On Tue, Jul 24, 2018 at 9:50 PM, Dave Hansen <dave at sr71.net> wrote: > On 07/24/2018 12:22 PM, Nikos Mavrogiannopoulos wrote: >>> Further, this code still seems to be around in openconnect, at least >>> when compiled against old versions of gnutls: >>> >>> https://github.com/openconnect/openconnect/blob/master/gnutls.c#L2202 >>> >>> Is this something Ubuntu can fix in their openconnect? Or is it >>> something we should also be fixing in the upstream openconnect? >> This has been fixed in upstream openconnect since 2014, and we cannot >> fix items in the past (unless David has skills which we don't know >> about). That's up to your distribution to fix and a potential fix >> could be to change "-VERS-TLS-ALL:+VERS-TLS1.0" to "-VERS-SSL3.0" >> (i.e., allow everything except SSL3.0). > > Am I misreading the code? > > If compiled with !DEFAULT_PRIO and we miss both the gtls_ver(3,2,9) and > gtls_ver(3,0,0) checks, won't we do > "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"... from the else{} block below? > > I read that as "when using old gnutls versions and !DEFAULT_PRIO", use > this string. > >> #ifdef DEFAULT_PRIO >> default_prio = DEFAULT_PRIO ":%COMPAT"; >> #else >> if (gtls_ver(3,2,9)) { >> default_prio = "NORMAL:-VERS-SSL3.0:%COMPAT"; >> } else if (gtls_ver(3,0,0)) { >> default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \ >> "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION" \ >> ":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA"; >> } else { >> default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \ >> "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION"; >> } >> #endif Hmm, that is true, but ubuntu doesn't use that code. If it did it could have made sense to update it, but looks like dead code as since 5f0eb81daa0df5668eedd8e48eaeea065c92d9ad openconnect can no longer build with a version of gnutls < 3 (which doesn't have DTLS). regards, Nikos