On Fri, Nov 06, 2015 at 04:25:41PM +0000, Viktor Dukhovni wrote:
> This is different from the firewall issue in:
>
> > https://lists.exim.org/lurker/thread/20150827.155850.719f1865.en.html#i20150827.155850.719f1865
>
> but the observations about TLS 1.1 were very helpful. Thanks.

For the record the site is using GnuTLS 3.3.8 on Debian jessie.
The administrator inadvertently disabled TLS 1.2, exposing what
looks like a GnuTLS bug (use of TLS 1.2 ciphers with TLS 1.1), and
an apparent OpenSSL bug in return (accepting a TLS 1.2 cipher from
a TLS 1.1 server).

I've reached out to the rest of the OpenSSL team and Nikos
Mavrogiannopoulos of GnuTLS fame. With a bit of luck both issues
will be addressed (possibly already addressed in code postdating
GnuTLS 3.3.8 and OpenSSL 1.0.2 respectively).

I'll post a final note on this when all the dust settles.

--
Viktor.