Results 1 to 6 of 6

Thread: Globally disable SECP256R1 for GnuTLS-linked programs?

  1. #1
    Join Date
    May 2020
    Beans
    7

    Question Globally disable SECP256R1 for GnuTLS-linked programs?

    Hi,

    Ubuntu 20.04

    I have a very strange issue that seems to be specific to the geographical location I'm located in. GnuTLS-linked programs have trouble connecting to many sites. Also see https://gitlab.com/gnutls/gnutls/-/issues/990 for a long discussion on this. The short of the story is that any connection attempt that tries to use the SECP256R1 elliptic curve encryption fails. Unfortunately those programs include APT and GIT, which means for example that mono-project.com as an apt repository doesn't work, and I'm unable to clone any github repo.

    The gnutls-cli program has command line options that let you control which encryption methods are attempted by gnutls-cli, e.g.:

    gnutls-cli --priority=NORMAL:-GROUP-SECP256R1 github.com

    works, but:

    gnutls-cli github.com

    Does not.

    Does anybody know of a way to globally/system-wide adjust the priority that GnuTLS uses? I have found some references to possible gnutls configuration files, but that support seems to be dependent on specific compilation options, and I don't know which options are used for the Ubuntu 20.04 package. Also, I found update-crypto-policy, which I hoped would be able to do this, but I've not been able to figure out how to actually use it.

    Rgds

  2. #2
    Join Date
    May 2020
    Beans
    7

    Re: Globally disable SECP256R1 for GnuTLS-linked programs?

    Hmmm,

    Doesn't look like the Ubuntu libgnutls30 package has a default priority file location compiled in (https://gnutls.org/manual/html_node/...m_config_file.). I downloaded the Ubuntu source packages, and there is no reference to "GNUTLS_SYSTEM_PRIORITY_FILE", nor to the "with_system_priority_file" configure option.

    Also, I very much doubt that the update-crypto-policies tool has any impact on libgnutls30: again the source package doesn't have any reference to "/etc/crypto-policies" whatsoever.

    I'll try to set GNUTLS_SYSTEM_PRIORITY_FILE through /etc/profile and see what happens...

  3. #3
    Join Date
    Jan 2017
    Beans
    135

    Re: Globally disable SECP256R1 for GnuTLS-linked programs?

    I know nothing about this but I perused the docs and the following seems to work.
    https://www.gnutls.org/manual/html_n...of-the-library
    https://www.gnutls.org/manual/html_n...-and-protocols

    Results before creating config file:
    Code:
    $ gnutls-cli github.com
    ...
    - Status: The certificate is trusted.  
    - Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
    ...
    After:
    Code:
    $ cat /etc/gnutls/config  
    [overrides]
    tls-disabled-group=GROUP-SECP256R1
    
    $ gnutls-cli github.com
    ...
    - Status: The certificate is trusted.  
    - Description: (TLS1.3-X.509)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
    ...
    HTH


    Edit:

    The default config file is defined in config.ac: https://github.com/gnutls/gnutls/blo...figure.ac#L849

    When configure is executed it generates a config.h file which contains:
    Code:
    /* The system-wide gnutls configuration file */
    #define SYSTEM_PRIORITY_FILE "/etc/gnutls/config"
    Last edited by norobro; 1 Week Ago at 02:50 AM. Reason: additional info

  4. #4
    Join Date
    May 2020
    Beans
    7

    Re: Globally disable SECP256R1 for GnuTLS-linked programs?

    I've got GIT working by creating the following file

    Code:
    # /etc/gnutls/config
    [overrides]
    tls-disabled-group = group-secp256r1
    However this doesn't work for apt/apt-get. If I run:

    Code:
    export GNUTLS_DEBUG_LEVEL=9
    apt update
    I'm getting a different kind of exception from gnutls:

    Code:
    gnutls[3]: ASSERT: ../../lib/record.c[check_session_status]:1649
    gnutls[3]: ASSERT: ../../lib/record.c[gnutls_bye]:324
    Err:14 https://download.mono-project.com/repo/ubuntu stable-focal Release                                                     
      Could not handshake: A TLS fatal alert has been received. [IP: 152.199.19.161 443]
    Will keep investigating...

  5. #5
    Join Date
    May 2010
    Beans
    335

    Re: Globally disable SECP256R1 for GnuTLS-linked programs?

    Could make a BASH alias in ~/.bashrc

    Code:
    alias gnutls-cli='gnutls-cli --priority=NORMAL:-GROUP-SECP256R1'

  6. #6
    Join Date
    Jan 2017
    Beans
    135

    Re: Globally disable SECP256R1 for GnuTLS-linked programs?

    With ECDHE-SECP256R1 disabled in /etc/gnutls/config the mono-project server used ECDHE-SECP384R1
    Code:
    $ gnutls-cli mono-project.com
    . . .
    - Description: (TLS1.2-X.509)-(ECDHE-SECP384R1)-(RSA-SHA256)-(AES-256-GCM)
    . . .
    So I disabled secp384r1 and the server fell back to using RSA.
    Code:
    $ cat /etc/gnutls/config 
    [overrides]
    tls-disabled-group=GROUP-SECP256R1
    tls-disabled-group=GROUP-SECP384R1
    
    
    $ gnutls-cli mono-progect.com
    . . .
    - Description: (TLS1.2-X.509)-(RSA)-(AES-256-GCM)
    . . .

    I don't have a problem using secp256r1 so I can't test this but perhaps disabling secp384R1 also will allow apt to download from that repository.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •