From 244d06637f4b598b2c0b2167a504d1fafb091a4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 21 Aug 2020 12:06:47 +0200 Subject: [PATCH] compat.sh: enable CBC-SHA-2 suites for GnuTLS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Recent GnuTLS packages on Ubuntu 16.04 have them disabled. From /usr/share/doc/libgnutls30/changelog.Debian.gz: gnutls28 (3.4.10-4ubuntu1.5) xenial-security; urgency=medium * SECURITY UPDATE: Lucky-13 issues [...] - debian/patches/CVE-2018-1084x-4.patch: hmac-sha384 and sha256 ciphersuites were removed from defaults in lib/gnutls_priority.c, tests/priorities.c. Since we do want to test the ciphersuites, explicitly re-enable them in the server's priority string. (This is a no-op with versions of GnuTLS where those are already enabled by default.) Signed-off-by: Manuel Pégourié-Gonnard --- tests/compat.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/compat.sh b/tests/compat.sh index 9f2798ee7..40c8856a4 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -907,7 +907,7 @@ setup_arguments() M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1" O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$MODE -dhparam data_files/dhparams.pem" G_SERVER_ARGS="-p $PORT --http $G_MODE" - G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE" + G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE" # with OpenSSL 1.0.1h, -www, -WWW and -HTTP break DTLS handshakes if is_dtls "$MODE"; then