On Fri, Nov 06, 2015 at 07:11:18PM +0000, Viktor Dukhovni wrote:
> For the record the site is using GnuTLS 3.3.8 on Debian jessie.
> The administrator inadvertently disabled TLS 1.2, exposing what
> looks like a GnuTLS bug (use of TLS 1.2 ciphers with TLS 1.1), and
> an apparent OpenSSL bug in return (accepting a TLS 1.2 cipher from
> a TLS 1.1 server).
>
> I've reached out to the rest of the OpenSSL team and Nikos
> Mavrogiannopoulos of GnuTLS fame. With a bit of luck both issues
> will be addressed (possibly already addressed in code postdating
> GnuTLS 3.3.8 and OpenSSL 1.0.2 respectively).
>
> I'll post a final note on this when all the dust settles.

The dust has settled. I reported the bug to one of the GnuTLS
maintainers, and as of today I'm told:

    Fixed in 3.3.19 and 3.4.7. Previous versions are affected.

As for OpenSSL, there was an issue in OpenSSL 1.0.2, which
inadvertently accepted server choices of TLS 1.2 ciphers in
combination with a protocol version of 1.1 or less. The fix has
been on Github for a while:

https://github.com/openssl/openssl/commit/fdbe4a3fa669166efaec0d963e4216233368a7d9

and will be included in 1.0.2e, which will be released in the near
future.

The simplest solution is to not disable the TLS 1.2 protocol in
GnuTLS-based servers. If you find that you do need to disable TLS 1.2
in such a server, then make sure your GnuTLS library is either of
the versions above or newer (for someone reading this message
archived at some future date).

--
Viktor.
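The OpenSSL-side issue described in the message above, as an added example that is not OpenSSL's or GnuTLS's code: a minimal client-side ServerHello check that rejects a TLS 1.2-only cipher suite when the server negotiated protocol version 1.1 or lower. The function names, the (non-exhaustive) suite list and the sample message built by `client_accepts` are constructed for illustration.

```c
/* Added example (not OpenSSL/GnuTLS code): reject a TLS 1.2-only cipher suite
 * when the server negotiated TLS 1.1 or lower. Names and samples are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Suites whose definition requires TLS 1.2 (SHA-256 PRF or AEAD); RFC 5246,
 * RFC 5288, RFC 5289. Illustrative subset, not exhaustive. */
static int suite_requires_tls12(uint16_t cs)
{
    static const uint16_t tls12_only[] = {
        0x003C, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
        0x009C, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
        0xC02F, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
    };
    size_t i;
    for (i = 0; i < sizeof tls12_only / sizeof tls12_only[0]; i++)
        if (tls12_only[i] == cs) return 1;
    return 0;
}

/* Parse a ServerHello body: version(2) random(32) session_id<0..32>
 * cipher_suite(2) compression(1) [extensions ignored]. Returns 1 if the
 * server's choice is acceptable, 0 if it must be rejected, -1 if malformed. */
int check_server_hello(const uint8_t *p, size_t len)
{
    size_t sid_len, off;
    uint16_t cs;
    int tls12_or_later;
    if (len < 35) return -1;
    sid_len = p[34];
    off = 35 + sid_len;
    if (sid_len > 32 || len < off + 3) return -1;
    cs = (uint16_t)((p[off] << 8) | p[off + 1]);
    /* ProtocolVersion 3.3 = TLS 1.2, 3.2 = TLS 1.1, 3.1 = TLS 1.0. */
    tls12_or_later = p[0] > 3 || (p[0] == 3 && p[1] >= 3);
    if (suite_requires_tls12(cs) && !tls12_or_later)
        return 0; /* the combination OpenSSL 1.0.2 wrongly accepted */
    return 1;
}

/* Build a constructed ServerHello (zero random, empty session id) with the
 * given minor version and suite, and run the check on it. */
int client_accepts(uint8_t minor, uint16_t cs)
{
    uint8_t buf[38];
    memset(buf, 0, sizeof buf);           /* random, session_id len, compression = 0 */
    buf[0] = 3; buf[1] = minor;
    buf[35] = (uint8_t)(cs >> 8); buf[36] = (uint8_t)cs;
    return check_server_hello(buf, sizeof buf);
}
```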