Description of problem:
Fedora 30's default configuration is unable to connect to Windows 2012 R2, which is needed for RDP clients using GnuTLS, i.e. rdesktop's upcoming version. The issue is caused by an unfortunate change upstream: https://gitlab.com/gnutls/gnutls/issues/831

It can be worked around for now though, if the default priority string includes "+SHA256". So this is a request to do just that.

Version-Release number of selected component (if applicable):
gnutls-3.6.8-1.fc30.x86_64

How reproducible:
100%

Steps to Reproduce:
$ gnutls-cli rds2012r2.example.com -p 3389

Actual results:
Server drops the connection and logs that it could not find a supported ciphersuite.

Expected results:
TLS handshake succeeds.

Additional info:
Oddly enough "openssl s_client" also fails to connect. I have not investigated if it also has gotten HMAC_SHA256 disabled, but if so then that should probably also be fixed.
Correct me if I'm wrong, but aren't these scenarios specifically covered by the LEGACY policy?
That might be intended, but LEGACY also leaves HMAC_SHA256 disabled. :) Try this:

> $ gnutls-cli --list --priority LEGACY | grep CBC_SHA256
Sorry for being unclear. I had crypto-policies LEGACY policy in mind (sudo update-crypto-policies --set LEGACY), but it seems like it doesn't cover this either.
LEGACY policy adds things needed to support LEGACY systems - it is not intended to support marginal/weird/corner-case configurations.
I'm seeing some more weirdness from Windows where the supported ciphersuites are changing in odd ways depending on TLS version. Let me investigate a bit more and see where I land. This might be more quirky than can be supported by default.
And it now decided that it no longer accepts TLS 1.2... It seems like there is something seriously broken with this specific RDS farm. So it's probably not a general issue. Sorry for the noise. Feel free to close this. I'll comment if I find something that reasonably involves Fedora.