GNU bug report logs - #49035
cURL 7.77.0 uses invalid TLS priority string, prevents access to bitbucket.org


Package: guix;

Reported by: Ludovic Courtès <ludovic.courtes <at> inria.fr>

Date: Tue, 15 Jun 2021 09:18:02 UTC

Severity: important

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Message #29 received at 49035 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Daiki Ueno <ueno <at> gnu.org>
Cc: 49035 <at> debbugs.gnu.org, Emmanuel Agullo <emmanuel.agullo <at> inria.fr>,
 gnutls-help <at> lists.gnutls.org
Subject: Re: [gnutls-help] TLS downgrade at bitbucket.org
Date: Sun, 20 Jun 2021 23:26:13 +0200
Hi Daiki,

Daiki Ueno <ueno <at> gnu.org> writes:

> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>> $ gnutls-cli --priority="NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+VERS-TLS1.3" -p https bitbucket.org

[...]

>> Aren’t these two priority strings supposed to be equivalent today?
>
> No.  If -VERS-TLS-ALL is used, the default priorities on TLS versions in
> NORMAL are ignored; the user is responsible for building the priority
> string so it reflects the actual preference, which in this case is:
>
>   -VERS-TLS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0

Thanks for the explanations.  As you suggest, the mistake was that cURL
7.77.0 would pass the priority string in the “wrong order”, preferring
older TLS versions.  This is now fixed:

  https://github.com/curl/curl/issues/7277

Ludo’.
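The rule Daiki states above (once -VERS-TLS-ALL appears, the NORMAL defaults for versions are dropped and the +VERS-* keywords count in the order written, so the first one listed is the version the client prefers) is easy to get wrong by hand, as curl 7.77.0 did. The following is an added example, not code from this thread, from curl or from GnuTLS: a small checker that parses a priority string, reports which version such a string would prefer, and rewrites the +VERS-* keywords newest first while leaving the cipher, certificate-type and -VERS-* keywords where they were. The version ranking table is an assumption of the example and covers only the keywords that appear in this thread; strings without -VERS-TLS-ALL are deliberately left alone, since there the NORMAL defaults decide and the thread does not describe that case.

```python
# Added example: order check for the TLS-version part of a GnuTLS priority
# string. Models the rule from the thread: with -VERS-TLS-ALL present, the
# +VERS-* keywords are honoured in the order written. Not curl's or GnuTLS's
# own code; the ranking below is an assumption limited to keywords on this page.

from typing import List, Optional

# Newest first; a lower rank means "should be listed earlier".
VERSION_RANK = {
    "VERS-TLS1.3": 0,
    "VERS-TLS1.2": 1,
    "VERS-TLS1.1": 2,
    "VERS-TLS1.0": 3,
    "VERS-SSL3.0": 4,
}

# The priority string curl 7.77.0 passed, copied from the gnutls-cli call above.
CURL_7_77_0 = ("NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0:"
               "-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+VERS-TLS1.3")


def tokens(priority: str) -> List[str]:
    """Split a priority string on ':' and drop empty keywords."""
    return [t for t in priority.split(":") if t]


def enabled_versions(priority: str) -> List[str]:
    """The known +VERS-* keywords, in the order written, without the '+'."""
    return [t[1:] for t in tokens(priority)
            if t.startswith("+VERS-") and t[1:] in VERSION_RANK]


def preferred_version(priority: str) -> Optional[str]:
    """Version listed first after -VERS-TLS-ALL, i.e. the one the client
    prefers; None when -VERS-TLS-ALL is absent (NORMAL defaults decide)."""
    if "-VERS-TLS-ALL" not in tokens(priority):
        return None
    enabled = enabled_versions(priority)
    return enabled[0] if enabled else None


def check_version_order(priority: str) -> str:
    """'defaults-apply', 'ok' (newest first) or 'not-newest-first'."""
    if "-VERS-TLS-ALL" not in tokens(priority):
        return "defaults-apply"
    ranks = [VERSION_RANK[v] for v in enabled_versions(priority)]
    return "ok" if ranks == sorted(ranks) else "not-newest-first"


def reorder_versions(priority: str) -> str:
    """Rewrite the +VERS-* keywords newest first, keeping every other keyword
    (ciphers, certificate types, -VERS-* removals) in its original place.
    Strings without -VERS-TLS-ALL are returned unchanged."""
    toks = tokens(priority)
    if "-VERS-TLS-ALL" not in toks:
        return priority
    ordered = iter(sorted(enabled_versions(priority),
                          key=VERSION_RANK.__getitem__))
    out = []
    for t in toks:
        if t.startswith("+VERS-") and t[1:] in VERSION_RANK:
            out.append("+" + next(ordered))   # slot keeps its position
        else:
            out.append(t)
    return ":".join(out)


if __name__ == "__main__":
    print(check_version_order(CURL_7_77_0), preferred_version(CURL_7_77_0))
    fixed = reorder_versions(CURL_7_77_0)
    print(check_version_order(fixed), preferred_version(fixed))
    print(fixed)
```

Running it on the curl 7.77.0 string reports not-newest-first with VERS-TLS1.0 preferred, and the rewritten string is the one Daiki gives (+VERS-TLS1.3 first, +VERS-TLS1.0 last). To confirm against a live host, pass the rewritten string to gnutls-cli --priority as in the command quoted above.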







GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.