On 2025-01-13 Samuel Henrique <samuel...@debian.org> wrote:
>> it was me intentionally following upstream defaults when not having strong
>> arguments to deviate from them, so it was not accidental. Upstream NEWS
>> said:
>> ** libgnutls: SRP authentication is now disabled by default.
>> It is disabled because the SRP authentication in TLS is not up to
>> date with the latest TLS standards and its ciphersuites are based
>> on the CBC mode and SHA-1. To enable it back, supply
>> --enable-srp-authentication option to configure script.
>> And afaiui SRP is not supported with TLS 1.3.

> Would it make sense to enable it for as long as TLS 1.2 is supported?

> For the curl package, we make use of GnuTLS to run tests for TLS-SRP
> support, without it we lose that test coverage. It's not critical, but
> it helps a lot.

Hello Samuel,

isn't this (testsuite case) a pretty weak argument for shipping an
outdated and rather exotic cyphersuite?

This really is supposed to be an honest question, I think I am missing
something important. I have got some saved-up trust in $curl-maintainers
and am ready to be convinced or told.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'