Bug 5967 - -VERS-SSL3.0 in GnuTLS priority strings is redundant
Summary: -VERS-SSL3.0 in GnuTLS priority strings is redundant
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Other (show other bugs)
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: 4.11.0
Assignee: Pierre Ossman
URL:
Keywords: nikle_tester, relnotes
Depends on:
Blocks:
 
Reported: 2016-08-29 20:18 CEST by Pierre Ossman
Modified: 2019-12-03 10:12 CET (History)
2 users (show)

See Also:
Acceptance Criteria:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Pierre Ossman cendio 2016-08-29 20:18:28 CEST 
SSL3 is disabled by default in GnuTLS 3.4.0 and later. Therefore we no longer need to explicitly include that in our default priority strings.
Comment 4 Pierre Ossman cendio 2019-12-02 10:05:06 CET 
Seems to work well. The new default is just "NORMAL" and yet SSL 3 is still rejected (tested with openssl s_client):

> 2019-12-02 10:01:43 ERROR tlwebadm[25138]: [::ffff:10.47.1.240] gnutls_handshake: A packet with illegal or unsupported version was received.

Note though that migrating configuration will leave the old value in place. It doesn't seem to do any damage though. No warnings in the logs, and SSL 3 is still disabled.

Tested on RHEL 8.
Comment 5 Niko Lehto cendio 2019-12-02 16:53:33 CET 
Verified with 'openssl s_client' using Fedora 30 client/server. It gives the same output in the tlwebadm.log:
> 2019-12-02 16:18:10 ERROR tlwebadm[12037]: [::1] gnutls_handshake: A packet with illegal or unsupported version was received.
Note You need to log in before you can comment on or make changes to this bug.