Package: libgnutls-openssl27
Version: 3.5.10-1
Severity: important

Certain packages that rely on this OpenSSL wrapper library are unable to connect using TLS 1.1/1.2 cipher suites.
Even though the server (and the client, when compiled against OpenSSL) supports the full array of TLS 1.1/1.2 ciphers, the package as provided seems to be limited to only TLS 1.0 ciphers.

An example is bug #842120 in package tf5.

tf5, when connecting using a version compiled manually against OpenSSL:
% Connected to server using cipher ECDHE-RSA-AES128-GCM-SHA256.

When connecting using the packaged version utilizing the OpenSSL wrapper:
% Connected to server using cipher RSA_AES_128_CBC_SHA1.

Given the progression toward the deprecation of TLS 1.0 (see NIST SP 800-52 Rev. 1), it would seem prudent to ensure that packages not written against GnuTLS are still capable of their full function.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libgnutls-openssl27 depends on:
ii  libc6        2.24-9
ii  libgnutls30  3.5.10-1

libgnutls-openssl27 recommends no packages.

libgnutls-openssl27 suggests no packages.

-- no debconf information