Openconnect and old gnutls on Ubuntu 14.04

On Tue, Jul 24, 2018 at 9:50 PM, Dave Hansen <dave at sr71.net> wrote:
> On 07/24/2018 12:22 PM, Nikos Mavrogiannopoulos wrote:
>>> Further, this code still seems to be around in openconnect, at least
>>> when compiled against old versions of gnutls:
>>>
>>> https://github.com/openconnect/openconnect/blob/master/gnutls.c#L2202
>>>
>>> Is this something Ubuntu can fix in their openconnect?  Or is it
>>> something we should also be fixing in the upstream openconnect?
>> This has been fixed in upstream openconnect since 2014, and we cannot
>> fix items in the past (unless David has skills which we don't know
>> about). That's up to your distribution to fix and a potential fix
>> could be to change "-VERS-TLS-ALL:+VERS-TLS1.0" to "-VERS-SSL3.0"
>> (i.e., allow everything except SSL3.0).
>
> Am I misreading the code?
>
> If compiled with !DEFAULT_PRIO and we miss both the gtls_ver(3,2,9) and
> gtls_ver(3,0,0) checks, won't we do
> "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"... from the else{} block below?
>
> I read that as "when using old gnutls versions and !DEFAULT_PRIO", use
> this string.
>
>> #ifdef DEFAULT_PRIO
>>       default_prio = DEFAULT_PRIO ":%COMPAT";
>> #else
>>       if (gtls_ver(3,2,9)) {
>>               default_prio = "NORMAL:-VERS-SSL3.0:%COMPAT";
>>       } else if (gtls_ver(3,0,0)) {
>>               default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
>>                       "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION" \
>>                       ":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA";
>>       } else {
>>               default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"                     \
>>                       "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION";
>>       }
>> #endif

Hmm, that is true, but Ubuntu doesn't use that code. If it did, it
could have made sense to update it, but it looks like dead code, since as of
5f0eb81daa0df5668eedd8e48eaeea065c92d9ad openconnect can no longer
build with a version of gnutls < 3 (which doesn't have DTLS).

regards,
Nikos
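As an added illustration (not code from this thread, from openconnect or from GnuTLS): a small Python model of the quoted `#ifdef`/`gtls_ver()` selection chain, plus an evaluator for the `VERS-*` keywords of a GnuTLS priority string, so that the two strings under discussion can be compared side by side. The base set enabled by `NORMAL` and the meaning of `VERS-TLS-ALL` are modelled assumptions (SSL3.0, TLS1.0, TLS1.1 and TLS1.2, with `VERS-TLS-ALL` covering that whole group, as in GnuTLS of the 3.2/3.3 era); the function and constant names are this example's own.

```python
"""Model of openconnect's old GnuTLS priority-string selection and of what
each candidate string enables.  Added example; not openconnect's or GnuTLS's
own code.  The version semantics below are a simplified model, not the real
GnuTLS priority parser."""

# Constructed model (assumption): protocol versions that GnuTLS's NORMAL
# keyword enabled around 3.2/3.3, listed in priority order.
NORMAL_VERSIONS = ("SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2")

# Assumption: the VERS-TLS-ALL group of that era covered the same versions.
TLS_ALL_GROUP = NORMAL_VERSIONS


def default_prio(gnutls_version, compiled_default_prio=None):
    """Mirror the quoted selection chain.

    gnutls_version is a (major, minor, patch) tuple; gtls_ver(a, b, c) in the
    C code means "running GnuTLS is at least a.b.c".  compiled_default_prio
    stands in for the DEFAULT_PRIO build-time define (None = not defined).
    """
    if compiled_default_prio is not None:
        return compiled_default_prio + ":%COMPAT"
    if gnutls_version >= (3, 2, 9):
        return "NORMAL:-VERS-SSL3.0:%COMPAT"
    if gnutls_version >= (3, 0, 0):
        return ("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"
                "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION"
                ":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA")
    return ("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"
            "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION")


def enabled_versions(priority):
    """Evaluate only the NORMAL and +/-VERS-* keywords, left to right.

    Cipher, curve and %-flag keywords do not change the version set and are
    ignored.  Returns the enabled versions as a tuple in NORMAL's order.
    """
    enabled = []
    for keyword in priority.split(":"):
        if keyword == "NORMAL":
            enabled = list(NORMAL_VERSIONS)
        elif keyword.startswith(("+VERS-", "-VERS-")):
            op, name = keyword[0], keyword[len("+VERS-"):]
            targets = TLS_ALL_GROUP if name == "TLS-ALL" else (name,)
            for version in targets:
                if op == "+" and version not in enabled:
                    enabled.append(version)
                elif op == "-" and version in enabled:
                    enabled.remove(version)
    # Re-sort into NORMAL's order so the result does not depend on the
    # order in which versions were re-added.
    return tuple(v for v in NORMAL_VERSIONS if v in enabled)


def effective_versions(gnutls_version, compiled_default_prio=None):
    """Versions openconnect would end up negotiating under the old chain."""
    return enabled_versions(default_prio(gnutls_version, compiled_default_prio))


if __name__ == "__main__":
    # Constructed sample inputs: three GnuTLS versions around the 3.2.9 cut.
    for version in ((2, 12, 23), (3, 2, 8), (3, 2, 9)):
        prio = default_prio(version)
        print("gnutls %d.%d.%d -> %s" % (version + (prio,)))
        print("    enables:", ", ".join(enabled_versions(prio)))
    # The replacement Nikos suggests for the old TLS1.0-only fragment:
    print("suggested  ->", enabled_versions("NORMAL:-VERS-SSL3.0:%COMPAT"))
```

Running the model shows the point of the thread: below GnuTLS 3.2.9 the old chain pins the client to TLS 1.0 only, while the "-VERS-SSL3.0" form keeps every TLS version and drops only SSL 3.0.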
