with my university's mail server. Thanks to Daiki Ueno, I got this to work on my system by changing the crypto policies, but I believe I may have found a bug in gnutls as well:
- Using gnutls-cli, I try to establish a connection to the mail server.
- From Wireshark, I can see that gnutls offers rsa_pkcs1_sha1 as a signature algorithm.
- The server is admittedly badly configured and chooses that signature algorithm.
- gnutls aborts, complaining that "One of the involved algorithms has insufficient security level." (btw, why can't it just state for what exact reason the security level was deemed insufficient? That would be incredibly useful...)

OpenSSL, in contrast, doesn't even offer rsa_pkcs1_sha1 if it's not allowed per the system's crypto policies.

Sooo I believe that the bug here is to offer SHA1 in the first place, ignoring the crypto policies. But I am very new to this (4 weeks ago I hadn't heard about GnuTLS), maybe I'm missing something here: Maybe TLSv1.2 is disabled completely to mitigate some sort of man-in-the-middle attack where the attacker forces the use of sha1 to be able to spoof the server's identity..?

Very much looking forward to your responses.

Best
Philip
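
The check the message does by eye in Wireshark can also be scripted. The following is an added example, not part of the original message and not GnuTLS code: it parses the body of a ClientHello `signature_algorithms` extension and lists any SHA-1 schemes on offer. The function names and sample bytes are constructed for illustration; the code points are those of RFC 8446.

```python
import struct

# Selected TLS SignatureScheme code points (RFC 8446, section 4.2.3).
SCHEMES = {
    0x0201: "rsa_pkcs1_sha1",
    0x0203: "ecdsa_sha1",
    0x0401: "rsa_pkcs1_sha256",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0501: "rsa_pkcs1_sha384",
    0x0601: "rsa_pkcs1_sha512",
    0x0804: "rsa_pss_rsae_sha256",
    0x0807: "ed25519",
}
# RSA, DSA and ECDSA signatures over SHA-1 (TLS 1.2 hash id 0x02).
SHA1_SCHEMES = {0x0201, 0x0202, 0x0203}


def parse_signature_algorithms(ext_data: bytes) -> list[int]:
    """Parse the body of a signature_algorithms extension (type 13)."""
    if len(ext_data) < 2:
        raise ValueError("extension body too short")
    (list_len,) = struct.unpack_from("!H", ext_data, 0)
    # The 2-byte length must cover the rest of the body exactly and
    # describe a non-empty list of 2-byte code points.
    if list_len != len(ext_data) - 2 or list_len % 2 or list_len == 0:
        raise ValueError("malformed supported_signature_algorithms list")
    return [code for (code,) in struct.iter_unpack("!H", ext_data[2:])]


def offered_sha1(ext_data: bytes) -> list[str]:
    """Return the names of SHA-1 based schemes the client offers."""
    return [SCHEMES.get(code, f"0x{code:04x}")
            for code in parse_signature_algorithms(ext_data)
            if code in SHA1_SCHEMES]


# Constructed sample bodies, not captured from the handshake in the message.
WITH_SHA1 = bytes.fromhex("0008" "0401" "0804" "0403" "0201")
WITHOUT_SHA1 = bytes.fromhex("0006" "0401" "0804" "0403")

if __name__ == "__main__":
    for label, body in (("with", WITH_SHA1), ("without", WITHOUT_SHA1)):
        names = [SCHEMES.get(c, hex(c)) for c in parse_signature_algorithms(body)]
        print(label, names, "SHA-1 offered:", offered_sha1(body))
```
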
