On 07/24/2018 12:22 PM, Nikos Mavrogiannopoulos wrote:
>> Further, this code still seems to be around in openconnect, at least
>> when compiled against old versions of gnutls:
>>
>> https://github.com/openconnect/openconnect/blob/master/gnutls.c#L2202
>>
>> Is this something Ubuntu can fix in their openconnect? Or is it
>> something we should also be fixing in the upstream openconnect?
> This has been fixed in upstream openconnect since 2014, and we cannot
> fix items in the past (unless David has skills which we don't know
> about). That's up to your distribution to fix and a potential fix
> could be to change "-VERS-TLS-ALL:+VERS-TLS1.0" to "-VERS-SSL3.0"
> (i.e., allow everything except SSL3.0).

Am I misreading the code? If compiled with !DEFAULT_PRIO and we miss both the
gtls_ver(3,2,9) and gtls_ver(3,0,0) checks, won't we do
"NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"... from the else{} block below? I read
that as "when using old gnutls versions and !DEFAULT_PRIO, use this string".

> #ifdef DEFAULT_PRIO
> 	default_prio = DEFAULT_PRIO ":%COMPAT";
> #else
> 	if (gtls_ver(3,2,9)) {
> 		default_prio = "NORMAL:-VERS-SSL3.0:%COMPAT";
> 	} else if (gtls_ver(3,0,0)) {
> 		default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
> 			"%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION" \
> 			":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA";
> 	} else {
> 		default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
> 			"%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION";
> 	}
> #endif
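As an added illustration of the version-selection logic and of what the two priority strings actually permit (this is example code written for this page, not openconnect's or GnuTLS's own code and not part of the thread), the C program below models the #else branch quoted above and then evaluates only the VERS-* keywords of the resulting string. Assumptions, labelled in the comments as well: gtls_ver(a,b,c) is read as "running GnuTLS is at least a.b.c"; the NORMAL set is taken to contain SSL3.0 and TLS 1.0 through 1.2, and VERS-TLS-ALL is taken to cover only the three TLS versions. Real GnuTLS releases of that era differed in exactly which versions NORMAL and VERS-TLS-ALL covered, so the evaluator is a simplified model rather than GnuTLS's priority parser; cipher, curve and %-modifier keywords are skipped entirely.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Protocol versions as bit flags. */
enum {
    V_SSL30   = 1 << 0,
    V_TLS10   = 1 << 1,
    V_TLS11   = 1 << 2,
    V_TLS12   = 1 << 3,
    /* ASSUMPTION: VERS-TLS-ALL covers only the TLS versions, not SSL3.0. */
    V_TLS_ALL = V_TLS10 | V_TLS11 | V_TLS12,
    /* ASSUMPTION: what the NORMAL keyword enabled on GnuTLS 2.x/3.0-3.2. */
    V_NORMAL  = V_SSL30 | V_TLS_ALL
};

/* Stand-in for openconnect's gtls_ver() macro, read here as
   "the running GnuTLS (have_a.have_b.have_c) is at least a.b.c". */
static bool gtls_ver_at_least(int have_a, int have_b, int have_c,
                              int a, int b, int c)
{
    if (have_a != a) return have_a > a;
    if (have_b != b) return have_b > b;
    return have_c >= c;
}

/* Model of the quoted #else branch: the default priority string chosen
   for a given GnuTLS version when DEFAULT_PRIO is not defined. */
const char *select_default_prio(int a, int b, int c)
{
    if (gtls_ver_at_least(a, b, c, 3, 2, 9))
        return "NORMAL:-VERS-SSL3.0:%COMPAT";
    if (gtls_ver_at_least(a, b, c, 3, 0, 0))
        return "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"
               "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION"
               ":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA";
    /* Reached for every GnuTLS older than 3.0.0: TLS 1.0 only. */
    return "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"
           "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION";
}

/* Simplified evaluator for the VERS-* keywords of a priority string.
   Keywords are applied left to right; "+" adds, "-" removes. Anything
   that is not NORMAL or a VERS-* keyword is ignored. Returns the set of
   enabled protocol versions as a bitmask of the V_* flags. */
unsigned enabled_versions(const char *prio)
{
    unsigned set = 0;
    char buf[512];
    strncpy(buf, prio, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    for (char *tok = strtok(buf, ":"); tok; tok = strtok(NULL, ":")) {
        if (strcmp(tok, "NORMAL") == 0) { set = V_NORMAL; continue; }
        char op = tok[0];
        if (op != '+' && op != '-') continue;      /* %MODIFIER etc. */
        const char *kw = tok + 1;
        unsigned bits;
        if      (strcmp(kw, "VERS-TLS-ALL") == 0) bits = V_TLS_ALL;
        else if (strcmp(kw, "VERS-SSL3.0") == 0)  bits = V_SSL30;
        else if (strcmp(kw, "VERS-TLS1.0") == 0)  bits = V_TLS10;
        else if (strcmp(kw, "VERS-TLS1.1") == 0)  bits = V_TLS11;
        else if (strcmp(kw, "VERS-TLS1.2") == 0)  bits = V_TLS12;
        else continue;                              /* cipher/curve keyword */
        if (op == '+') set |= bits; else set &= ~bits;
    }
    return set;
}

static void show(const char *label, const char *prio)
{
    unsigned s = enabled_versions(prio);
    printf("%-22s %s%s%s%s\n", label,
           (s & V_SSL30) ? "SSL3.0 " : "", (s & V_TLS10) ? "TLS1.0 " : "",
           (s & V_TLS11) ? "TLS1.1 " : "", (s & V_TLS12) ? "TLS1.2 " : "");
}

int main(void)
{
    /* Constructed sample versions: a 2.x build, a 3.1 build and a 3.6 build. */
    show("gnutls 2.12.23:", select_default_prio(2, 12, 23));
    show("gnutls 3.1.0:",   select_default_prio(3, 1, 0));
    show("gnutls 3.6.3:",   select_default_prio(3, 6, 3));
    /* The suggested replacement for the old strings. */
    show("suggested fix:", "NORMAL:-VERS-SSL3.0:%COMPAT"
                           ":%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION");
    return 0;
}
```

Under the model's assumptions, the pre-3.0 and 3.0-3.2.8 strings leave only TLS 1.0 (plus whatever NORMAL allowed that VERS-TLS-ALL did not remove), while "-VERS-SSL3.0" keeps TLS 1.1 and 1.2 and drops SSL3.0, which is the difference the suggested change is meant to make.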