Bug 707266

Summary: GnuTLS 2.10 client cannot negotiate TLS 1.2 to GnuTLS 2.8 server
Product: [Fedora] Fedora
Reporter: Michael Cronenworth <mike>
Component: gnutls
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 15
CC: jorton, tmraz
Hardware: Unspecified
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-05-24 15:39:20 UTC

Description Michael Cronenworth 2011-05-24 14:30:53 UTC
Description of problem:
Fedora 14 server - GnuTLS 2.8.6
Fedora 15 client - GnuTLS 2.10.5

The server is initialized with the following priorities:
"NONE:+VERS-TLS1.2:+AES-256-CBC:+RSA:+SHA1:+COMP-DEFLATE"

When the client attempts to connect, the attempt fails with "handshake failed" as the reason. When I change the server to be:
"NONE:+VERS-TLS1.1:+AES-256-CBC:+RSA:+SHA1:+COMP-DEFLATE"
the connection succeeds. TLS 1.0 also works.


Version-Release number of selected component (if applicable):
gnutls-2.8.6-2.fc14.x86_64
gnutls-2.10.5-1.fc15.x86_64


How reproducible: Always


Steps to Reproduce:
1. Setup GnuTLS 2.8.6 server with the priorities above.
2. Setup GnuTLS 2.10.5 client with the same priorities.
3. Attempt to connect to the server.
  
Actual results:
Handshake failure.


Expected results:
Connection succeeds.

Additional info:
If I connect to a 2.10.5 server with the 2.10.5 client, it succeeds. It seems there is some incompatibility between 2.8 and 2.10. I would report upstream but they have moved on to version 2.12 and probably would not fix 2.8 or 2.10.

Comment 1 Tomas Mraz 2011-05-24 14:42:35 UTC
I'd suggest reporting it upstream anyway. If the problem is in 2.10 (or even 2.12) they would fix it.

Comment 2 Michael Cronenworth 2011-05-24 14:55:10 UTC

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 3 Michael Cronenworth 2011-05-24 15:39:20 UTC
(In reply to comment #1)
> I'd suggest reporting it upstream anyway. If the problem is in 2.10 (or even
> 2.12) they would fix it.

Per upstream, 2.8's TLS 1.2 support was not complete and was disabled by default. Perhaps it should be disabled in Fedora's build. The 2.10 version has complete TLS 1.2 support.

Red Hat 6 also has GnuTLS 2.8, which would have the incomplete TLS 1.2 implementation. I am working on a commercial app that would have used TLS 1.2, but it seems I will have to scale back to TLS 1.1 to be compatible on Red Hat boxes.


Comment 4 Tomas Mraz 2011-05-24 15:46:35 UTC
As you have to explicitly add TLS1.2 to the priority string to enable it on GnuTLS 2.8, I do not think there is much to fix by the rebuild.
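The description and comments 3 and 4 turn on one detail: the server's priority string starts from NONE and enables exactly one protocol version, so the only version the two sides have in common is the one the 2.8 server could not complete. The checker below is an added example for this report, not code from the report, from Fedora or from GnuTLS. It parses the subset of the GnuTLS priority-string syntax used above (an initial keyword, then ":"-separated "+", "-" or "!" modifiers), computes the protocol versions each side leaves enabled, and predicts whether a given client/server pair can handshake. The version names, the VERS-TLS-ALL shorthand, the treatment of NORMAL/SECURE keywords as enabling every listed version, and the server_tls12_complete flag (which models comment 3's "2.8 TLS 1.2 support was not complete") are assumptions made for the example, not facts taken from the bug.

```python
import re

# Protocol versions in preference order, newest first.  Assumed set for a
# GnuTLS 2.x build; the report itself only mentions TLS 1.0, 1.1 and 1.2.
VERSIONS = ("VERS-TLS1.2", "VERS-TLS1.1", "VERS-TLS1.0", "VERS-SSL3.0")
TLS_VERSIONS = tuple(v for v in VERSIONS if v.startswith("VERS-TLS"))

# Initial keywords.  NONE starts with nothing enabled, which is why the
# report's strings have to add every algorithm with "+".  Treating the other
# keywords as "all versions enabled" is an assumption made for this checker.
INITIAL = {
    "NONE": frozenset(),
    "NORMAL": frozenset(VERSIONS),
    "SECURE128": frozenset(VERSIONS),
    "SECURE256": frozenset(VERSIONS),
    "EXPORT": frozenset(VERSIONS),
}

# The two priority strings quoted in the report (server side).
REPORT_SERVER = "NONE:+VERS-TLS1.2:+AES-256-CBC:+RSA:+SHA1:+COMP-DEFLATE"
REPORT_WORKAROUND = "NONE:+VERS-TLS1.1:+AES-256-CBC:+RSA:+SHA1:+COMP-DEFLATE"

_TOKEN = re.compile(r"^([+\-!])([A-Z0-9.\-]+)$")


def parse_priority(priority):
    """Split a priority string into (initial keyword, [(op, name), ...])."""
    parts = [p.strip() for p in priority.split(":") if p.strip()]
    if not parts:
        raise ValueError("empty priority string")
    initial, modifiers = parts[0], parts[1:]
    if initial not in INITIAL:
        raise ValueError("unknown initial keyword %r" % initial)
    ops = []
    for part in modifiers:
        m = _TOKEN.match(part)
        if m is None:
            raise ValueError("malformed modifier %r" % part)
        ops.append((m.group(1), m.group(2)))
    return initial, ops


def enabled_versions(priority):
    """Return the frozenset of VERS-* names the string leaves enabled.

    Non-version tokens (ciphers, MACs, key exchange, compression) are
    accepted and ignored; only the protocol set matters for this check.
    """
    initial, ops = parse_priority(priority)
    enabled = set(INITIAL[initial])
    for op, name in ops:
        if name == "VERS-TLS-ALL":          # assumed shorthand for all TLS versions
            targets = set(TLS_VERSIONS)
        elif name.startswith("VERS-"):
            if name not in VERSIONS:
                raise ValueError("unknown protocol version %r" % name)
            targets = {name}
        else:
            continue                         # not a protocol version token
        if op == "+":
            enabled |= targets
        else:                                # "-" and "!" both remove
            enabled -= targets
    return frozenset(enabled)


def negotiable_versions(client_priority, server_priority):
    """Versions both sides enable, newest first."""
    common = enabled_versions(client_priority) & enabled_versions(server_priority)
    return [v for v in VERSIONS if v in common]


def check_pair(client_priority, server_priority, server_tls12_complete=True):
    """Predict the outcome of a handshake between the two priority strings.

    TLS picks the highest version both sides enable and has no fallback
    once the handshake is under way, so server_tls12_complete=False (the
    assumed model of the 2.8 server in this report) fails whenever TLS 1.2
    is the version that would be selected, even if older versions are
    also enabled.  The client must drop TLS 1.2 to get a working connection.
    """
    common = negotiable_versions(client_priority, server_priority)
    if not common:
        return "fail: no protocol version in common"
    chosen = common[0]
    if chosen == "VERS-TLS1.2" and not server_tls12_complete:
        return "fail: TLS 1.2 is negotiated but the server cannot complete it"
    return "ok: " + chosen


if __name__ == "__main__":
    # The report's configuration against a 2.8 server, then its workaround.
    print(check_pair(REPORT_SERVER, REPORT_SERVER, server_tls12_complete=False))
    print(check_pair(REPORT_WORKAROUND, REPORT_WORKAROUND, server_tls12_complete=False))
```

Running the module prints the predicted failure for the TLS 1.2-only pair and the predicted success for the TLS 1.1 pair. Because the checker treats the server's advertised versions as authoritative, a server string that enables TLS 1.2 alongside TLS 1.1 still fails against a TLS 1.2-capable client when server_tls12_complete is False, which is why the fix in the report has to happen on the client side rather than by adding fallback versions on the server.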