Philip Schaten <[email protected]> writes:

> I wrote to this list on 15-05-2021 having trouble with my university's
> mail server.
> Thanks to Daiki Ueno, I got this to work on my system by changing the
> crypto policies, but I believe I may have found a bug in gnutls as
> well:

Let me add Alexander, the current maintainer of crypto-policies, who could shed some light on this.

> - Using gnutls-cli, I try to establish a connection to the mail server.
> - From wireshark, I can see that gnutls offers rsa_pcks_sha1 as a
>   signature algorithm.

Do you see this behavior also with the DEFAULT policy?

> - The server is admittedly badly configured and chooses that signature
>   algorithm.
> - gnutls aborts, complaining that "One of the involved algorithms has
>   insufficient security level." (btw. Why can't it just state for what
>   exact reason the security level was deemed insufficient? that would be
>   incredibly useful...)
>
> OpenSSL, in contrast, doesn't even offer rsa_pcks_sha1 if it's not
> allowed per the system's crypto policies.
>
> Sooo I believe that the bug here is to offer SHA1 in the first place,
> ignoring the crypto policies.
>
> But I am very new to this (4 weeks ago I hadn't heard about GnuTLS),
> maybe I'm missing something here: Maybe TLSv1.2 is disabled completely
> to mitigate some sort of man-in-the-middle attack where the attacker
> forces the use of sha1 to be able to spoof the server's identity..?
>
> Very much looking forward to your responses.

Regards,
-- 
Daiki Ueno
